Using RSA keys from AndroidKeyStore to establish an SSL connection


I save the RSA client keys and CA certificate in AndroidKeyStore for later retrieval and creation of the SSL context. When I try to establish an SSL connection, I get javax.net.ssl.SSLHandshakeException: Handshake failed.

If I use a PKCS12 KeyStore instead of AndroidKeyStore, then the SSL connection is successful. But in the PKCS12 repository I can’t save the keys, unlike AndroidKeyStore; I have to download them every time I connect. I suspect that the problem is that in PKCS12 and AndroidKeyStore, keys and certificates are stored in different formats. How can I solve this problem?

import android.util.Log;

import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Open the OS-backed keystore; load(null) is required before any other call
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);

// First run only: import the client key pair and the CA certificate from the PKCS#12 file
if (!keyStore.containsAlias("Client")) {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(mCertPKCS12, password.toCharArray());

    keyStore.setEntry("Client", ks.getEntry("Client", null), null);
    keyStore.setEntry("Server", ks.getEntry("Server", null), null);
}

KeyStore.PrivateKeyEntry keyClient = (KeyStore.PrivateKeyEntry) keyStore.getEntry("Client", null);
if (keyClient == null)
    throw new IllegalStateException("no private key entry under alias Client");
Log.d("###", "keyClient=" + keyClient.toString());

Certificate certClient = keyClient.getCertificate();
if (certClient != null)
    Log.d("###", "certClient=" + certClient.toString());

final Certificate certServer = keyStore.getCertificate("Server");
if (certServer == null)
    throw new IllegalStateException("no CA certificate under alias Server");
Log.d("###", "certServer=" + certServer.toString());

// Build a TrustManager that trusts only chains signed by the stored CA certificate
TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Not consulted on the client side of an outbound handshake
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        for (int j = 0; j < chain.length; j++) {
            chain[j].checkValidity();
            try {
                chain[j].verify(certServer.getPublicKey());
            } catch (NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException e) {
                e.printStackTrace();
                throw new CertificateException(e.getMessage());
            }
        }
    }

    public X509Certificate[] getAcceptedIssuers() {
        // Must not return null (callers may iterate it); advertise the CA we trust
        return new X509Certificate[] { (X509Certificate) certServer };
    }
};

String defaultAlg = KeyManagerFactory.getDefaultAlgorithm();
Log.d("aaa", "default KeyManagerFactory algorithm: " + defaultAlg);

// Build a KeyManager for client authentication, backed by AndroidKeyStore
KeyManagerFactory kmf = KeyManagerFactory.getInstance(defaultAlg);
kmf.init(keyStore, null);

SSLContext sslc = SSLContext.getInstance("TLS");
sslc.init(kmf.getKeyManagers(), new TrustManager[]{tm}, null);

Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x72c004a240: Failure in SSL library, usually a protocol error
2019-10-04 11:07:23.042 21015-21174/xxx.xxx.xxx W/System.err: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (external/boringssl/src/ssl/tls_record.cc:579 0x72c00149c0:0x00000001)
2019-10-04 11:07:23.043 21015-21174/xxx.xxx.xxx W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
2019-10-04 11:07:23.043 21015-21174/xxx.xxx.xxx W/System.err: at com.android.org.conscrypt.SslWrapper.doHandshake(SslWrapper.java:374)
2019-10-04 11:07:23.043 21015-21174/xxx.xxx.xxx W/System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:217)

java
android
ssl
android-keystore
pkcs#12
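Added example, not code from the question or from the Android project: a TLS alert of type unknown_ca is sent by the peer that rejected a certificate chain, so in the trace above it is the server rejecting the chain the client presented. The class below builds the mutual-TLS SSLContext from the same AndroidKeyStore aliases the question uses ("Client" for the key pair, "Server" for the CA certificate) but replaces the hand-written X509TrustManager with the platform PKIX TrustManagerFactory over an in-memory trust store, and adds a local check that reports exactly what the X509KeyManager will send to the server (chosen alias, chain length, subject/issuer of each certificate, and whether the leaf is really signed by the stored CA). The class name and method names are my own; the keystore type, aliases and JSSE calls are standard.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Illustrative helper (not part of the question's code). */
public final class KeyStoreTlsCheck {

    private static final String CLIENT_ALIAS = "Client"; // alias used in the question
    private static final String CA_ALIAS = "Server";     // alias used in the question

    /** SSLContext for mutual TLS built entirely from AndroidKeyStore entries. */
    public static SSLContext buildContext() throws Exception {
        KeyStore aks = KeyStore.getInstance("AndroidKeyStore");
        aks.load(null);

        // Trust store: only the stored CA certificate, validated by the platform PKIX
        // TrustManager (expiry, signatures, basic constraints) rather than custom code.
        Certificate ca = aks.getCertificate(CA_ALIAS);
        if (ca == null) throw new IllegalStateException("no CA certificate under alias " + CA_ALIAS);
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Key manager backed by AndroidKeyStore: the private key never leaves the keystore,
        // the handshake signature is delegated to it.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(aks, null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Reports what the key manager will present as the client chain. A server answering
     * with alert unknown_ca is rejecting this chain, so verify it locally first:
     * is an alias chosen at all, is the full chain present, is the leaf issued by the CA?
     */
    public static String describeClientChain() throws Exception {
        KeyStore aks = KeyStore.getInstance("AndroidKeyStore");
        aks.load(null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(aks, null);

        X509Certificate ca = (X509Certificate) aks.getCertificate(CA_ALIAS);
        StringBuilder out = new StringBuilder();
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager xkm = (X509KeyManager) km;

            // Same selection the handshake performs when the server requests an RSA client cert
            String alias = xkm.chooseClientAlias(new String[] {"RSA"}, null, null);
            out.append("chosen alias: ").append(alias).append('\n');
            if (alias == null) continue;

            X509Certificate[] chain = xkm.getCertificateChain(alias);
            int len = (chain == null) ? 0 : chain.length;
            out.append("chain length: ").append(len).append('\n');
            if (len == 0) continue;
            for (X509Certificate c : chain) {
                out.append("  subject=").append(c.getSubjectX500Principal())
                   .append(" issuer=").append(c.getIssuerX500Principal()).append('\n');
            }

            // The leaf must name the stored CA as issuer and carry a signature it can verify
            X509Certificate leaf = chain[0];
            boolean issuerMatches = ca != null
                    && leaf.getIssuerX500Principal().equals(ca.getSubjectX500Principal());
            boolean signatureOk = false;
            if (ca != null) {
                try { leaf.verify(ca.getPublicKey()); signatureOk = true; }
                catch (Exception e) { signatureOk = false; }
            }
            out.append("leaf issued by stored CA: ").append(issuerMatches && signatureOk).append('\n');
        }
        return out.toString();
    }
}
```

Call describeClientChain() once after the import step and log the result: if the chosen alias is null or the chain has only the leaf while the server expects the intermediate, the AndroidKeyStore import, not the TLS configuration, is where to look. Note that neither a TrustManager nor a KeyManager performs hostname verification; that remains the job of HttpsURLConnection or the HostnameVerifier the socket user installs.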

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0