Hi, the ks generation code is as follows:
ks = new DESKeySpec(someKeyString.getBytes()); And i checked that the values of ks are the same on both the phone VM and the SUN VM, because in the past I had problems when String#getBytes () was used without specifying a proper CharEncoding. Back then getBytes() executed on a String on a Windows machine gave a different result than on a Linux machine, since the default character encoding (which is considered in the no-parameter version of getBytes()) was different on the two systems. But this time, that is not the problem, so I am 100% sure that line 3 - kf.generateSecret(ks) - is the problem, since it does not do anything with the key ks. Btw. in the post that I linked to, I was responding to myself, because I found a solution already. Maybe have a look at it again. I even explain a work around. I just thought I post a link to it here, since this is the security list. Cheers. On 30 Jun., 18:52, "Anders Rundgren" <[email protected]> wrote: > If I understand your bug report correctly only line 2 and 3 are actually > involved. > You left out the creation of "ks". > BTW, I don't see MD5 anywhere. > > It would being by looking into the ks stuff. > > I hope this was of some help! > > Anders > > ----- Original Message ----- > From: "nleiptv" <[email protected]> > To: "Android Security Discussions" <[email protected]> > Sent: Tuesday, June 30, 2009 17:33 > Subject: [android-security-discuss] Problem with Crypto APIs between Android > and SUN Java > > Hi all, > > I posted a message to the Android Developers list about problems with > the crypto API. > > In fact the Bouncy Castle API on the phone seems to have a bug when > executing the following code: > > 1 Mac hmac = Mac.getInstance("HmacSHA256"); > 2 SecretKeyFactory kf = SecretKeyFactory.getInstance("DES"); > 3 Key k = kf.generateSecret(ks); > 4 hmac.init(k); > 5 finalKey = hmac.doFinal(s); > > The secret key k in line 3 differs when the above code is executed on > the phone and on a SUN JVM, making it almost impossible to do proper > authentication between a client on the phone and a server that is run > on a SUN JVM. > > The post is > here:http://groups.google.com/group/android-developers/browse_thread/threa... > I think this might be interesting for some here.
