SSL client authentication

by mastergap » Fri, 03 Sep 2010 20:10:11 GMT

Hi, I'm developing a simple app that is an Android client that
communicates with a server on an SSL socket. Everything works fine,
but when I add to the ServerSocket running on my server PC the option
setNeedClientAuth the client can't connect; in particular I get
this exception on the server:

    null cert chain

The same code executed in a normal Java app on a PC works fine!

Here I post the code of the server:

/* Copyright (c) 2005 by Dr. Herong Yang (SslReverseEchoer example),
   adapted to BKS keystores and client authentication as described above.
   The original read ksName/ksPass/ctPass from args; here the file names
   and the password are hard-coded. Assumes bcprov.jar on the classpath
   so that a standard JVM can read the BKS format. */
import java.io.*;
import java.security.*;
import javax.net.ssl.*;

public class SslReverseEchoer {
    public static void main(String[] args) {
        try {
            // Register BouncyCastle for the BKS keystore type.
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
            KeyStore ks = KeyStore.getInstance("BKS");
            ks.load(new FileInputStream("serverkeys2.bks"), "password".toCharArray());
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, "password".toCharArray());
            // Truststore holding the client's certificate, loaded programmatically
            // instead of via the javax.net.ssl.trustStore system property.
            // The password is assumed to be the same as for the keystore.
            KeyStore ts = KeyStore.getInstance("BKS");
            ts.load(new FileInputStream("servertrust.bks"), "password".toCharArray());
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            SSLServerSocketFactory ssf = sc.getServerSocketFactory();
            SSLServerSocket s = (SSLServerSocket) ssf.createServerSocket(8888);
            s.setNeedClientAuth(true);   // the option that triggers "null cert chain"
            SSLSocket c = (SSLSocket) s.accept();
            BufferedWriter w = new BufferedWriter(
                new OutputStreamWriter(c.getOutputStream()));
            BufferedReader r = new BufferedReader(
                new InputStreamReader(c.getInputStream()));
            String m = "Welcome to SSL Reverse Echo Server." +
                " Please type in some words.";
            w.write(m, 0, m.length());
            w.newLine();
            w.flush();
            while ((m = r.readLine()) != null) {
                if (m.equals(".")) break;
                char[] a = m.toCharArray();
                int n = a.length;
                for (int i = 0; i < n / 2; i++) {   // reverse the line in place
                    char t = a[i];
                    a[i] = a[n - 1 - i];
                    a[n - i - 1] = t;
                }
                w.write(a, 0, n);
                w.newLine();
                w.flush();
            }
            w.close();
            r.close();
            c.close();
            s.close();
        } catch (Exception e) {
            System.err.println(e.toString());
        }
    }
}

SSL client authentication

by mastergap » Sat, 04 Sep 2010 12:02:41 GMT

No, I didn't. I'm new to SSL programming. I'll tell you exactly what I've
done. I made two keystores, clientkeys.bks and serverkeys, with
keytool, respectively with a certificate for the client and one for
the server. After that I extracted the certificates from the keystores just
created and imported them respectively into two new keystores
(servertrust and clienttrust.bks) that I use as truststores. If I do
this procedure, using keystores and truststores on a Java server app and
a Java client app on two different computers, everything is OK, but if
the client is an Android system (an emulator on another PC or a phone)
I get the SSLHandshakeException.



SSL client authentication

by Brian Carlstrom » Sat, 04 Sep 2010 18:14:08 GMT


The problem doesn't seem to be that the device does not trust the server
root (although the client code is making its own trust manager, which is
presumably to trust the server cert chain, which presumably would be to
address this).

The problem is curious since it is the server complaining about the client
and the code apparently worked okay with a host client, so that is why I was
focusing on the contents of the client key store as seen in the program and
what is sent on the wire.

I think there might be some known issues on older releases about only sending
the cert with its chain. If it's signed by an intermediate, you'd have to
work around it on the server by trusting the intermediate.



SSL client authentication

by Brian Carlstrom » Sat, 04 Sep 2010 18:14:08 GMT


Is the PC version using a BKS or JKS keystore? Perhaps there is a problem with
the BKS file? It might be worth just iterating through the entries and
printing them out, including the certificate chain of the private key entry.

> It's two days that I break my head on this thing... I hope that someone

I would use Wireshark to look and see what is in the Certificate message
from the client to the server.
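The keystore walk Brian suggests, written out as an added example (not code from the thread): a small Java tool that lists every entry of a BKS, JKS or PKCS12 keystore with the private key's algorithm and its certificate chain, which is where the thread's real problem (the key algorithm) would show up. File name, store type and passwords are command-line arguments; the BouncyCastle provider is loaded by reflection for BKS, so bcprov.jar must be on the classpath in that case.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Usage: java KeyStoreDump <file> <BKS|JKS|PKCS12> <storepass> [keypass]
public class KeyStoreDump {
    public static void main(String[] args) throws Exception {
        String file = args[0], type = args[1];
        char[] storePass = args[2].toCharArray();
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;
        if (type.equalsIgnoreCase("BKS")) {
            // BKS is a BouncyCastle format: register the provider (bcprov.jar on
            // the classpath) without compiling against it.
            Security.addProvider((Provider) Class
                .forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                .getDeclaredConstructor().newInstance());
        }
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(file);
        try { ks.load(in, storePass); } finally { in.close(); }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Key key = ks.getKey(alias, keyPass);
                Certificate[] chain = ks.getCertificateChain(alias);
                int len = chain == null ? 0 : chain.length;
                // What to look for: a key entry with no chain, or a key algorithm
                // (e.g. keytool's default DSA) other than the RSA the server expects.
                System.out.println("key entry " + alias + ": " + key.getAlgorithm()
                    + ", chain length " + len);
                for (int i = 0; i < len; i++) describe("    ", chain[i]);
            } else {
                System.out.println("trusted cert " + alias);
                describe("    ", ks.getCertificate(alias));
            }
        }
    }

    static void describe(String indent, Certificate c) {
        if (!(c instanceof X509Certificate)) { System.out.println(indent + c.getType()); return; }
        X509Certificate x = (X509Certificate) c;
        boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
        System.out.println(indent + "subject=" + x.getSubjectX500Principal()
            + " issuer=" + x.getIssuerX500Principal() + " sigalg=" + x.getSigAlgName()
            + " keyalg=" + x.getPublicKey().getAlgorithm() + (selfSigned ? " [self-signed]" : ""));
    }
}
```

Running it against both the server's truststore and the client's keystore shows at once whether the client alias carries a chain and whether the algorithms on both sides agree.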



SSL client authentication

by mastergap » Sun, 05 Sep 2010 14:10:16 GMT

Thank you. The PC version uses a JKS keystore, so to check if the
problem is related to BKS keystores I will try to use BKS also in the
PC version. Anyway, I didn't understand if there is a way to solve my
problem, or if you have tried to reproduce my code and if you've
found a solution. Thanks a lot. Tomorrow I will post the logcat output
if you want, because the problem is on the client side during the
handshake; in fact if I take off the needClientAuth option the client
receives the server's certificate and I can see the server identity
information in the client's output.


SSL client authentication

by Brian Carlstrom » Mon, 06 Sep 2010 04:39:16 GMT


I believe there is a way to solve your problem. I know
people successfully use client certificates on Android, such as in the
Nitrodesk Touchdown app for Exchange server authentication in Eclair and
possibly earlier. There were some bugs in early versions of Froyo. I don't
think you mentioned what version you are using.

But no, I haven't tried to reproduce anything with your code, just giving
suggestions on how to debug.



SSL client authentication

by mastergap » Mon, 06 Sep 2010 06:48:35 GMT

> There were some bugs in early versions of Froyo. I don't

You're right, I'm using the 2.1-update1 version. Another simple question:
is it right to create client certificates with keytool with
"Keytool -genkey -keystore clientkeys -alias client -storetype BKS
-provider org.bouncy... -providerpath ..."?


SSL client authentication

by Brian Carlstrom » Mon, 06 Sep 2010 07:00:18 GMT

Here are some notes I had for a self signed client cert on Ubuntu for

# For device client certificate (doesn't seem to work on 64-bit):

    /usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -keyalg RSA \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath /usr/share/java/bcprov.jar -storetype BKS -keystore client.bks \
        -storepass password -keypass password \
        -dname 'CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown' \
    && /usr/lib/jvm/java-6-openjdk/bin/keytool -selfcert \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath /usr/share/java/bcprov.jar -storetype BKS -keystore client.bks \
        -storepass password -keypass password

I'm guessing you are on Windows from the "Keytool" capitalization, but the
arguments should be the same even if the path names are not.

For more serious testing I have some Java code that generates a longer test
keychain with root CA, intermediate CA, and client cert that is not
generated with the command line but instead with X509V3CertificateGenerator,
which is why I don't have an example command line for that handy. There is
some discussion of using X509V3CertificateGenerator here: +Public+Key+Certificate+and+Certification+Request+Generation



SSL client authentication

by mastergap » Mon, 06 Sep 2010 09:44:02 GMT

Ok, thanks a lot! I solved my problem; I made some mistakes creating
certificates. I followed a guide in an IBM tutorial and I was deceived
by the fact that that code worked fine on a standard Java client app.
I didn't run the keytool -selfcert command on the client keystore
previously made. Executing this command I generate a correct
self-signed certificate and all works fine. When I finish writing
my test code I will post a small step-by-step guide to working with SSL
sockets in client-server applications on Android, considering that
there's nothing clear on the web about this, and many of my problems
were caused by picking fragmentary information from different places
and joining it together. Thanks a lot again, your help was crucial
for me, thanks and thanks again.


SSL client authentication

by mastergap » Mon, 06 Sep 2010 15:13:49 GMT

I made a lot of tests and I understand what the problem is: the key
encryption algorithm. It must be RSA. I made all certificates with
keytool without specifying the algorithm with the -keyalg option, and
by default keytool uses SHA1withDSA, and on Android this causes
the client to be unable to authenticate itself, I don't know why.
Maybe it's the BKS keystore format, I don't know.
So the step-by-step guide to working with SSL sockets on Android is very
- the keytool -selfcert command is useless; this fact is also reported
  in the keytool usage guide
- keystore and truststore properties must be declared programmatically
  (information on how to do this can be found in an IBM tutorial on
  custom sockets)
- the keystore on Android must be in BKS format. To make it you have to
  download the bouncycastle jar from the bouncycastle site and use it as a
  provider in keytool:
      keytool -provider org.bouncycastle.jce.BouncyCastleProvider -providerpath bcprov-jdk16-145.jar ...
  followed by the usual options of keytool (note that, this way, you have
  to launch keytool in the same directory as bcprov-jdk16-145.jar).
- this way you can create BKS keystores using keytool (there are a lot
  of guides on the web), remembering that you have to use the option
  -keyalg RSA when generating the certificate's keys: keytool -genkey -keyalg


SSL client authentication

by Brian Carlstrom » Tue, 07 Sep 2010 16:41:13 GMT


I'm not aware of any old issues with DSA certs inherently not working, but
most people use RSA.

I know in my later work that DSAs work fine with BKS.

> -the keytool -selfcert command is useless, this fact is reported also
> in the keytool usage guide

Can you give some doc to support this? I thought it was how to turn an
unsigned cert + key into a self signed cert.

> -keystore and truststore properties must be declared programmatically

You can provide these via the SSLContext.init like your code showed.

I know of third party tools using the PKCS12 keystore format or most any KeyStore
implementation supported by Android, not just BKS. JKS is not supported.

I've made and used pkcs12 keystores with the "openssl pkcs12" command.
Others using PKCS12 have used PFX files generated by Microsoft tools.
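The programmatic keystore and truststore setup via SSLContext.init that Brian refers to, as an added example rather than the poster's own client code: a plain Java client that loads the thread's clientkeys.bks and clienttrust.bks, connects to the echo server on port 8888 and reports whether a client certificate was actually presented. The file names, the password "password" and the 10.0.2.2 host are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class SslClientAuthCheck {
    // Builds the context programmatically (no javax.net.ssl.* system properties):
    // key manager from clientkeys.bks, trust manager from clienttrust.bks.
    static SSLContext buildContext(InputStream keys, InputStream trust, char[] pass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("BKS");  // built in on Android; needs bcprov on a JVM
        ks.load(keys, pass);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);                          // assumes keypass == storepass
        KeyStore ts = KeyStore.getInstance("BKS");
        ts.load(trust, pass);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return sc;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "10.0.2.2"; // emulator's alias for the host PC
        char[] pass = "password".toCharArray();
        // On Android open these with getResources().openRawResource(...) instead.
        SSLContext sc = buildContext(new FileInputStream("clientkeys.bks"),
                                     new FileInputStream("clienttrust.bks"), pass);
        SSLSocket s = (SSLSocket) sc.getSocketFactory().createSocket(host, 8888);
        try {
            s.startHandshake();
            // With setNeedClientAuth(true) on the server a missing client cert fails the
            // handshake above; with setWantClientAuth(true) it completes and this is null.
            Certificate[] sent = s.getSession().getLocalCertificates();
            if (sent == null) {
                System.out.println("handshake ok but no client certificate was presented");
            } else {
                X509Certificate c = (X509Certificate) sent[0];
                System.out.println("presented " + c.getSubjectX500Principal()
                    + " (" + c.getPublicKey().getAlgorithm() + ")");
            }
        } catch (SSLHandshakeException e) {
            System.out.println("handshake failed: " + e.getMessage());
        } finally {
            s.close();
        }
    }
}
```

Temporarily switching the server to setWantClientAuth(true) lets the handshake complete, so the null check here shows whether the key manager found a usable entry at all.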



SSL client authentication

by Chris Palmer » Tue, 07 Sep 2010 17:20:51 GMT


This sounds like a great idea! Thanks. Please post a link to your docs
when you finish. :)


SSL client authentication

by Brian Carlstrom » Tue, 07 Sep 2010 17:37:04 GMT

I have a simple example of SSL client certificates in the
attachment to this issue: It was a simple Exchange Active Sync test,
but it shows the basics of



SSL client authentication

by mastergap » Tue, 07 Sep 2010 20:24:45 GMT

> > -the keytool -selfcert command is useless, this fact is reported also

I read this in the usage guide of keytool, man keytool in Ubuntu.

Yes, sorry, I made a mistake. And I made some other tests on the keyalg
option generating certificates with keytool, and if I don't specify this
option with the RSA parameter the server authentication works but the
client authentication fails; but I didn't try specifying the -keyalg
option with parameters different from RSA, I tried just not specifying
the -keyalg option and I saw that DSA is used by default.


SSL client authentication

by Brian Carlstrom » Tue, 07 Sep 2010 21:06:52 GMT


I see, thanks. I ran my stuff on 10.04 and didn't notice that the docs were
installed as a man page and that it says that genkeypair "[w]raps the public
key into an X.509 v3 self-signed certificate".


