Ok, let's look... 1) Java java version "1.7.0_25" Java(TM) SE Runtime Environment (build 1.7.0_25-b17) Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)
Funny thing - getClientAliases is never called, but chooseClientAlias picks proper alias anyway chooseClientAlias([RSA, DSA, EC], [EMAILADDRESS=some.em...@gmail.com, CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) Client alias: some-alias Private Key: RSA Private CRT Key ===== got successful response from server 2) Android emulator (Intel Atom x86) and Fly IQ256 Android 2.3.3 and Android 2.3.6 chooseClientAlias([RSA, DSA, EC], [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) Client alias: some-alias Private Key: RSA Private CRT Key ===== got successful response from server !!! But !!! There is one very funny thing - trying to print chain with Arrays.toString(keyManager.getCertificateChain(alias)) results in exception: 09-26 18:00:12.410: E/GetUserProfileLoader(1852): java.lang.RuntimeException: algorithm identifier 1.2.840.10045.2.1 in key not recognised 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at org.bouncycastle.jce.provider.JDKKeyFactory.createPublicKeyFromPublicKeyInfo(JDKKeyFactory.java:279) 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at org.bouncycastle.jce.provider.X509CertificateObject.getPublicKey(X509CertificateObject.java:518) 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at org.bouncycastle.jce.provider.X509CertificateObject.toString(X509CertificateObject.java:622) 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at java.lang.StringBuilder.append(StringBuilder.java:203) 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at java.util.Arrays.toString(Arrays.java:2358) 3) Asus Nexus 7 Android 4.2.2 (CyanogenMod) chooseClientAlias([RSA, DSA, EC], [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) chooseClientAlias=null ==== failed on javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x68a638a8: Failure in SSL library, usually a protocol error error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (external/openssl/ssl/s3_pkt.c:1290 0x683bf648:0x00000003) 4) Genymotion Nexus S Android 4.2.2 chooseClientAlias([RSA, DSA, EC], [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) chooseClientAlias=null ==== failed on javax.net.ssl.SSLException: Connection closed by peer at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method) P.S. FlyIQ256 has enabled by default NativeCrypto debug output so i've attached it 2013/9/26 Brian Carlstrom <b...@google.com> > What arguments are being passed to getClientAliases for the keyType > and issuers? If your server is sending issuers that don't include the > issuer of the certs in your KeyStore, you will get null. If keyType is > null, it also return null. > > Looking at the history of the code, it changed in 3.0 to support > elliptic curve. I also added tests at this time to try and make sure > we match the reference implementation. The SSLSocket implementation > changed a lot in 2.3, so 2.x too vague to know if it is due to > potential changes to how the SSLSocket calls the key manager. > > -bri > > On Wed, Sep 25, 2013 at 3:18 AM, Olexandr Tereshchuk <riv...@gmail.com> > wrote: > > I faced the problem described here at first > > > http://stackoverflow.com/questions/18824733/sslcontext-and-pkcs12-keystore-works-on-jvm-but-not-on-android > > > > But then i've found that connection fails only on 4.x (3.x possibly too > but > > not tested) so lately i created a simple wrapper around X509KeyManager > class > > and the result is that i always get null from getClientAliases and > therefore > > from chooseClientAlias methods and no private key returned(no alias - no > > key) > > > > Have anyone faced same problems ? I believe that new version of > > X509KeyManager behaves properly but i can't understand why there is so > > difference in behavior among JVM + Android 2.* and Android 4.* > > > > **P.S.** There similar problems, i think, guys have here > > > https://groups.google.com/forum/#!topic/android-security-discuss/Qhoy401dsRI > > or > > > http://stackoverflow.com/questions/8776952/ssl-client-authentication-broken-in-android-4-0 > > but it hard to say what was the working solution of their problem. The > > quickest solution i've found is just to return hardcoded alias in > > chooseClientAlias but it's kinda lame :) > > > > **P.S.2** There are tons(!), literally tons of articles how to trust > > self-signed certificate but only a few about keystores... guys c'mon. I > wish > > DevBytes come up another day with some SSL\Encryption talk instead of > > another animation thing... :) > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Android Security Discussions" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to android-security-discuss+unsubscr...@googlegroups.com. > > To post to this group, send email to > > android-security-discuss@googlegroups.com. > > Visit this group at > http://groups.google.com/group/android-security-discuss. > > For more options, visit https://groups.google.com/groups/opt_out. > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
