pprados

Reputation: 1127

Client certificate bug with Jelly Bean

With Android, I use a TLS connection with mutual authentication, with a client certificate created with this code.

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.x509.X509V1CertificateGenerator;
import android.os.Build.VERSION;
import android.os.Build.VERSION_CODES;

// sUuid is a static java.util.UUID field of the enclosing class (not shown here)
private static X509Certificate generateX509V1Certificate(KeyPair pair, SecureRandom sr)
    throws GeneralSecurityException
{
  String dn = "CN=" + sUuid.toString();
  // validity window: from one hour ago to one year from now
  final Calendar calendar = Calendar.getInstance();
  calendar.add(Calendar.HOUR, -1);
  final Date startDate = new Date(calendar.getTimeInMillis());
  calendar.add(Calendar.YEAR, 1);
  final Date expiryDate = new Date(calendar.getTimeInMillis());
  final BigInteger serialNumber =
    BigInteger.valueOf(Math.abs(System.currentTimeMillis()));
  X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
  X500Principal dnName = new X500Principal(dn);
  certGen.setSerialNumber(serialNumber);
  certGen.setIssuerDN(dnName);
  certGen.setNotBefore(startDate);
  certGen.setNotAfter(expiryDate);
  certGen.setSubjectDN(dnName); // note: same as issuer (self-signed)
  certGen.setPublicKey(pair.getPublic());
  certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
  if (VERSION.SDK_INT < VERSION_CODES.GINGERBREAD)
    return certGen.generateX509Certificate(pair.getPrivate(), "BC");
  else
    return certGen.generate(pair.getPrivate(), sr);
}

The key pair algorithm is "RSA". The cipher algorithm is "RSA/ECB/PKCS1Padding".

It worked fine before the Jelly Bean version.

With Jelly Bean, I receive an error when I invoke

socket.getSession().getPeerCertificates()

The process was killed, with this in the log:

E/NativeCrypto(1133): error:140C10F7:SSL routines:SSL_SET_PKEY:unknown certificate type
A/libc(1133): Fatal signal 11 (SIGSEGV) at 0x00000000 (code=1), thread 1233 (AsyncTask #1)

I have no idea how I can resolve this bug.

Can you help me?

Upvotes: 4

Views: 836

Answers (2)

vap78

Reputation: 1061

I just had this issue and one more with following error: Fatal signal 11 (SIGSEGV) at 0x3f80005c (code=1), thread 11709 (FinalizerDaemon)

They started happening at random when I upgraded to 4.1.1 on Galaxy S3 on an application that uses client SSL authentication by consuming keys from the KeyChain API.

It worked fine on 4.0.4 (fortunately I managed to downgrade).

I'm not 100% sure but 4.1.1 seems to have quite a few bugs related to the SSL - check this one: http://code.google.com/p/android/issues/detail?id=35141 and also this one: http://code.google.com/p/android/issues/detail?id=34577 (might not be that relevant for the current case) Also in this forum post: https://groups.google.com/forum/?fromgroups=#!topic/android-developers/Lj2iHX4prds there is a mention about SEGFAULT when doing GC on the PrivateKey object returned from the KeyChain API.

So as a final advice - stay on 4.0.4 as long as possible or go to 4.1.2 - there seem to be some bug fixes.

Also I can confirm that the two issues that I had are not present on the 4.1.2 emulator. There is no 4.1.2 image for Galaxy S3 so I'm not able to confirm them as fixed for a real device (don't have another one).

Hope that helps.

Upvotes: 2

Nikolay Elenkov

Reputation: 52936

Dump the generated certificate to a file and try to parse it with OpenSSL 1.0. That is the same code that Android uses to parse certificates, so it should help you find the error. Maybe they simply don't support v1 certificates anymore; you could try generating a v3 one.

Upvotes: 2
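As an added illustration of the two suggestions in this answer (not code from the question or the answer author), the following generates a self-signed v3 client certificate with the BouncyCastle certificate builder API and writes it out as DER so it can be inspected with OpenSSL. It assumes the bcpkix classes (or their Android repackaging, e.g. SpongyCastle) are on the classpath; the class and method names are my own.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.UUID;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ClientCertV3 {
  // Hypothetical helper: self-signed v3 certificate for TLS client authentication.
  static X509Certificate generateSelfSignedV3(KeyPair pair, UUID uuid, SecureRandom sr)
      throws Exception {
    X500Name dn = new X500Name("CN=" + uuid);          // subject == issuer (self-signed)
    long now = System.currentTimeMillis();
    Date notBefore = new Date(now - 3600L * 1000L);    // one hour ago (clock skew)
    Date notAfter = new Date(now + 365L * 24L * 3600L * 1000L);
    BigInteger serial = new BigInteger(64, sr);        // random serial instead of a timestamp
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
        dn, serial, notBefore, notAfter, dn, pair.getPublic());
    // v3 extensions: end-entity only, usable for signing/key transport, client auth
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    builder.addExtension(Extension.keyUsage, true,
        new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    builder.addExtension(Extension.extendedKeyUsage, false,
        new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(pair.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
  }

  public static void main(String[] args) throws Exception {
    SecureRandom sr = new SecureRandom();
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048, sr);
    KeyPair pair = kpg.generateKeyPair();
    X509Certificate cert = generateSelfSignedV3(pair, UUID.randomUUID(), sr);
    try (FileOutputStream out = new FileOutputStream("client.der")) {
      out.write(cert.getEncoded());               // DER, as Android hands it to OpenSSL
    }
    // Inspect the dump with: openssl x509 -inform DER -in client.der -noout -text
  }
}
```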
