I save the RSA client keys and CA certificate in `AndroidKeyStore` for later retrieval and creation of the SSL context. When I try to establish an SSL connection, I get `javax.net.ssl.SSLHandshakeException: Handshake failed`.

If I use a `PKCS12` `KeyStore` instead of `AndroidKeyStore`, then the SSL connection is successful. But in the `PKCS12` repository I can't save the keys, unlike `AndroidKeyStore`; I have to download them every time I connect. I suspect that the problem is that in `PKCS12` and `AndroidKeyStore` keys and certificates are stored in different formats. How can I solve this problem?
```java
import android.util.Log;

import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// mCertPKCS12 (an InputStream over the downloaded .p12) and password are fields of the surrounding class.
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);

// First run: copy the client key entry and the server certificate from the PKCS12 file
// into AndroidKeyStore so they survive across connections.
if (!keyStore.containsAlias("Client")) {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(mCertPKCS12, password.toCharArray());
    keyStore.setEntry("Client", ks.getEntry("Client", null), null);
    keyStore.setEntry("Server", ks.getEntry("Server", null), null);
}

// Read the entries back out of AndroidKeyStore and log what was stored.
KeyStore.PrivateKeyEntry keyClient = (KeyStore.PrivateKeyEntry) keyStore.getEntry("Client", null);
if (keyClient != null) {
    Log.d("###", "keyClient=" + keyClient.toString());
}
Certificate certClient = keyClient.getCertificate();
if (certClient != null) {
    Log.d("###", "certClient=" + certClient.toString());
}
final Certificate certServer = keyStore.getCertificate("Server");
if (certServer != null) {
    Log.d("###", "certServer=" + certServer.toString());
}

// Build a TrustManager that trusts only the server certificate:
// every certificate the server presents must verify against the stored server certificate's public key.
TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Not used on the client side of the connection.
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        for (int j = 0; j < chain.length; j++) {
            chain[j].checkValidity();
            try {
                chain[j].verify(certServer.getPublicKey());
            } catch (NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException e) {
                e.printStackTrace();
                throw new CertificateException(e.getMessage());
            }
        }
    }

    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
};

String defaultAlg = KeyManagerFactory.getDefaultAlgorithm();
Log.d("aaa", "default cypher algorithm: " + defaultAlg);

// Build a KeyManager for client auth from the AndroidKeyStore entries.
KeyManagerFactory kmf = KeyManagerFactory.getInstance(defaultAlg);
kmf.init(keyStore, null);

SSLContext sslc = SSLContext.getInstance("TLS");
sslc.init(kmf.getKeyManagers(), new TrustManager[]{tm}, null);
```
```
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x72c004a240: Failure in SSL library, usually a protocol error
2019-10-04 11:07:23.042 21015-21174/xxx.xxx.xxx W/System.err: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (external/boringssl/src/ssl/tls_record.cc:579 0x72c00149c0:0x00000001)
2019-10-04 11:07:23.043 21015-21174/xxx.xxx.xxx W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
2019-10-04 11:07:23.043 21015-21174/xxx.xxx.xxx W/System.err:     at com.android.org.conscrypt.SslWrapper.doHandshake(SslWrapper.java:374)
2019-10-04 11:07:23.043 21015-21174/xxx.xxx.xxx W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:217)
```
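The `TLSV1_ALERT_UNKNOWN_CA` line reported from `tls_record.cc` is an alert the client received from the server, so it is the server that could not build the client's certificate chain up to a CA it trusts. The following diagnostic helper is an added example (not code from the question): it prints the chain a `KeyStore` holds under an alias next to the chain the `X509KeyManager` built from that `KeyStore` would actually send, so the `AndroidKeyStore` and `PKCS12` paths can be compared directly. The class name and method names are assumptions; the usage comments assume the question's `keyStore`, `ks`, `password` and alias `"Client"`.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added diagnostic helper (hypothetical name), not code from the question.
public final class ClientChainCheck {

    // One line per certificate, leaf first: subject and issuer.
    static String describe(Certificate[] chain) {
        if (chain == null || chain.length == 0) return "<no chain>\n";
        StringBuilder sb = new StringBuilder();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            sb.append("subject=").append(x.getSubjectX500Principal())
              .append("  issuer=").append(x.getIssuerX500Principal()).append('\n');
        }
        return sb.toString();
    }

    // Chain as stored in the KeyStore (what load()/setEntry() actually kept for the alias).
    public static String storedChain(KeyStore ks, String alias) throws Exception {
        return describe(ks.getCertificateChain(alias));
    }

    // Chain as the KeyManager would present it during client authentication.
    // keyPassword is null for AndroidKeyStore and the .p12 password for a PKCS12 KeyStore.
    public static String presentedChain(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return describe(((X509KeyManager) km).getCertificateChain(alias));
            }
        }
        return "<no X509KeyManager>\n";
    }

    // Usage, assuming the question's keyStore (AndroidKeyStore), ks (PKCS12) and password:
    //   Log.d("###", "AndroidKeyStore stored:\n"    + storedChain(keyStore, "Client"));
    //   Log.d("###", "AndroidKeyStore presented:\n" + presentedChain(keyStore, "Client", null));
    //   Log.d("###", "PKCS12 stored:\n"             + storedChain(ks, "Client"));
    //   Log.d("###", "PKCS12 presented:\n"          + presentedChain(ks, "Client", password.toCharArray()));
}
```

A chain that ends at the leaf in one output and at the CA in the other tells you the two stores are not handing the KeyManager the same material, which is exactly what the server's unknown_ca alert is reacting to.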