While trying to carry out an encryption and decryption process in an Android environment, I have the below log:
com.s.sdk.security.SMException: Error loading Local Master Keys, file:
"/cfg/lmktest.lmk" does not exist. Please specify a valid LMK file, or
rebuild a new one. 09-21 11:56:31.792 16182-16182/com.mpos.sdk
W/System.err: at
com.s.sdk.security.jceadapter.JCESecurityModule.init(JCESecurityModule.java:1785)
09-21 11:56:31.792 16182-16182/com.mpos.sdk W/System.err: at
com.s.sdk.security.jceadapter.JCESecurityModule.<init>(JCESecurityModule.java:159)
The reason I want to make use of JPOS is simply that I want to carry out a financial transaction, and JPOS will be used in packaging my message.
For the encryption and decryption of data, I am to make use of this JCESecurityModule, which works well on other platforms but not on the Android OS.
NOTE: The file location in my android studio is app/cfg/test.lmk
I was able to get this file from the JPOS-master on GitHub, found in jPOS-master\jPOS-master\jpos\src\test\resources\org\jpos\security,
i.e. the lmk-test,
which was used this way:
JCESecurityModule sm = new JCESecurityModule("app/cfg/test.lmk");
I have also tried rebuilding the LMK file, using the below method,
public JCESecurityModule (String lmkFile) throws SMException
{
init(null, lmkFile, true);
}
which can be found in the JCESecurityModule class (JPOS),
but I was still having the same issue in loading the LMK file.
Thanks
For the sake of completeness, this was also asked on the jPOS Google Group, and discussed there. https://groups.google.com/forum/#!topic/jpos-users/X3r_PX7lgd4
The encryption was done by a device which is to be connected to a mobile phone to carry out transactions, but the device makers actually did it this way to provide end-to-end encryption, which you are circumventing. You don't need jPOS in the device. You need it at your centrally deployed servers, where you would use real HSMs.
by Victor Salaman
in the jPOS users Google Group https://groups.google.com/forum/#!topic/jpos-users/X3r_PX7lgd4
But you can still carry out the encryption and decryption using some other module instead of the JCESecurityModule (if the problem still persists), e.g. using SunJCE.
I work on an application that communicates with a custom SIM card using Android OMAPI. The application worked before I updated my Google Pixel to Android 13. Since then, when openLogicalChannel of the Session is called, I get the exception below, with scarce information:
Caused by: java.io.IOException: OpenLogicalChannel() failed
at android.se.omapi.Session.openLogicalChannel(Session.java:322)
at android.se.omapi.Session.openLogicalChannel(Session.java:359)
I haven't found any information about OMAPI changes or additional permissions in the Android 13 documentation.
isSecureElementPresent of the Reader returns true.
Does anybody have any clues?
As you commented, you are not using Android carrier privileges. I'm wondering how this ever worked in your case. In all my setups I needed it for accessing the SEService. The Access Control Enforcer was always checking the access properly on my Pixel devices. Was your previous Pixel device rooted before?
Please try to add the hash of your signing certificate to the ARA, or use a generic allow-all rule. Maybe you can install this allow-all applet on the SIM. For analyzing the APDU traffic I have written an Xposed module displaying additional log messages in the Android radio log.
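The two pieces the answer above depends on, written out as an added example (this is not the poster's or the answerer's code): computing the signing-certificate hash that the ARA rule on the SIM has to contain, and opening the logical channel in a way that tells an Access Control Enforcer refusal apart from a transport error. The applet AID is a hypothetical value in the proprietary range, the GET DATA probe APDU is only a liveness check, and the example assumes an Android 9+ device where android.se.omapi is available.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.se.omapi.Channel;
import android.se.omapi.Reader;
import android.se.omapi.SEService;
import android.se.omapi.Session;
import android.util.Log;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.Executors;

/** Added example (not from the original thread): ARA hash of our signing cert + OMAPI channel handling. */
public final class OmapiAccessExample {
    private static final String TAG = "OmapiAccessExample";

    // Hypothetical applet AID in the proprietary 'F' range; substitute the AID of your SIM applet.
    private static final byte[] APPLET_AID = {(byte) 0xF0, 0x01, 0x02, 0x03, 0x04, 0x05};

    private SEService seService;

    /**
     * Hex digest of this APK's signing certificate. ARA-M rules (GlobalPlatform SEAC) are keyed on the
     * SHA-1 of the DER-encoded certificate; pass "SHA-1" for that, or "SHA-256" if your rule
     * provisioning uses the longer form.
     */
    public static String signingCertHashHex(Context ctx, String algorithm)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
        // Signature.toByteArray() is the DER certificate: exactly the bytes the enforcer hashes.
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        byte[] digest = MessageDigest.getInstance(algorithm).digest(signers[0].toByteArray());
        return toHex(digest);
    }

    /** Binds to the SecureElement service; the probe runs once the service reports it is connected. */
    public void connectAndProbe(Context ctx) {
        seService = new SEService(ctx, Executors.newSingleThreadExecutor(), this::onSeConnected);
    }

    private void onSeConnected() {
        Session session = null;
        Channel channel = null;
        try {
            Reader sim = null;
            for (Reader r : seService.getReaders()) {
                // UICC readers are named "SIM", "SIM1", "SIM2", ...; embedded SEs are "eSE...".
                if (r.getName().startsWith("SIM") && r.isSecureElementPresent()) {
                    sim = r;
                    break;
                }
            }
            if (sim == null) {
                Log.w(TAG, "no SIM reader with a secure element present");
                return;
            }
            session = sim.openSession();
            channel = session.openLogicalChannel(APPLET_AID);
            if (channel == null) {
                Log.w(TAG, "applet selected but no free logical channel");
                return;
            }
            Log.i(TAG, "SELECT response: " + toHex(channel.getSelectResponse()));
            // GET DATA (CLA=00 INS=CA P1P2=0000, Le=00): a generic command OMAPI does not filter.
            // What the applet answers is applet-specific; this only proves the channel is usable.
            byte[] response = channel.transmit(new byte[]{0x00, (byte) 0xCA, 0x00, 0x00, 0x00});
            Log.i(TAG, "response: " + toHex(response));
        } catch (SecurityException e) {
            // The Access Control Enforcer refused: no ARA rule on the SIM matches this APK's
            // certificate hash and the app holds no carrier privileges. Fix the rule, not the code.
            Log.e(TAG, "access denied by the Access Control Enforcer", e);
        } catch (IOException e) {
            // Transport-level failure (the poster's "OpenLogicalChannel() failed" surfaces here):
            // applet not selectable, channels exhausted, or the UICC rejected MANAGE CHANNEL.
            Log.e(TAG, "OMAPI channel error", e);
        } finally {
            if (channel != null) channel.close();
            if (session != null) session.close();
            seService.shutdown();
        }
    }

    private static String toHex(byte[] bytes) {
        if (bytes == null) return "(null)";
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

Log the value of signingCertHashHex(ctx, "SHA-1") from a debug build once and hand it to whoever provisions the ARA-M on the SIM; note that debug and release builds are signed with different certificates, so each needs its own rule.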
I have an Android app that uses the Android secure keystore to encrypt/decrypt account information.
The min SDK is set to 23, so a valid keystore should always be available; however, I've had a small number of crash reports about keystore failures, with one in particular from an Essential PH1 phone running Android 10.
The error reported is the following:
Non-fatal Exception: java.security.InvalidKeyException
Keystore operation failed
android.security.KeyStore.getInvalidKeyException (KeyStore.java:1362)
android.security.KeyStore.getInvalidKeyException (KeyStore.java:1402)
android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit (KeyStoreCryptoOperationUtils.java:54)
android.security.keystore.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:89)
android.security.keystore.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:265)
android.security.keystore.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:148)
javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2980)
javax.crypto.Cipher.tryCombinations (Cipher.java:2891)
javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2796)
javax.crypto.Cipher.chooseProvider (Cipher.java:773)
javax.crypto.Cipher.init (Cipher.java:1288)
javax.crypto.Cipher.init (Cipher.java:1223)
Caused by android.security.KeyStoreException
-62
android.security.KeyStore.getKeyStoreException (KeyStore.java:1292)
android.security.KeyStore.getInvalidKeyException (KeyStore.java:1402)
android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit (KeyStoreCryptoOperationUtils.java:54)
android.security.keystore.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:89)
android.security.keystore.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:265)
android.security.keystore.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:148)
javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2980)
javax.crypto.Cipher.tryCombinations (Cipher.java:2891)
javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2796)
javax.crypto.Cipher.chooseProvider (Cipher.java:773)
javax.crypto.Cipher.init (Cipher.java:1288)
javax.crypto.Cipher.init (Cipher.java:1223)
It also seems to fail on different occasions when getting the key:
Caused by android.security.KeyStoreException
-62
android.security.KeyStore.getKeyStoreException (KeyStore.java:839)
android.security.keystore.AndroidKeyStoreProvider.getKeyCharacteristics (AndroidKeyStoreProvider.java:236)
android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore (AndroidKeyStoreProvider.java:356)
android.security.keystore.AndroidKeyStoreSpi.engineGetKey (AndroidKeyStoreSpi.java:101)
java.security.KeyStore.getKey (KeyStore.java:1062)
I've scoured the internet and the Android source code for information on error -62 and found nothing besides a report containing the same error for Signal, which doesn't appear to have ever been resolved:
https://github.com/signalapp/Signal-Android/issues/8589
I've no idea what's causing this, or why, when it works on literally every other device.
If someone can shed some light on this issue it would be greatly appreciated.
If it makes a difference I'm using AES 128 encryption with GCMParameterSpec and a fixed IV.
The key is created with the following parameters:
setBlockModes(KeyProperties.BLOCK_MODE_GCM)
setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
setKeySize(128)
setRandomizedEncryptionRequired(false)
EDIT
I've finally found the error definition and description here:
https://source.android.com/reference/hal/structkeymaster2__device
KM_ERROR_KEY_REQUIRES_UPGRADE = -62,
keymaster_error_t (* upgrade_key)(const struct keymaster2_device *dev, const keymaster_key_blob_t *key_to_upgrade, const keymaster_key_param_set_t *upgrade_params, keymaster_key_blob_t *upgraded_key)
Upgrades an old key. Keys can become "old" in two ways: Keymaster can be upgraded to a new version, or the system can be updated to invalidate the OS version and/or patch level. In either case, attempts to use an old key will result in keymaster returning KM_ERROR_KEY_REQUIRES_UPGRADE. This method should then be called to upgrade the key.
Parameters
[in] dev The keymaster device structure.
[in] key_to_upgrade The keymaster key to upgrade.
[in] upgrade_params Parameters needed to complete the upgrade. In particular, KM_TAG_APPLICATION_ID and KM_TAG_APPLICATION_DATA will be required if they were defined for the key.
[out] upgraded_key The upgraded key blob.
This would suggest security patches or otherwise updating the OS requires keys to be upgraded. This doesn't make sense though as it occurs every time starting the app and the OS definitely isn't being updated that often.
The function 'upgrade_key' seems to be part of the Android system and isn't even accessible from the Java side. How on earth are you meant to handle this error?
As an app developer you are not meant to handle this error. This gets handled, transparently, by the keystore daemon. If it trickles all the way up to the application, something has gone seriously wrong. There could be a bug in the keystore daemon or the underlying keymaster implementation.
If you can easily reproduce it, it would be helpful if you would file a bug report: https://developer.android.com/studio/debug/bug-report
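The answer is right that KM_ERROR_KEY_REQUIRES_UPGRADE is the keystore daemon's job, but an app still has to decide what to do when Cipher.init throws InvalidKeyException for a key it did not corrupt itself. The following is an added example (not the poster's code) of AES-GCM under an AndroidKeyStore key: it keeps randomized encryption at its default so Keystore picks a fresh IV per message, stores that IV with the ciphertext, and treats a rejected key (as opposed to a bad tag on the ciphertext) as unrecoverable by deleting the alias and signalling the caller. The alias name is assumed; the key size 256 is a choice, 128 as in the question is equally valid.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (not from the original thread): AES-GCM with an AndroidKeyStore key, plus key-loss containment. */
public final class KeystoreGcmExample {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "account-data-key";   // assumed alias, not the poster's
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int TAG_BITS = 128;

    /** Thrown when the stored key is gone for good; the caller must re-enrol the user's data. */
    public static final class KeyResetException extends GeneralSecurityException {
        KeyResetException(Throwable cause) {
            super("keystore key was unusable and has been deleted", cause);
        }
    }

    private static KeyStore keyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        return ks;
    }

    /** Returns the existing key or generates one. Randomized encryption is left at its default (required). */
    public static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore.Entry entry = keyStore().getEntry(ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // No setRandomizedEncryptionRequired(false): Keystore then generates a 12-byte IV for
                // every encrypt() and refuses caller-supplied IVs. GCM with a repeated IV under one key
                // leaks the XOR of the plaintexts and lets an attacker forge authentication tags.
                .build());
        return kg.generateKey();
    }

    /** Output layout: 1-byte IV length || IV || ciphertext || 16-byte GCM tag. */
    public static byte[] encrypt(byte[] plaintext) throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = cipher.getIV();                 // chosen by Keystore; must be stored with the data
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(1 + iv.length + ct.length)
                .put((byte) iv.length).put(iv).put(ct).array();
    }

    public static byte[] decrypt(byte[] blob) throws GeneralSecurityException, IOException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] iv = new byte[in.get() & 0xFF];
        in.get(iv);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ct);   // AEADBadTagException here means corrupted data, not a bad key
    }

    /**
     * Decrypts, and if Cipher.init rejects the key itself (KeyPermanentlyInvalidatedException after a
     * lock-screen change, or a keystore daemon failure such as the -62 trace in the question),
     * deletes the alias so the next encrypt() starts over with a new key. The old data is
     * unrecoverable either way; surfacing that as KeyResetException keeps the app from crashing.
     */
    public static byte[] decryptOrReset(byte[] blob) throws GeneralSecurityException, IOException {
        try {
            return decrypt(blob);
        } catch (InvalidKeyException e) {
            keyStore().deleteEntry(ALIAS);
            throw new KeyResetException(e);
        }
    }
}
```

The distinction the code draws matters for the report in the question: a -62 that reaches the app is a keystore or keymaster defect worth a bug report, but the app still needs a defined path (re-login, re-enrolment) for the user whose device produced it, rather than a crash loop on every start.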
I'm developing an Android application that uses a U.are.U 4500 fingerprint reader to identify users. I already have a backend server, using SQL Server, to store and register user data, and now I need my app to be able to read the user's fingerprint and verify whether it matches any of the fingerprints in the database. Does anyone know an SDK that is able to do this comparison?
I'm using the asia.kanopi.fingerscan package to read the user's fingerprint, and I already have the scan working; now I only need to take this image and compare it to the data in the SQL database. I saw a few answers here on StackOverflow telling me to use the OpenCV library for Android, but none of them could give me any lead on how to do it.
I based my development on this tutorial: https://medium.com/touch4it/fingerprint-external-scanner-with-usb-database-sdk-64c3ec5ea82d, but unfortunately I couldn't find the IDKit Fingerprint SDK Mobile anywhere.
How can I successfully match the image with the one stored in the database?
For those who are still looking for an answer to this problem: it's been a while since I actually implemented my solution, and when I did it, I added this line to my app Gradle file:
com.github.lmone:SourceAFIS-Android:v3.4.0-fix3
But now I can't seem to find the GitHub link anywhere. Maybe the repository got deleted. If someone finds it, please send it to me so I can update my answer here.
Besides that, if you can still add the library to your Android project, the basic idea is to use a FingerprintMatcher to compare two FingerprintTemplates.
Example:
// Build the probe template once from the freshly scanned image (byte[] of the image file, 500 dpi).
FingerprintTemplate probe = new FingerprintTemplate().dpi(500).create(digital_byte_array);
// Index the probe once and reuse the matcher for every candidate instead of re-indexing per row.
FingerprintMatcher matcher = new FingerprintMatcher().index(probe);
while (result.next()) {                        // result: the JDBC ResultSet over the stored fingerprints
    byte[] imgCandidate = digital_to_compare;  // the stored image bytes for this row
    FingerprintTemplate candidate = new FingerprintTemplate()
            .dpi(500)
            .create(imgCandidate);
    double score = matcher.match(candidate);
    if (score >= 40) {
        // Found a match
    }
}
In my case, I found the performance a little slow. It was usable, but nothing compared to Android's built-in fingerprint device. Also, the bigger your collection of fingerprints, the longer it will take to find a match.
The match score threshold is up to you to decide, whatever suits your project better. 40 was a reliable amount in my case. The same goes for the FingerprintTemplate dpi.
Also, the method .create() receives a byte[] as its parameter.
EDIT
I found this link and I'm almost certain it is the library I used, but under a new repository name:
https://github.com/robertvazan/sourceafis-java
The docs look just the same as the code I used: https://sourceafis.machinezoo.com/java
To match a user on the server side, you have to use an AFIS server: https://en.wikipedia.org/wiki/Integrated_Automated_Fingerprint_Identification_System
Here are some providers of AFIS solutions:
http://www.neurotechnology.com/megamatcher.html
https://www.nec.com.au/expertise/safety-security/identity-access/fingerprint
https://www.innovatrics.com/innovatrics-abis/
https://www.dermalog.com/products/software/civil-afis-abis/
http://www.m2sys.com/automated-fingerprint-identification-system-afis/
I am currently working on an embedded Android application. At present, we have released our device at a small scale and are trying to diagnose some of the problems that users are reporting. Currently, we are writing our logs locally to files on the SD card, but that is obviously a very limited solution.
We have a solution in mind which would involve creating a service to upload our logs automatically, but first I was wondering if there is any standard way to gather logs?
You can use a logging service like Loggly. Install an Android library to log to Loggly, such as Timber-Loggly. You can then start logging.
To make it easier to log to all of your loggers, create a logging function such as:
// Writes to Logcat and to every Timber tree planted at startup (e.g. the Loggly tree)
public static void dLog(String message) {
    Log.d(TAG, message);
    Timber.d(message);
}
Can anyone help me with the following question, please?
My Android app is able to send the data via HTTPS when compiling the debug version, but the release version fails there.
The HTTPS certificate is not self-signed, and the whitelist plugin is working.
Interestingly, if the debug version is installed and then the release version is installed without uninstalling the debug version, everything works out well.
Can anyone help me here? Thank you in advance!
Problem solution:
The SSL-Chain was the problem for me.
1) To check if this might be an issue for your app, too, you may go to:
https://www.digicert.com/help/
Type in your domain (if already available online) and test your SSL configuration. If the last point does not say "SSL Certificate is correctly installed" and you bought your certificate from a trustworthy authority, this website already hints at an issue you might have with the intermediate certificates.
2) Fix issue:
a) The necessary intermediate certificates came with the SSL .rar file you once received. With the provider I had chosen, they sent me three .pem files (besides other files, of course) named:
01_COMODO_RSA_Organization_Validation_Secure_Server_CA, 02_COMODO_RSA_Certification_Authority,
03_AddTrust_External_CA_Root
Other authorities might send you something like someName.ca-bundle. That's the same thing, as far as I understood it, so you can skip this part a).
Concatenate the plain text of these three files, meaning store them together in another file. No additional text changes are necessary. When storing this file, make sure it has the .crt file ending.
b) Upload your chosenName.crt to your server into the same folder your ssl.crt is stored in already.
c) Make this new file known to the system. In your .conf file (e.g. default-ssl.conf), the same file you once added the paths to your ssl .crt and .key in, set "SSLCertificateChainFile" to the new file (example path: "/etc/ssl/ssl.crt/chosenName.crt") and update the certificates (I used the command update-ca-certificates, but I'm not sure if this was necessary at all).
d) Stop and start your web server. If an error message regarding a wrong configuration is displayed, you have probably mistyped the path to the file or its name, so it cannot be found. If your web server starts successfully, you're done.
Another check on the link above (I am not allowed to have more than 2 links within this post) should now show you the SSL chain (now containing 4 instead of 1 certificate), and the above-mentioned "SSL successfully installed" message should appear.
Hopefully this will help you!
Further info:
Whether you need this SSL chain with 4 certificates or not is probably something that can vary. I looked it up on the Comodo support site because that was the SSL certificate authority I had to deal with:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate
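The online checker the answer relies on can be reproduced locally. The program below is an added example (not the answerer's code): it takes one argument, a PEM file holding the certificates exactly as the server sends them (leaf first, then intermediates; `openssl s_client -connect host:443 -servername host -showcerts` captures that), checks that each certificate is really issued and signed by the next one, and then validates the chain the way a TLS client does, against the JVM's default trust store and without going out to fetch a missing intermediate. That last point is why a site can look fine in a desktop browser, which often caches or fetches intermediates, yet fail on Android, whose trust manager does not.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not from the original thread): offline check of a served TLS certificate chain. */
public final class ChainCheck {

    /** Loads every PEM certificate from the stream, in file order (leaf first, as a server sends it). */
    public static List<X509Certificate> loadPem(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(in)) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** Structural check: each certificate must be named and signed by the one after it. Returns the problems found. */
    public static List<String> linkageProblems(List<X509Certificate> chain) {
        List<String> problems = new ArrayList<>();
        if (chain.isEmpty()) {
            problems.add("no certificates in file");
            return problems;
        }
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate child = chain.get(i);
            X509Certificate parent = chain.get(i + 1);
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                problems.add("cert " + i + " issuer '" + child.getIssuerX500Principal()
                        + "' is not the subject of cert " + (i + 1));
            }
            try {
                child.verify(parent.getPublicKey());
            } catch (GeneralSecurityException e) {
                problems.add("cert " + i + " is not signed by cert " + (i + 1) + ": " + e);
            }
        }
        return problems;
    }

    /**
     * Validates the served chain like a TLS client: PKIX path building against the platform's default
     * trust store, using only the certificates given plus trusted roots (no AIA fetching).
     * authType "UNKNOWN" makes the JDK check only the digitalSignature key-usage bit, which both
     * RSA and ECDSA server certificates carry.
     */
    public static void validateLikeClient(List<X509Certificate> chain) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                ((X509TrustManager) tm).checkServerTrusted(chain.toArray(new X509Certificate[0]), "UNKNOWN");
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ChainCheck served-chain.pem");
            System.exit(2);
        }
        List<X509Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = loadPem(in);
        }
        for (int i = 0; i < chain.size(); i++) {
            System.out.println("[" + i + "] " + chain.get(i).getSubjectX500Principal()
                    + "   issued by   " + chain.get(i).getIssuerX500Principal());
        }
        for (String p : linkageProblems(chain)) {
            System.out.println("PROBLEM: " + p);
        }
        try {
            validateLikeClient(chain);
            System.out.println("OK: chain validates against the default trust store");
        } catch (CertificateException e) {
            System.out.println("FAIL: " + e.getMessage()
                    + " (a missing intermediate is the usual cause; fix SSLCertificateChainFile)");
        }
    }
}
```

Run it once against the chain captured before the fix and once after: the first run should print a FAIL with an "unable to find valid certification path" style message, the second an OK with every issuer/subject pair lining up. The root certificate at the end of the answer's four-certificate bundle is harmless but unnecessary; clients ignore a served root and use their own copy.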