XadesProfileResolutionException in Android #154

luisgoncalves opened this issue May 23, 2018 · 21 comments

@luisgoncalves
Owner

Following this question in S.O., we need to investigate the reason for the exception. Is it actually possible to run xades4j as is on Android?

Full stack trace: https://pastebin.com/DXPG91DV.

Sample Android app: https://github.com/treekt/xadesSigning

First choose the XML document, next choose the certificate and type the password. The last step is to click the sign button... If the password is okay and you have selected every file, then the app throws the XadesProfileResolutionException. And remember about permissions in the Android Settings app, because otherwise the app throws UnexpectedJCAException.

@luisgoncalves
Owner Author

/CC @treekt, @jzeferino

@luisgoncalves
Owner Author

luisgoncalves commented May 23, 2018

@treekt can you hard-code some XML and certificate files in the sample itself? Makes it easier to test... You can use test certs from the xades4j repo, if needed.

@treekt

treekt commented May 24, 2018

I have tried, but in Android if I want to get a file from resources I get an InputStream, and that's a problem because in xades4j I have to provide a cert path to create the KeyingDataProvider etc.

@luisgoncalves
Owner Author

You'd need to create a new class derived from the abstract KeyStoreKeyingDataProvider... Anyway, I guess we can go forward with this.
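
For readers hitting the same InputStream-versus-path limitation, here is an added example (not part of the thread and not xades4j code) that reads the signing key and certificate chain from a PKCS#12 stream using only the standard JCA `KeyStore` API. The class name `StreamKeyMaterial` is hypothetical; wiring the result into a custom keying data provider is left to the caller.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Hypothetical holder for a signing key and its chain read from a stream. */
public final class StreamKeyMaterial {
    public final PrivateKey key;
    public final List<X509Certificate> chain;

    private StreamKeyMaterial(PrivateKey key, List<X509Certificate> chain) {
        this.key = key;
        this.chain = Collections.unmodifiableList(chain);
    }

    /** Loads the first private-key entry that has a non-empty X.509 chain. */
    public static StreamKeyMaterial load(InputStream pfx, char[] password)
            throws GeneralSecurityException, IOException {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(pfx, password); // works on any stream, e.g. an app resource
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) continue;
                Key k = ks.getKey(alias, password);
                Certificate[] certs = ks.getCertificateChain(alias);
                if (!(k instanceof PrivateKey) || certs == null || certs.length == 0) continue;
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : certs) {
                    if (c instanceof X509Certificate) chain.add((X509Certificate) c);
                }
                if (chain.size() == certs.length) {
                    return new StreamKeyMaterial((PrivateKey) k, chain);
                }
            }
            // Fail loudly rather than hand an empty chain to the signer.
            throw new KeyStoreException("no private key entry with an X.509 chain");
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password in memory
        }
    }
}
```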

@jzeferino

jzeferino commented May 24, 2018

@treekt which Android version are you running the app on?
Is it a real device or an emulator?

Can you please try to test again with the files below and give the output please?

Download the LG.pfx and use the password: mykeypass
Use this xml.
Also can you please target API 26. Replace this with your actual gradle.

@treekt

treekt commented May 25, 2018

It's Android 7.0, Huawei P9 Lite, so it's a real device.
I have added your gradle settings but I had to change buildToolsVersion to 27.0.3.
When I used these files I received this stack trace: https://pastebin.com/DJ0yQyAF
But when I try to sign the document with my own cert I receive the previous stack trace.

In addition I pushed changes to remote.

@treekt

treekt commented May 25, 2018

I commented out these lines:
    // if (keyingProvider.getSigningCertificateChain().isEmpty()) {
    //     throw new IllegalArgumentException("Nie mozna zainicializowac magazynu kluczy ze sciezki: " + pfxPath);
    // }

And then the above stack trace is absent, but again the app throws XadesProfileResolutionException.
Stack trace: https://pastebin.com/1PiWwHhp

@jzeferino

@treekt any chance for you to share your certificate or a copy of it?
Because when you used the certificate I told you I got the same exception as you. But I don't get the XadesProfileResolutionException yet, maybe it's due to your certificate nature.

@treekt

treekt commented May 25, 2018

Unfortunately no, because it's a certificate from my company.
But XadesProfileResolutionException is thrown with my cert and even with the test cert from the xades4j repo.
So I think it's a problem on the library side, not the cert.

@treekt

treekt commented May 30, 2018

@jzeferino When I used the cert which you told me I got SigningKeyException, but after removing this problem I again got XadesProfileResolutionException. You didn't get it?

@jzeferino

@treekt how did you:

but after remove this problem I got again XadesProfileResolutionException

?

@treekt

treekt commented May 30, 2018

I said a few posts above...
I commented out these lines:

    // if (keyingProvider.getSigningCertificateChain().isEmpty()) {
    //     throw new IllegalArgumentException("Nie mozna zainicializowac magazynu kluczy ze sciezki: " + pfxPath);
    // }

@jzeferino

@treekt after commenting out the line you told me, I got the xades4j.providers.SigningKeyException: XadesProfileResolutionException.

Now I will see what I can do with @luisgoncalves.

@luisgoncalves
Owner Author

luisgoncalves commented Jun 14, 2018

I've been looking through the stack trace and googling a bit... It seems that Guice uses a lot of reflection (and maybe code generation?) in runtime, which may be the issue. In the stack trace we have:

    at com.google.inject.internal.cglib.reflect.FastClassEmitter.<init>(FastClassEmitter.java:69)
    at com.google.inject.internal.cglib.reflect.FastClass$Generator.generateClass(FastClass.java:72)
    at com.google.inject.internal.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
    at com.google.inject.internal.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:216)
    at com.google.inject.internal.cglib.reflect.FastClass$Generator.create(FastClass.java:64)
    at com.google.inject.internal.BytecodeGen.newFastClass(BytecodeGen.java:166)

Some links:

Could it be that Android (or some security setting?) prevents such operations? I'll try to find more infos...

@luisgoncalves
Owner Author

luisgoncalves commented Jun 14, 2018

OK, it really seems related to byte-code generation: https://github.com/google/guice/wiki/OptionalAOP. They mention "cglib" in the AOP version, which is part of the code path in the stack trace...

I think xades4j is not using interception, so maybe it could run with "Guice no-AOP". Not sure if it would be enough to drop the no-AOP jar in the app binaries and try it. If not, we'd have to change the dependency in xades4j build, see if everything plays out, and try this with a new jar.

@luisgoncalves
Owner Author

I was looking a bit more into this:

  • xades4j depends on Guice multibindings, which depends on Guice (with AOP).
  • Tried including the no-AOP version explicitly but started getting errors on build/tests.

Conclusion so far is: unless there's something that could make AOP/byte code generation work in Android, there isn't a quick fix for the issue at hand.

Other ideas:

  • Further investigate the errors with the AOP version
  • Change xades4j implementation to not use the Guice multibindings and rely solely on the no-AOP package to see how it goes.

@treekt

treekt commented Aug 14, 2018

I have tried to replace the default Guice in your library with the no-aop version by changing the dependency:

    <dependency>
        <groupId>com.google.inject</groupId>
        <artifactId>guice</artifactId>
        <version>4.2.0</version>
        <classifier>no_aop</classifier>
    </dependency>

And after that, during signing I got an error with JAXB because Android doesn't support this.
Could you try to replace the XML library with another one?

@luisgoncalves
Owner Author

Did you have any issues with upgrading Guice?
I'm not much into existing XML libraries.. I don't know if there is an easy replacement (with code generation et al to avoid changing a lot in the xades4j source).

@developerAndroid098

@treekt - did you resolve this issue?

@lexboss777

bump

@luisgoncalves
Owner Author

luisgoncalves commented Apr 19, 2019

@lexboss93 this is a tricky one, mostly due to JAXB issues reported by @treekt. The Guice AOP/multibindings problem could probably be worked around by changing the internal DI configuration, but replacing JAXB is a much bigger endeavor, as it is a big rewrite on the lib and, from what I found, there aren't good alternatives for Android.