09-26 21:06:40.565: I/System.out(1432): /188.40.208.179:5062(0) 09-26 21:06:40.565: I/OSNetworkSystem(1432): OSNetworkSystem_connect fd=-1; timeout = 60000 09-26 21:06:40.600: I/Settings/BW(475): ReadCodeTask:TimerTask: ReadCodeTask.run() 09-26 21:06:40.600: I/Settings/BW(475): ReadCodeTask:sendWarningMessage() called. 09-26 21:06:40.601: I/Settings/BW(475): ReadCodeTask:line content: 0 09-26 21:06:40.601: I/Settings/BW(475): ReadCodeTask:notify code is 0 09-26 21:06:40.601: I/Settings/BW(475): ReadCodeTask:getWarningMessage() called.Event: 0 09-26 21:06:40.634: I/System.out(1432): Socket[addr=/0.0.0.0,port=0,localport=43842] 09-26 21:06:40.645: D/NativeCrypto(1432): ssl=0x279568 NativeCrypto_SSL_do_handshake fd=0x405743a8 shc=0x40574288 timeout=0 client_mode=1 09-26 21:06:40.645: D/NativeCrypto(1432): doing handshake ++ 09-26 21:06:40.646: D/NativeCrypto(1432): doing handshake -- ret=-1 09-26 21:06:40.646: D/NativeCrypto(1432): ssl=0x279568 NativeCrypto_SSL_do_handshake ret=-1 errno=11 sslError=2 timeout=0 09-26 21:06:40.647: D/NativeCrypto(1432): sslSelect type=READ fd=48 appData=0x27e8b0 timeout=0 09-26 21:06:40.695: D/NativeCrypto(1432): sslSelect READ fd=48 appData=0x27e8b0 timeout=0 => 1 09-26 21:06:40.695: D/NativeCrypto(1432): doing handshake ++ 09-26 21:06:40.717: D/123123(1432): chooseClientAlias([RSA, DSA, EC], [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) 09-26 21:06:40.726: D/123123(1432): chooseClientAlias=some-alias 09-26 21:06:40.730: D/123123(1432): pk=RSA Private CRT Key 09-26 21:06:40.730: D/123123(1432): modulus: c86020912d3496fc8364e3af9ae4a4eaaa95bb06f7816361ad8ad1d05d2111dbcda00f2c0da14c774919173d65db1eb5ed2180e397277ca8f7578fa10cddcccae0195ea0632da7f2cbf745f933cde7cdef5807833bcb095aa21a74b10c4d19b4987621787441e73b985d6277a91665eab229831905e96af97d0ac3004f4f4dcd 09-26 21:06:40.730: D/123123(1432): public exponent: 10001 09-26 21:06:40.730: D/123123(1432): private exponent: 566bef5fee29627da2861f159c2ec55a591c9f3fcffc444adab8a6e9c16103fcd361176a1eaed4f615d6f6890aa7494599f2fb4e2de16008d83531c37a7327620d51a002419638007ee048f04ed0d9988497d22bcaa4955724ebad9b11fb16cbd8b20bfc554168272514c9b2a19e4556281215e786a6a5728e9e87bdafacab01 09-26 21:06:40.730: D/123123(1432): primeP: ed9a73c2a33e8391345632d896070d4199645a6dac7424e0be1b958b730ac1979638f9a3ba45a1bf70afeacfc9b58aa330d539f86b1a9f589325b001470c83a1 09-26 21:06:40.730: D/123123(1432): primeQ: d7e3c7beb4e60d83ed84592198bfb1f171c0d2ffe37df214fa28c3844ced4688dca770b2dc62b59a774e45f067dfe0fb32a434074b8136bde072a105f4fc1aad 09-26 21:06:40.730: D/123123(1432): primeExponentP: 75c088c41a20de153529cef3158f131bc28840648005e34cda0a53979380ee2650d595aa75a312a10c98b2371e10f14f24e157646cb7f9e66cae4dc6a44e6861 09-26 21:06:40.730: D/123123(1432): primeExponentQ: 9e0b5149ea125428957382f0966b173042ef3f4836d917a485b1dbd7f99ce63b0115ceea116e6db5e3cb386613151115b3f0036aa7bab341739357100e55948d 09-26 21:06:40.730: D/123123(1432): crtCoefficient: 667da7fc90843b7694cfa9dec13e5daf7cae61c03692e900278259892d5270caa83f3e2a2db8de21b6dd541a7a8134e1c176f7e618bbc7c4efea924d1b4374a7 09-26 21:06:40.758: D/NativeCrypto(1432): doing handshake -- ret=1 09-26 21:06:40.775: D/NativeCrypto(1432): Entering sslWrite(), caller requests to write 32 bytes... 09-26 21:06:40.775: D/NativeCrypto(1432): Doing SSL_write() with 32 bytes to go ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.775: D/NativeCrypto(1432): Returned from SSL_write() with result 32, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.775: D/NativeCrypto(1432): Successfully wrote 32 bytes 09-26 21:06:40.775: D/NativeCrypto(1432): Entering sslRead, caller requests to read 32 bytes timeout=0... 