Bouncycastle Security issue (Third party restriction on BlackBerry)
Hi,
I have an issue using the Bouncycastle (bouncycastle.org) J2ME package for BBs (my development environment is "NetBeans Mobility" - MIDP 2.0).
This is the only existing package for J2ME MIDP used for security encryption/decryption etc.
Since this package consists of java/io/FilterInputStream.class, java/io/FilterOutputStream.class,
java/math/BigInteger.class and java/security/SecureRandom.class which are
part of JDK .. BlackBerry throws a verification error ...
The BlackBerry handheld software enforces a restriction on third party applications where their package names cannot contain any combination of the strings that are provided in the knowledge base article:
blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/348583/796557/800451/800783/Support_-_Restricted_Package_Names.html?nodeid=817434&vernum=0
This is a system check that occurs when an application is loaded/run. This check does not occur on simulators that are not running in secure mode, hence the reason why this sometimes runs through the BlackBerry handheld simulator. To resolve this issue, these classes must be moved to another package that does not contain any restriction.
Even after using the "High" level of the "Proguard" obfuscator (default for "Netbeans Mobility" 7.2), BB can find out that it's still there ...
BlackBerry devices and simulators throw a verification error,
and in the process of conversion to a COD file (app file for BBs) I have a few warnings like this one:
ae: Warning!: Duplicate method only differs by return type: a
ae: Warning!: Duplicate method only differs by return type: a
Parsing classfile: af.class
My understanding is that overriding of JDK classes was checked on this level too (as far as I know, any implementation should not override JDK classes).
Specifically, the import jar file, "cldc_classes.zip", is causing this
error message as four class files that are being imported use the java
package:
java/io/FilterInputStream.class
java/io/FilterOutputStream.class
java/math/BigInteger.class
java/security/SecureRandom.class
These class definitions must be moved to a different package (not
using the restricted package names) in order to function properly.
I double checked this - the below indicates that high obfuscation should
work on cellphones, but not on BB devices:
discussion.forum.nokia.com/forum/showthread.php?t=90558 (Problem: Java.Security.SecureRandom does not exists - Developer Discussion Boards)
The posting is only a month old.
This is an answer I got from bouncycastle support
(feedback-crypto@bouncycastle.org):
>These classes are necessary to fully support the lightweight API
>(without creating a duplicate source tree). The idea is to use an
>obfuscator after building the app to change the names of these before
>attempting to load it into a device.
Does anybody have a similar problem ???
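
A pre-conversion check for the situation described in the post, as an added example that is not part of the original post or of Bouncy Castle: it reads the class name each `.class` file declares in its constant pool (an obfuscator can change that name independently of the zip entry path) and reports those still in a restricted package. The prefix list and the `sample_class` helper are assumptions made for illustration.

```python
import struct
import zipfile

# Assumption: only the "java" package from the post; see the linked KB article.
RESTRICTED_PREFIXES = ("java/",)
# Bytes following the tag for each fixed-width constant pool entry.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_name(data):
    """Return the internal name (this_class) declared inside a .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, index, utf8, classes = 10, 1, {}, {}
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            length = struct.unpack_from(">H", data, pos)[0]
            utf8[index] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in CP_SIZES:
            if tag == 7:  # CONSTANT_Class: u2 index of its Utf8 name
                classes[index] = struct.unpack_from(">H", data, pos)[0]
            pos += CP_SIZES[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    this_class = struct.unpack_from(">H", data, pos + 2)[0]  # after access_flags
    return utf8[classes[this_class]]

def restricted_classes(jar):
    """Return (zip entry, declared name) for classes in a restricted package."""
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                name = class_name(zf.read(entry))
                if name.startswith(RESTRICTED_PREFIXES):
                    hits.append((entry, name))
    return hits

def sample_class(name):
    """Constructed minimal class file declaring `name` (sample input only)."""
    n = name.encode()
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 47, 3) + b"\x01"
            + struct.pack(">H", len(n)) + n + b"\x07\x00\x01"
            + struct.pack(">7H", 0x21, 2, 0, 0, 0, 0, 0))
```

Run `restricted_classes("app.jar")` on the obfuscated jar before converting it to a COD file; an empty list means no class still declares a name under the listed prefixes.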