whorlwind icon indicating copy to clipboard operation
whorlwind copied to clipboard

Published 20 hours ago verified publisher icon square

Key generator uses RSA PKCS#1 v1.5 padding

Open sethkraut opened this issue 6 years ago • 2 comments

The key generator uses RSA PKCS#1 v1.5 padding, which has security issues. RSA Optimal Asymmetric Encryption Padding (OAEP) appears to be a better choice. Is it possible to switch or to allow configuration of the padding?

RealWhorlwind.java:155

sethkraut avatar Feb 19 '19 20:02 sethkraut

Looks like it would require bumping the min SDK to 23: https://developer.android.com/training/articles/keystore#SupportedAlgorithms

mattprecious avatar Feb 19 '19 21:02 mattprecious

Is there any reason not to use the stronger padding and then fall back to the weaker padding if the build version is lower? I noticed in the RealWhorlwind.java file there is already a check to see if the fingerprint or biometric permission should be used. Something similar could work for the padding. I can submit a PR if that would help.

Edit: And it appears that this class requires 23:

@RequiresApi(Build.VERSION_CODES.M)
final class RealWhorlwind extends Whorlwind {

jbryan26 avatar Feb 27 '19 12:02 jbryan26