1

I have a problem with SSL certificates. I am using BouncyCastle, 1.46 and this has proven successful for 3.1. and 4.0 HW I tested on. However it fails on 2.3.5.

I have checked with android docs, and notice, while 1.46 of BC is successful for 3.1 and 4.04, 1.45 should do the trick for 2.3.5.

But it does not. I have tried the below code snippet where the BKS data mystore_gb has been generated using bcprov-jdk15-145.jar (I have tried jdk13-16 variants with this):

KeyStore trusted = KeyStore.getInstance("BKS");
InputStream in;
if (Build.VERSION.SDK_INT<11) {
  in = context.getResources().openRawResource(R.raw.mystore_gb);
} else {
  in = context.getResources().openRawResource(R.raw.mystore);
}

try {
  trusted.load(in, PWD.toCharArray());
} finally {
  in.close();
}

The script I use to generate seem to have resulted in Ok info, looks like:

#!/bin/bash

echo | openssl s_client -connect $1:443 2>&1 | \
 sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem


export CLASSPATH=bcprov-jdk15-145.jar
CERTSTORE=res/raw/mystore_gb.bks
if [ -a $CERTSTORE ]; then
    rm $CERTSTORE || exit 1
fi
keytool \
      -importcert \
      -v \
      -trustcacerts \
      -alias 0 \
      -file mycert.pem \
      -keystore $CERTSTORE \
      -storetype BKS \
      -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
      -providerpath ./ \
      -storepass $2

So why does not this work? I get

09-06 21:51:36.397: D/ServerBase(26999): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

My target HW has 2.3.5 Android, and should house also BouncyCastle of ver 1.45. If I generate a BC certificate using 1.45 and deploy it on my 2.3.5 HW, then it should be handled properly and give me the SSL connection.

What am I missing here ?

opaque
  • 394
  • 1
  • 10

1 Answers1

1

SSLPeerUnverifiedException isn't an issue with the certificate verification, it's an issue with the fact that the server didn't send a certificate. I doubt this has much to do with the version of BouncyCastle.

What you generate your certificate with shouldn't have anything to do with any of this, as long as the result is valid X.509. Here, you just seem to be importing an existing certificate, taking the server certificate you get on an initial connection as the reference.

The exception you're getting here is rather probably due to an issue with the chosen cipher suite and/or SSL/TLS version. (You could have a look at this question, including comments, although I'm not suggesting you should downgrade to SSLv3).

You could try various cipher suites and/or SSL/TLS versions with openssl s_client (e.g. -cipher option or combinations of -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1, check the documentation for s_client). Some of this may be due to incorrect server configuration too.

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376
  • I have checked with commands openssl s_client -tls1 -showcerts -connect :443 and similar with ssl3 and I get a chain of two certs and an err "verify error:num=19:self signed certificate in certificate chain" in both cases as I guess one would for a self signed certificate. The server is conf'ed with both TLSv1 and SSL3. – opaque Sep 07 '12 at 06:59
  • But I think your advice is worth follow and do some more digging. Realize now that the errors I get are :Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL. – opaque Sep 07 '12 at 08:03
  • Tried a lot of things, none worked. I have the server set to SSLProtocol all -SSLv2 and SSLCipherSuite ALL. Still no dice. The openssl s_client commands return certs for both TLS and SSL, although there is an error indicating that they are selfsigned. I have tried to force SSLv3 as proposed in the info in the linked page. I have tried to force a select number of cipher suites in the app. Nothing worked. Ohh, I had the checkServerTrusted() return without action. Got a connection in that case (took a long time). It was with forces SSLv3, had RC4-SHA cipher. Only time there were success. Unsafe. – opaque Sep 07 '12 at 11:50
  • Ok, digging deeper, I can see that my certs are loaded but checkServerTrusted() seem to reject my self signed CA. "NativeCrypto" is returning error code 2 (result 1). I conclude that the difference lay not with cipher suite nor server setup. This has to do with the fact that it is a self signed cert and 2.3.x is not easily coaxed into follow suite. Ill be happy if anybody can persuade my otherwise... I will have to default to an unsecure modus operandi for GB, and keep my original solution for 3.0 and onwards. Thank you Bruno, you were right. No shadow on BouncyShadow here. – opaque Sep 07 '12 at 13:36
  • In the end satisfied. The answer did not in itself resolve my problem, but still made me focus on other problems, so I could end up with a workable solution. (Not great but OK). I use insecure TrustManager for version prior to 3.0. But as of now the data is not of critical nature (game stats mostly). So: Thanks. – opaque Sep 14 '12 at 08:21