[Android-tools-devel] Bug#857027: non-ASCII passwords fail
Hans-Christoph Steiner
hans at eds.org
Tue Mar 7 10:32:05 UTC 2017
Package: apksigner
Version: 0.4+git162~g85a854b-1
Severity: severe
Tags: fixed-upstream upstream
Upstream bug report:
https://code.google.com/p/android/issues/detail?id=234089

When keytool and jarsigner obtain the keystore/key password via
stdin or console, contrary to the expectation of Java KeyStore API,
they do not appear to encrypt/decrypt the keystore/key using the
Unicode characters comprising the password. Instead, these tools
appear to convert the password to its encoded form (using the
console's character encoding) and then upcast each resulting Java byte
into a Java char. The keystore/key appears to be encrypted using the
resulting array of characters.

This behavior may be a remnant from the early days of Java when there
was no standard way to convert textual input obtained via stdin to
Unicode characters. The behavior is consistent with simply treating
each Java byte read via stdin as a Java char and then passing the
resulting array of characters into KeyStore API as password.

Unfortunately, when the password is passed into keytool/jarsigner
via the command-line, or when other tools (including apksigner) use
the Java KeyStore API to create/read keystores/keys, the above
strange behavior does not occur. As a result, there's a mismatch for
non-ASCII passwords.
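
The mismatch described in the report, reproduced against an in-memory keystore. This is an added example, not code from the report, keytool, jarsigner or apksigner; the class name `KeystorePasswordForms`, the sample password, the UTF-8 console encoding and the unsigned widening of each byte are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;

public class KeystorePasswordForms {
    // Form the report describes for stdin/console input: encode the password
    // with the console charset, then widen each byte to a char.
    // Assumption: the widening is unsigned (0..255).
    static char[] byteUpcastForm(String password, Charset consoleCharset) {
        byte[] encoded = password.getBytes(consoleCharset);
        char[] out = new char[encoded.length];
        for (int i = 0; i < encoded.length; i++) {
            out[i] = (char) (encoded[i] & 0xff);
        }
        return out;
    }

    // True if the keystore's integrity check passes with this password.
    static boolean opens(byte[] keystore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try {
            ks.load(new ByteArrayInputStream(keystore), password);
            return true;
        } catch (IOException wrongPassword) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String typed = "p\u00e4ssw\u00f6rd";           // constructed sample password
        Charset console = StandardCharsets.UTF_8;      // assumed console encoding
        char[] unicode = typed.toCharArray();          // what a KeyStore API caller passes
        char[] upcast = byteUpcastForm(typed, console);

        // Stand-in for a keystore written by a tool that used the upcast form.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ks.store(buf, upcast);
        byte[] stored = buf.toByteArray();

        System.out.println("Unicode form opens keystore: " + opens(stored, unicode));
        System.out.println("Upcast form opens keystore:  " + opens(stored, upcast));
        Arrays.fill(unicode, '\0');
        Arrays.fill(upcast, '\0');
    }
}
```

A tool that has to open keystores created either way can try both character arrays in turn; for an ASCII-only password the two forms are identical, which is why only non-ASCII passwords are affected.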