09-26 21:06:40.775: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.775: D/NativeCrypto(1432): Returned from SSL_Read() with result -1, error code 2 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.776: D/NativeCrypto(1432): sslSelect type=READ fd=48 appData=0x27e8b0 timeout=0 09-26 21:06:40.854: D/NativeCrypto(1432): sslSelect READ fd=48 appData=0x27e8b0 timeout=0 => 1 09-26 21:06:40.854: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.855: D/NativeCrypto(1432): Returned from SSL_Read() with result -1, error code 2 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.855: D/NativeCrypto(1432): sslSelect type=READ fd=48 appData=0x27e8b0 timeout=0 09-26 21:06:40.904: D/NativeCrypto(1432): sslSelect READ fd=48 appData=0x27e8b0 timeout=0 => 1 09-26 21:06:40.904: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.904: D/NativeCrypto(1432): Returned from SSL_Read() with result 32, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.919: D/NativeCrypto(1432): Entering sslWrite(), caller requests to write 1 bytes... 09-26 21:06:40.919: D/NativeCrypto(1432): Doing SSL_write() with 1 bytes to go ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.920: D/NativeCrypto(1432): Returned from SSL_write() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.920: D/NativeCrypto(1432): Successfully wrote 1 bytes 09-26 21:06:40.920: D/NativeCrypto(1432): Entering sslWrite(), caller requests to write 1 bytes... 09-26 21:06:40.920: D/NativeCrypto(1432): Doing SSL_write() with 1 bytes to go ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.920: D/NativeCrypto(1432): Returned from SSL_write() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.920: D/NativeCrypto(1432): Successfully wrote 1 bytes 09-26 21:06:40.921: D/NativeCrypto(1432): Entering sslWrite(), caller requests to write 1 bytes... 09-26 21:06:40.921: D/NativeCrypto(1432): Doing SSL_write() with 1 bytes to go ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.921: D/NativeCrypto(1432): Returned from SSL_write() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.921: D/NativeCrypto(1432): Successfully wrote 1 bytes 09-26 21:06:40.921: D/NativeCrypto(1432): Entering sslWrite(), caller requests to write 1 bytes... 09-26 21:06:40.921: D/NativeCrypto(1432): Doing SSL_write() with 1 bytes to go ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.921: D/NativeCrypto(1432): Returned from SSL_write() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.921: D/NativeCrypto(1432): Successfully wrote 1 bytes 09-26 21:06:40.922: D/NativeCrypto(1432): Entering sslWrite(), caller requests to write 4 bytes... 09-26 21:06:40.922: D/NativeCrypto(1432): Doing SSL_write() with 4 bytes to go ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.922: D/NativeCrypto(1432): Returned from SSL_write() with result 4, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.922: D/NativeCrypto(1432): Successfully wrote 4 bytes 09-26 21:06:40.922: D/NativeCrypto(1432): Entering sslRead, caller requests to read 1 bytes timeout=0... 09-26 21:06:40.922: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.922: D/NativeCrypto(1432): Returned from SSL_Read() with result -1, error code 2 ssl=0x279568, appData=0x27e8b0 09-26 21:06:40.923: D/NativeCrypto(1432): sslSelect type=READ fd=48 appData=0x27e8b0 timeout=0 09-26 21:06:41.054: D/NativeCrypto(1432): sslSelect READ fd=48 appData=0x27e8b0 timeout=0 => 1 09-26 21:06:41.054: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.054: D/NativeCrypto(1432): Returned from SSL_Read() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.055: D/NativeCrypto(1432): Entering sslRead, caller requests to read 1 bytes timeout=0... 09-26 21:06:41.055: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.055: D/NativeCrypto(1432): Returned from SSL_Read() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.055: D/NativeCrypto(1432): Entering sslRead, caller requests to read 1 bytes timeout=0... 09-26 21:06:41.055: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.055: D/NativeCrypto(1432): Returned from SSL_Read() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.055: D/NativeCrypto(1432): Entering sslRead, caller requests to read 1 bytes timeout=0... 09-26 21:06:41.055: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.055: D/NativeCrypto(1432): Returned from SSL_Read() with result 1, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.056: D/NativeCrypto(1432): Entering sslRead, caller requests to read 6 bytes timeout=0... 09-26 21:06:41.056: D/NativeCrypto(1432): Doing SSL_Read() ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.056: D/NativeCrypto(1432): Returned from SSL_Read() with result 6, error code 0 ssl=0x279568, appData=0x27e8b0 09-26 21:06:41.061: I/System.out(1432): close [socket][/0.0.0.0:43842]
