opaque

Reputation: 394

BouncyCastle version and SSL certificate acceptance

I have a problem with SSL certificates. I am using BouncyCastle 1.46, and this has proven successful on the 3.1 and 4.0 HW I tested on. However, it fails on 2.3.5.

I have checked the Android docs and noticed that, while BC 1.46 is successful for 3.1 and 4.04, 1.45 should do the trick for 2.3.5.

But it does not. I have tried the below code snippet where the BKS data mystore_gb has been generated using bcprov-jdk15-145.jar (I have tried jdk13-16 variants with this):

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import android.content.Context;
import android.os.Build;

// Load the BKS trust store shipped as a raw resource. Devices below API 11
// (2.3.x) are expected to carry the older BouncyCastle, so they get the store
// written with bcprov 1.45 (mystore_gb); newer devices get the 1.46 store.
KeyStore trusted = KeyStore.getInstance("BKS");
InputStream in;
if (Build.VERSION.SDK_INT < 11) {
  in = context.getResources().openRawResource(R.raw.mystore_gb);
} else {
  in = context.getResources().openRawResource(R.raw.mystore);
}

try {
  // PWD is the store password given to keytool when the BKS file was created
  trusted.load(in, PWD.toCharArray());
} finally {
  in.close();
}

The script I use to generate it seems to have produced OK info; it looks like:

#!/bin/bash
# Usage: <script> <host> <storepass>
# 1. Fetch the certificate the server presents on a fresh connection and keep
#    only the PEM block.
echo | openssl s_client -connect "$1:443" 2>&1 | \
 sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem
# Stop here if no certificate came back, instead of importing an empty file.
[ -s mycert.pem ] || { echo "no certificate received from $1" >&2; exit 1; }

# 2. Import it into a BKS store using the BouncyCastle 1.45 provider jar.
export CLASSPATH=bcprov-jdk15-145.jar
CERTSTORE=res/raw/mystore_gb.bks
if [ -e "$CERTSTORE" ]; then
    rm "$CERTSTORE" || exit 1
fi
keytool \
      -importcert \
      -v \
      -trustcacerts \
      -alias 0 \
      -file mycert.pem \
      -keystore "$CERTSTORE" \
      -storetype BKS \
      -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
      -providerpath ./ \
      -storepass "$2"

So why does this not work? I get

09-06 21:51:36.397: D/ServerBase(26999): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

My target HW has Android 2.3.5, and should also house BouncyCastle ver 1.45. If I generate a BC certificate using 1.45 and deploy it on my 2.3.5 HW, then it should be handled properly and give me the SSL connection.

What am I missing here?

Upvotes: 1

Views: 1933

Answers (1)

Bruno

Reputation: 122659

SSLPeerUnverifiedException isn't an issue with the certificate verification; it's an issue with the fact that the server didn't send a certificate. I doubt this has much to do with the version of BouncyCastle.

What you generate your certificate with shouldn't have anything to do with any of this, as long as the result is valid X.509. Here, you just seem to be importing an existing certificate, taking the server certificate you get on an initial connection as the reference.

The exception you're getting here is rather probably due to an issue with the chosen cipher suite and/or SSL/TLS version. (You could have a look at this question, including comments, although I'm not suggesting you should downgrade to SSLv3).

You could try various cipher suites and/or SSL/TLS versions with openssl s_client (e.g. -cipher option or combinations of -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1, check the documentation for s_client). Some of this may be due to incorrect server configuration too.

Upvotes: 1
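To turn the answer's suggestion into a repeatable check, the following is an added shell example (not code from the question or the answer). It classifies openssl s_client output as "certificate presented" versus "no certificate at all", which is exactly the distinction behind a "No peer certificate" error, and then probes the protocol-version switches the answer lists against a host. The host, port and the function names are assumptions; the sample output used to exercise the parser is constructed from the standard s_client text format.

```shell
#!/bin/sh
# Added example: distinguish "server sent no certificate" from "certificate
# sent but not trusted" by reading openssl s_client output. Assumes the
# standard s_client text output (PEM block plus an SSL-Session summary).

# Return 0 if the captured output holds a PEM certificate block, i.e. the
# server actually presented a certificate. A "No peer certificate" failure
# corresponds to this block being absent.
has_peer_cert() {
    # $1 = file holding s_client output
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the negotiated protocol and cipher from the SSL-Session summary,
# e.g. "TLSv1 AES256-SHA". Prints "none" when no handshake completed
# (s_client reports cipher 0000 in that case).
negotiated() {
    proto=$(sed -n 's/^ *Protocol *: *//p' "$1" | head -n 1)
    cipher=$(sed -n 's/^ *Cipher *: *//p' "$1" | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "none"
    else
        echo "$proto $cipher"
    fi
}

# Classify one s_client output file as:
#   no-cert   : handshake failed or the server presented nothing
#   cert-sent : a certificate was presented (trust is a separate question)
classify() {
    if has_peer_cert "$1"; then
        echo "cert-sent ($(negotiated "$1"))"
    else
        echo "no-cert ($(negotiated "$1"))"
    fi
}

# Live probe over the version switches the answer mentions. Needs network
# access; an openssl built without SSLv3 rejects -ssl3 with an option error,
# which simply shows up as no-cert for that row.
probe() {
    host=$1; port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(mktemp)
        echo | openssl s_client -connect "$host:$port" -servername "$host" "$flag" >"$out" 2>&1 || true
        printf '%-8s %s\n' "$flag" "$(classify "$out")"
        rm -f "$out"
    done
}
```

Run `probe myserver.example 443` to get one line per protocol switch; a host that shows `cert-sent` only under some switches points at a version or cipher-suite mismatch on the server side, whereas `no-cert` on every row means the certificate never arrives and no keystore change on the client can fix that.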
