On Thu, Sep 26, 2013 at 11:17 AM, Olexandr Tereshchuk <riv...@gmail.com>wrote:
> Ok, let's look... > 1) Java > java version "1.7.0_25" > Java(TM) SE Runtime Environment (build 1.7.0_25-b17) > Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode) > > Funny thing - getClientAliases is never called, but chooseClientAlias > picks proper alias anyway > chooseClientAlias([RSA, DSA, EC], [EMAILADDRESS=some.em...@gmail.com, > CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) > Client alias: some-alias > Private Key: RSA Private CRT Key > ===== got successful response from server > > 2) Android emulator (Intel Atom x86) and Fly IQ256 > Android 2.3.3 and Android 2.3.6 > > chooseClientAlias([RSA, DSA, EC], > [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, > CN=some, OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) > Client alias: some-alias > Private Key: RSA Private CRT Key > ===== got successful response from server > > !!! But !!! > There is one very funny thing - trying to print chain with > Arrays.toString(keyManager.getCertificateChain(alias)) results in exception: > 09-26 18:00:12.410: E/GetUserProfileLoader(1852): > java.lang.RuntimeException: algorithm identifier 1.2.840.10045.2.1 in key > not recognised > 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at > org.bouncycastle.jce.provider.JDKKeyFactory.createPublicKeyFromPublicKeyInfo(JDKKeyFactory.java:279) > 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at > org.bouncycastle.jce.provider.X509CertificateObject.getPublicKey(X509CertificateObject.java:518) > 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at > org.bouncycastle.jce.provider.X509CertificateObject.toString(X509CertificateObject.java:622) > 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at > java.lang.StringBuilder.append(StringBuilder.java:203) > 09-26 18:00:12.410: E/GetUserProfileLoader(1852): at > java.util.Arrays.toString(Arrays.java:2358) > That OID is for an EC key. Would it be possible for you to put you test keys and certificates somewhere so the chain can be examined? It's possible that the signature OID for the CA is preventing a match for some reason. > 3) Asus Nexus 7 > Android 4.2.2 (CyanogenMod) > > chooseClientAlias([RSA, DSA, EC], > [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, > CN=some, > OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) > chooseClientAlias=null > ==== failed on > javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: > SSL handshake terminated: ssl=0x68a638a8: Failure in SSL library, usually a > protocol error > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure > (external/openssl/ssl/s3_pkt.c:1290 0x683bf648:0x00000003) > The server rejected the handshake since no certificate was sent by the client. Nothing surprising here. > 4) Genymotion Nexus S > Android 4.2.2 > > chooseClientAlias([RSA, DSA, > EC], > [OID.1.2.840.113549.1.9.1=#161B616C6578616E6465722E766F65766F646140676D61696C2E636F6D, > CN=some, > OU=CA, O=Company, L=Kiev, ST=Kiev, C=UA]) > chooseClientAlias=null > ==== failed on > javax.net.ssl.SSLException: Connection closed by peer > at > org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native > Method) > > > P.S. FlyIQ256 has enabled by default NativeCrypto debug output so i've > attached it > > > 2013/9/26 Brian Carlstrom <b...@google.com> > >> What arguments are being passed to getClientAliases for the keyType >> and issuers? If your server is sending issuers that don't include the >> issuer of the certs in your KeyStore, you will get null. If keyType is >> null, it also return null. >> >> Looking at the history of the code, it changed in 3.0 to support >> elliptic curve. I also added tests at this time to try and make sure >> we match the reference implementation. The SSLSocket implementation >> changed a lot in 2.3, so 2.x too vague to know if it is due to >> potential changes to how the SSLSocket calls the key manager. >> >> -bri >> >> On Wed, Sep 25, 2013 at 3:18 AM, Olexandr Tereshchuk <riv...@gmail.com> >> wrote: >> > I faced the problem described here at first >> > >> http://stackoverflow.com/questions/18824733/sslcontext-and-pkcs12-keystore-works-on-jvm-but-not-on-android >> > >> > But then i've found that connection fails only on 4.x (3.x possibly too >> but >> > not tested) so lately i created a simple wrapper around X509KeyManager >> class >> > and the result is that i always get null from getClientAliases and >> therefore >> > from chooseClientAlias methods and no private key returned(no alias - no >> > key) >> > >> > Have anyone faced same problems ? I believe that new version of >> > X509KeyManager behaves properly but i can't understand why there is so >> > difference in behavior among JVM + Android 2.* and Android 4.* >> > >> > **P.S.** There similar problems, i think, guys have here >> > >> https://groups.google.com/forum/#!topic/android-security-discuss/Qhoy401dsRI >> > or >> > >> http://stackoverflow.com/questions/8776952/ssl-client-authentication-broken-in-android-4-0 >> > but it hard to say what was the working solution of their problem. The >> > quickest solution i've found is just to return hardcoded alias in >> > chooseClientAlias but it's kinda lame :) >> > >> > **P.S.2** There are tons(!), literally tons of articles how to trust >> > self-signed certificate but only a few about keystores... guys c'mon. I >> wish >> > DevBytes come up another day with some SSL\Encryption talk instead of >> > another animation thing... :) >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups >> > "Android Security Discussions" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an >> > email to android-security-discuss+unsubscr...@googlegroups.com. >> > To post to this group, send email to >> > android-security-discuss@googlegroups.com. >> > Visit this group at >> http://groups.google.com/group/android-security-discuss. >> > For more options, visit https://groups.google.com/groups/opt_out. >> > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to android-security-discuss+unsubscr...@googlegroups.com. > To post to this group, send email to > android-security-discuss@googlegroups.com. > Visit this group at > http://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/groups/opt_out. > -- Kenny Root -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
