Android Question Problems with custom SSL/cert (client-side) X509

Magma

Expert
Licensed User
Longtime User
Hi there...

Well, yesterday everything worked perfectly!

But today I found that there is a problem somewhere... I don't understand where exactly...

Using my custom SSL as described here:


[1]
All worked well, but today I wanted to run my project again and I am getting this:
Exception: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.

I've checked the password from the command line using keytool and it is showing the cert... expiring after 10 years...
So what exactly is needed?... (I've created the JKS through keytool from OpenJDK 19... also tried with Adoptium 21, the same)


[2]
On one phone it is working with the compiled version from yesterday...
but I am getting this in the logs:
ResponseError. Reason: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain, Response:

In Build config... I have this: HU2_ACCEPTALL, HU2_PUBLIC

a) The second question has to do with that... when I am using a custom SSL and client cert for connecting to it... I am calling SetSSLFactory only one time, before all httpjobs - correct?
b) But when in the same project I also have an API and a site with public (paid) SSL - is it possible to connect to them... or is something different needed for those (because SetSSLFactory is already running)?

Actually, an example would help, showing the right position when having 2-3 different types of sites... perhaps the 1st with custom SSL httpjobs, 2-3 httpjobs with public/paid SSL, and the 4th with custom SSL...
 
Solution
Add this line before the "sslfactoryBuilder.RunMethod("withIdentityMaterial", Array(store, password))" line:
B4X:
sslfactoryBuilder.RunMethod("withDefaultTrustMaterial", Null)

This will make it work with known servers. Hopefully it will also work with your custom server.
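
What the added line changes, shown with plain JSSE as an added example (not code from this thread or from the library behind sslfactoryBuilder): the client identity is loaded from the PKCS12 file, and server chains are checked against the platform's default CAs first. It goes one step past the line above by also trusting a single private CA, which is what a self-signed server needs; the class name, method names and file paths are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example. Class, method and file names are assumptions, not from the thread.
public class MixedTrustContext {
    // trustStore == null selects the platform's default CA set.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    static SSLContext build(String p12Path, char[] password, String privateCaPath) throws Exception {
        // Identity material: a wrong password or an unreadable file fails here, in load().
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(p12Path))) { identity.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);
        // Private trust: only the CA (or self-signed certificate) of the custom server.
        KeyStore privateStore = KeyStore.getInstance(KeyStore.getDefaultType());
        privateStore.load(null, null);
        try (InputStream in = Files.newInputStream(Paths.get(privateCaPath))) {
            privateStore.setCertificateEntry("private-ca",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        final X509TrustManager publicTm = trustManagerFor(null);
        final X509TrustManager privateTm = trustManagerFor(privateStore);
        X509TrustManager combined = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try { publicTm.checkServerTrusted(chain, authType); }            // public sites and APIs
                catch (CertificateException e) { privateTm.checkServerTrusted(chain, authType); } // custom server
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                throw new CertificateException("this context is for outgoing connections only");
            }
            public X509Certificate[] getAcceptedIssuers() { return publicTm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { combined }, null);
        return ctx;
    }
}
```

A context built this way accepts chains from public CAs and from the one private CA, so a single socket factory can serve both kinds of hosts while certificate validation stays on.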

Magma

Well... they've sent me a pfx that includes all certs: Root / Intermediate / Leaf... so no need to import anything with keystores...

So I am just converting it...
keytool -importkeystore -srckeystore lic.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype pkcs12

I am giving the same password for source / destination..

I am checking the JKS (created):
keytool -list -v -keystore clientcert.jks -storetype PKCS12 -storepass mypassword

It shows many certificates... and extensions

but I still get the same message:
Caused by: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.
 
Magma

..Hmmm...


Well, I've asked the person on the server side... to send me all the cer, pem files that were created...

1. I've used the full pfx (it has the same password as the JKS I've created) from Postman Desktop Agent... works

2. I am trying to create a JKS from the pfx... same password... the first time it worked... but never again... I tried to create a totally new one with Keystore Explorer from the cer, pem (saving in PKCS12 format), getting wrong password - changed the password (the same)..

3. Created the JKS with Java keytool (as Erel said in the links attached in the first post) and then used Keystore Explorer to include the pem, cer files - also tried creating an alias too... wrong password...

Every time I press clean project.. but I am still getting wrong password! :-(

Any idea will help..

Also I can send the pfx file for checking, if someone knows...

Thanks in advance
 
Magma

I've asked ChatGPT: "convert pfx to java keystore in pkcs12 format"

Answered:
keytool -importkeystore \
-srckeystore yourfile.pfx \
-srcstoretype PKCS12 \
-destkeystore keystore.p12 \
-deststoretype PKCS12

And it worked.
No need to import root / leaf into the P12 file... only convert it from pfx to P12?
 
Magma

I will try to describe all my configuration again...

In Build Configuration: conditional symbols: HU2_ACCEPTALL, HU2_PUBLIC
* I have a self-signed certificate on the server and on the client... but also connections to other normal SSL sites / API

In the Manifest:
B4X:
'This code will be applied to the manifest file during compilation.
'You do not need to modify it in most cases.
'See this link for more information: https://www.b4x.com/forum/showthread.php?p=78136
AddManifestText(
<uses-sdk android:minSdkVersion="24" android:targetSdkVersion="34"/>
<supports-screens android:largeScreens="true"
    android:normalScreens="true"
    android:smallScreens="true"
    android:anyDensity="true"/>)
  
  
SetApplicationAttribute(android:icon, "@drawable/icon")
SetApplicationAttribute(android:label, "$LABEL$")
CreateResourceFromFile(Macro, Themes.LightTheme)
'End of default text.

CreateResourceFromFile(Macro, FirebaseAnalytics.GooglePlayBase) 'add if not already there

'******* google code scanner
AddApplicationText(
<meta-data
      android:name="com.google.mlkit.vision.DEPENDENCIES"
      android:value="barcode_ui"/>
 <activity
            android:name="com.google.mlkit.vision.codescanner.internal.GmsBarcodeScanningDelegateActivity"
            android:exported="false"
            android:screenOrientation="portrait"
           >
  </activity>
)
'*****************

'*********  ML kit **********
AddApplicationText(
 <activity
            android:name="com.google.mlkit.vision.documentscanner.internal.GmsDocumentScanningDelegateActivity"
            android:exported="false"
            android:screenOrientation="portrait"
            android:theme="@android:style/Theme.Black.NoTitleBar.Fullscreen"
             >
        </activity>
         <provider
            android:name="com.google.mlkit.common.internal.MlKitInitProvider"
            android:authorities="${applicationId}.mlkitinitprovider"
            android:exported="false"
            android:initOrder="99" />

        <service
            android:name="com.google.mlkit.common.internal.MlKitComponentDiscoveryService"
            android:directBootAware="true"
            android:exported="false"
             >
            <meta-data
                android:name="com.google.firebase.components:com.google.mlkit.common.internal.CommonComponentRegistrar"
                android:value="com.google.firebase.components.ComponentRegistrar" />
        </service>
)
'******************************

'****** text recognition *****
AddApplicationText(
 <meta-data
          android:name="com.google.mlkit.vision.DEPENDENCIES"
          android:value="ocr" />
)
'**********

'*********  ML kit + subject segmentation +  text recognition **********
AddApplicationText(
 <activity
            android:name="com.google.mlkit.vision.documentscanner.internal.GmsDocumentScanningDelegateActivity"
            android:exported="false"
            android:screenOrientation="portrait"
            android:theme="@android:style/Theme.Black.NoTitleBar.Fullscreen"
             >
        </activity>
         <provider
            android:name="com.google.mlkit.common.internal.MlKitInitProvider"
            android:authorities="${applicationId}.mlkitinitprovider"
            android:exported="false"
            android:initOrder="99" />

        <service
            android:name="com.google.mlkit.common.internal.MlKitComponentDiscoveryService"
            android:directBootAware="true"
            android:exported="false"
             >
            <meta-data
                android:name="com.google.firebase.components:com.google.mlkit.common.internal.CommonComponentRegistrar"
                android:value="com.google.firebase.components.ComponentRegistrar" />
             <meta-data
                android:name="com.google.firebase.components:com.google.mlkit.vision.segmentation.subject.internal.SubjectSegmentationRegistrar"
                android:value="com.google.firebase.components.ComponentRegistrar" />
            <meta-data
                android:name="com.google.firebase.components:com.google.mlkit.vision.text.internal.TextRegistrar"
                android:value="com.google.firebase.components.ComponentRegistrar" />
        </service>
)
'******************************

AddPermission(android.permission.REQUEST_INSTALL_PACKAGES)
AddPermission(android.permission.SCHEDULE_EXACT_ALARM)
AddPermission(android.permission.POST_NOTIFICATIONS)
AddPermission("android.permission.FOREGROUND_SERVICE")
AddPermission(android.permission.INTERNET)
AddPermission(android.permission.RECORD_AUDIO)
AddPermission(android.permission.CAMERA)
AddPermission(android.permission.READ_PHONE_STATE)
AddPermission(android.permission.ACCESS_FINE_LOCATION)
AddPermission(android.permission.ACCESS_COARSE_LOCATION)
'AddPermission(android.permission.QUERY_ALL_PACKAGES)
AddApplicationText(
  <provider
  android:name="android.support.v4.content.FileProvider"
  android:authorities="$PACKAGE$.provider"
  android:exported="false"
  android:grantUriPermissions="true">
  <meta-data
  android:name="android.support.FILE_PROVIDER_PATHS"
  android:resource="@xml/provider_paths"/>
  </provider>
)
CreateResource(xml, provider_paths,
   <files-path name="name" path="shared" />
)

AddManifestText(
<queries>
    <package android:name="com.google.android.apps.docs" />
</queries>
)

'IME
SetActivityAttribute(main, android:windowSoftInputMode, adjustResize|stateHidden)

'Receive files
AddActivityText(Main,
<intent-filter>
   <action android:name="android.intent.action.VIEW" />
   <category android:name="android.intent.category.DEFAULT" />
   <data android:mimeType="*/*" />
</intent-filter>)

'SetApplicationAttribute(android:networkSecurityConfig, @xml/network_security_config)
'
'CreateResource(xml, network_security_config.xml,
'<network-security-config>
'<base-config cleartextTrafficPermitted="true">
'    <trust-anchors>
'        <certificates src="system" />
'    </trust-anchors>
'</base-config>
'</network-security-config>
')

'SetActivityAttribute(main, android:windowSoftInputMode, adjustPan|stateHidden)


Also, I am calling SetSSLFactory only one time, in the first B4XPage:
B4X:
'ssl
    Try
        SetSSLFactory(File.DirAssets, "keystore.p12", "xxxxxxxxxxxxxxxxxxxx")
    Catch
        ToastMessageShow("SSL Certification Problem!", True)
        Log("Exception: " & LastException.Message)
        Log(LastException)
    End Try


The pfx was converted as @Erel said in the previous post...

The destination / re-enter / source password is the same all the time...

Just copying the created .p12 file into DirAssets (Files)...


and still getting the same error...

PS: Using Java OpenJDK ver 19 from the link published in products / b4a
 
Magma

....OK.... Found what exactly is going on (thanks to Erel)

As I understand, this is not working in BlueStacks 5 (Android version ~7) (which I use for debugging)

So I understand now - it is like the first day, when it worked... (from a real device... but I also understand why I don't have access to other known SSL sites)

[1] My self-signed SSL worked... but for Android 9+ maybe

[2] When I call SetSSLFactory.. I can't get into other SSL (public-known) APIs! :-( (???) Is it possible to say somehow that specific httpjobs are for SetSSLFactory and the other public ones work as always?


ResponseError. Reason: javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this certificate chain, Response:
(ErrnoException) android.system.ErrnoException: open failed: ENOENT (No such file or directory)

* The problem is that at the same time as using httpjob with SetSSLFactory, I may be talking with another API that does not need it...
(timers)


So I am at the 2nd question now.. if anyone can help, that will be great..
 
Magma

Add this line before the "sslfactoryBuilder.RunMethod("withIdentityMaterial", Array(store, password))" line:
B4X:
sslfactoryBuilder.RunMethod("withDefaultTrustMaterial", Null)

This will make it work with known servers. Hopefully it will also work with your custom server.

Seems that it works on a real device...

Is SetSSLFactory for a specific Android SDK... Android 7.0+, or does it work on an Android 7 real device?


Thank you @Erel !!!!
 
Magma

Hi there..

Has something changed with the new SDK / and the new IDE update (B4A)?

After 2 months of working (with a custom certificate that expires in 10 years)

I got this message on Android 10 and 11 devices (12, 13, 14 are working well)

Exception: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.
(IOException) java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.
 
TILogistic

I also started receiving these errors after migrating to API 35 or 36, B4A Editor 13.40. I'm investigating with other colleagues who develop mobile apps on other platforms to see if this is an SDK issue.
 
Magma

TILogistic said:
I also started receiving these errors after migrating to API 35 or 36, B4A Editor 13.40. I'm investigating with other colleagues who develop mobile apps on other platforms to see if this is an SDK issue.

On the one hand I am happy that I am not the only one getting this error.
On the other hand... I can't understand why... and this is making the problem bigger.. I hope it will be easy for our "Master of B4A"... I am not tagging him - I hope he sees it soon :)
 
Magma

TILogistic said:
I also started receiving these errors after migrating to API 35 or 36, B4A Editor 13.40. I'm investigating with other colleagues who develop mobile apps on other platforms to see if this is an SDK issue.

Maybe something needs to be added in SDK Manager... but what?
Also the deb file created is 2MB SMALLER! Wow! :) It was 7.8MB... now it is 5.4MB... this is very strange
 
Magma

Tried to be more specific...
B4X:
#AdditionalJar: bcprov-jdk18on-1.78.1
#AdditionalJar: bcpkix-jdk18on-1.78.1
doesn't help...

* Also re-downloaded the OpenJDK that B4A supports, 19.0.2
recreated my p12 file the same way - but the same
doesn't help...

Maybe I need to move to a new JDK? Or not...

The other strange thing that I am seeing... is that I am getting the error... but I can send/receive data to the webpage having custom SSL????
Maybe it is a cache problem - when it is cleaned by the system... I will lose the connection... who knows :-(


PS: I am thinking out loud.
 