On Fri, Jul 6, 2012 at 10:43 PM, H <[email protected]> wrote:
> Looking at the javadoc on Signature.verify(), it looks like it has fixed one
> bug and introduced another:
>
> "Indicates whether the given signature can be verified using the public key
> or a certificate of the signer.
> This Signature instance is reset to the state of its last initialization for
> verifying and thus can be used to
> verify another signature of the same signer."
>
> In 4.0 and below, the signature instance wasn't being reset correctly and
> was still valid and simply returned false if you tried to call verify()
> again. Now you have to update() it again before calling the verify() -
> otherwise you get a NullPointer. So I guess they have effectively fixed a
> previous bug and possibly caused a different bug.

I can confirm that you get a NPE on second call on 4.1. However,
the previous behaviour (returning false) seems correct, and is consistent
with Java SE (Oracle/SE). Since the signature value you are passing
is encoded properly, and the Signature object is initialized, throwing
SecurityException would be the wrong thing to do. Of course the
docs end with ', etc.', so you can always argue that this case falls in
the 'etc.' bucket :) Cf. Sun/Oracle JCE docs for verify():

  Throws:
  SignatureException - if this signature object is not initialized properly,
  the passed-in signature is improperly encoded or of the wrong type, if this
  signature algorithm is unable to process the input data provided, etc.
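
An added example, not part of the original thread and not Android or Oracle code: a wrapper that re-initializes the Signature and feeds the data again before every verify() call, so the outcome does not depend on how a platform behaves when verify() is called a second time with no update(). The class name ReusableVerifier, the SHA256withRSA algorithm and the sample messages are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class ReusableVerifier {
    private final PublicKey key;
    private final Signature sig;

    ReusableVerifier(PublicKey key) throws GeneralSecurityException {
        this.key = key;
        this.sig = Signature.getInstance("SHA256withRSA");
    }

    /** Verifies one (data, signature) pair; never relies on leftover state. */
    boolean verify(byte[] data, byte[] signature) {
        try {
            sig.initVerify(key);   // known-clean state, whatever the last call did
            sig.update(data);      // always feed input before verify()
            return sig.verify(signature);
        } catch (GeneralSecurityException | RuntimeException e) {
            // Fail closed: a SignatureException for a malformed signature, or a
            // provider bug such as the NPE reported in this thread, means "not verified".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: throwaway key pair and two messages.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] m1 = "first message".getBytes(StandardCharsets.UTF_8);
        byte[] m2 = "second message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(m1);
        byte[] s1 = signer.sign();
        signer.update(m2);         // sign() resets too, so feed the next message
        byte[] s2 = signer.sign();

        ReusableVerifier v = new ReusableVerifier(kp.getPublic());
        System.out.println("m1 with s1: " + v.verify(m1, s1));
        System.out.println("m2 with s2: " + v.verify(m2, s2));
        System.out.println("m1 with s2: " + v.verify(m1, s2));
        System.out.println("m1 with empty signature: " + v.verify(m1, new byte[0]));
    }
}
```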