If I understand your bug report correctly, only lines 2 and 3 are actually involved. You left out the creation of "ks". BTW, I don't see MD5 anywhere.
I would begin by looking into the ks stuff.
I hope this was of some help!

Anders

----- Original Message -----
From: "nleiptv" <[email protected]>
To: "Android Security Discussions" <[email protected]>
Sent: Tuesday, June 30, 2009 17:33
Subject: [android-security-discuss] Problem with Crypto APIs between Android and SUN Java

Hi all,

I posted a message to the Android Developers list about problems with the crypto API. In fact the Bouncy Castle API on the phone seems to have a bug when executing the following code:

    1 Mac hmac = Mac.getInstance("HmacSHA256");
    2 SecretKeyFactory kf = SecretKeyFactory.getInstance("DES");
    3 Key k = kf.generateSecret(ks);
    4 hmac.init(k);
    5 finalKey = hmac.doFinal(s);

The secret key k in line 3 differs when the above code is executed on the phone and on a SUN JVM, making it almost impossible to do proper authentication between a client on the phone and a server that is run on a SUN JVM.

The post is here:
http://groups.google.com/group/android-developers/browse_thread/thread/b8bd276a07b5bd09

I think this might be interesting for some here.
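
An added example, not part of either message: a check that can be run on both platforms to see whether the DES key factory returns the key bytes it was given, followed by keying the HMAC directly from the raw bytes with SecretKeySpec so that no provider-specific key factory is involved. The class name, the sample key and message, and the guess that "ks" is a DESKeySpec are assumptions; the post does not show them.

```java
import java.security.Key;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class HmacKeyCheck {
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x & 0xff));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the original post does not show its key material.
        byte[] raw = {0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, (byte) 0x87};
        byte[] s = "message".getBytes("UTF-8");

        // Assumption: "ks" in the post is a DESKeySpec built from raw bytes.
        SecretKeyFactory kf = SecretKeyFactory.getInstance("DES");
        Key k = kf.generateSecret(new DESKeySpec(raw));
        byte[] enc = k.getEncoded();

        // Any nonzero byte in the XOR marks bits this provider's factory changed.
        byte[] diff = new byte[raw.length];
        for (int i = 0; i < raw.length; i++) diff[i] = (byte) (raw[i] ^ enc[i]);

        System.out.println("provider  : " + kf.getProvider().getName());
        System.out.println("input     : " + hex(raw));
        System.out.println("factory   : " + hex(enc));
        System.out.println("xor diff  : " + hex(diff));

        // HMAC keyed through the DES factory, as in the post (lines 1 to 5).
        Mac viaFactory = Mac.getInstance("HmacSHA256");
        viaFactory.init(k);
        System.out.println("mac (DES) : " + hex(viaFactory.doFinal(s)));

        // HMAC keyed directly from the raw bytes: the MAC sees exactly these
        // bytes on every provider, so client and server agree.
        Mac direct = Mac.getInstance("HmacSHA256");
        direct.init(new SecretKeySpec(raw, "HmacSHA256"));
        System.out.println("mac (raw) : " + hex(direct.doFinal(s)));
    }
}
```

Comparing the "factory" and "xor diff" lines from the phone and from the server JVM shows whether the two providers hand back different key bytes for the same input.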
