android: Error while connecting with TLS certificates

I’m trying to connect to the server with the self-signed TLS client certificates (created with generate-CA.sh), but I’m having some issues.

2022-06-05 22:51:15.979 D MessageProcessor: message:TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key, 
2022-06-05 22:51:15.980 D BackgroundService: endpoint state changed Error. Message: TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
	at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
	at java.security.KeyStore.load(KeyStore.java:1484)
	at org.owntracks.android.support.SocketFactory.<init>(SourceFile:304)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:186)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:177)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.sendMessage(SourceFile:30)
	at org.owntracks.android.services.MessageProcessor.lambda$sendAvailableMessages$0(Unknown Source:2)
	at org.owntracks.android.services.MessageProcessor.$r8$lambda$bVYaIhYhXtJCzBaSxWOGtcUu6f8(Unknown Source:0)
	at org.owntracks.android.services.MessageProcessor$$ExternalSyntheticLambda1.call(Unknown Source:4)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loopOnce(Looper.java:226)
	at android.os.Looper.loop(Looper.java:313)
	at android.os.HandlerThread.run(HandlerThread.java:67)

Here’s what I’ve tried so far:

  • Turn off TLS and verify that the recorder config is correctly set up
  • Used mosquitto_pub and mosquitto_sub to verify that certs generated with generate-CA.sh are working fine
  • Reinstall the app
  • Tried with new users/certs
  • Verified that I’m using the same CA for the server/client cert.

…but no luck so far. Not sure what’s wrong, but my only guess is that either openssl is generating incorrect .p12 file or the OS/app somehow can’t find the API required to open PKCS12 file.

Here is some additional information that can help the debugging process:

  1. I’ve used the following command to create the .p12 file from the existing crt/key file:
     openssl pkcs12 -export -in name.crt -inkey name.key -name "name-cert" -out name.p12
  2. When I tried to add name.p12 file in the system settings, it did not accept the password I put in. It’s a very simple password and I’ve verified it multiple times. Perhaps this is somehow related?
  • App build number: 2.4.8, 20408019
  • Android version: 12
  • Device: Galaxy S21 Ultra
  • Installation source: Google play

Thanks for all the help!
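The poster's guess above is that either openssl is writing a .p12 the app cannot parse, or the platform lacks the algorithm needed to open it. The script below is an added diagnostic for exactly that question; it is not code from this issue thread or from the OwnTracks project, and it does not claim to be the root cause the maintainer fixed. It creates a throwaway client key and certificate (standing in for generate-CA.sh output), exports them to PKCS#12 both with openssl's defaults and with the older SHA-1/3DES algorithms pinned, then reports which integrity-MAC digest each file carries and whether openssl itself can verify it with the password. File names and the password are constructed for the demo; the note that OpenSSL 3 defaults to a SHA-256 MAC with PBES2 bags while OpenSSL 1.1 used SHA-1 is general openssl behaviour, not something stated on this page.

```shell
#!/bin/sh
# Added diagnostic for this thread (not code from the issue or the OwnTracks
# project): build a throwaway client key/cert, export it to PKCS#12 two ways,
# and report which MAC digest each .p12 carries, so an "error constructing MAC"
# failure in a consumer can be compared with what openssl actually wrote.
# All file names and the password below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
PASS="example-pass"   # constructed demo password, not a real secret

# Throwaway self-signed key/cert standing in for generate-CA.sh output.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=owntracks-test-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Export with this openssl build's defaults (OpenSSL 3 picks PBES2/AES-256-CBC
# bags and an HMAC-SHA256 integrity MAC; OpenSSL 1.1 picked SHA-1).
export_default() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -name "client" -passout "pass:$PASS" -out "$WORK/default.p12"
}

# Export pinning the older PKCS#12 algorithms (SHA-1 MAC, PBE-SHA1-3DES bags)
# that older PKCS#12 consumers understand. These are weaker than the defaults,
# so use them only when the consumer cannot be updated.
export_compat() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -name "client" -passout "pass:$PASS" \
        -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -out "$WORK/compat.p12"
}

# Report the MAC digest of a .p12 ("sha1", "sha256", ...). The macData block is
# the last element of the PFX, and the outer asn1parse view does not descend
# into the encrypted bags, so the last "OBJECT :sha*" line is that digest.
p12_mac_digest() {
    openssl asn1parse -inform DER -in "$1" \
        | sed -n 's/.*OBJECT *:\(sha[0-9]*\)$/\1/p' | tail -n 1
}

# True if openssl itself can verify the MAC with this password. A wrong password
# fails here too, which separates "bad password" from "consumer lacks the MAC
# algorithm": if openssl verifies the file but the app cannot, the algorithm
# set is the thing to look at.
p12_verifies() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$PASS" >/dev/null 2>&1
}

main() {
    make_test_cert
    export_default
    export_compat
    for f in default compat; do
        p="$WORK/$f.p12"
        if p12_verifies "$p"; then v="MAC verifies"; else v="MAC does NOT verify"; fi
        echo "$f.p12: MAC digest=$(p12_mac_digest "$p"), $v"
    done
}

main
```

Run it as-is to see the two exports side by side; to inspect a .p12 you already have, call p12_mac_digest and p12_verifies on that path with its own password in PASS. A file that openssl verifies but a consumer rejects with a MAC error points at the algorithm set rather than at the password, which is the distinction the "system settings did not accept the password" observation above cannot make on its own.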

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 41

Most upvoted comments

@growse Hi, thanks a lot, the last build did fix the issue, I could finally connect to my broker 😃 Thank you very much for not giving up!

Tried by building a new p12 (openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile ca.crt) with a simple password, but got the same initial error as I had

Alright, big thanks again for helping out, I really appreciate it and sent a donation.

On Sun, Nov 6, 2022, 21:16 Andrew Rowson @.***> wrote:

Great to hear, I’ll get that BC vendor change merged for the next release.

For sponsorships, we use liberapay.com/owntracks.org

— Reply to this email directly, view it on GitHub https://github.com/owntracks/android/issues/1225#issuecomment-1304884769, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEJZPFT2KYP6ACMERK5N3YLWHAG2RANCNFSM5X6N4ZOQ . You are receiving this because you were mentioned.Message ID: @.***>

Confirmed, screenshot of the apk you sent in working state with client certificate, and then I exported and imported the config to the latest version from Google Play and it does not work 😃

Big thanks for the great support!

Latest version in google play: IMG_20221104_200354.jpg

The apk you uploaded yesterday: Screenshot_2022-11-04-20-03-30-59_9951077289cab6671e6adf4f98f78cdd.jpg

Btw, any plans to enable GitHub Sponsors on the repo?

Give me the weekend to confirm 😃

On Thu, Nov 3, 2022, 22:58 Andrew Rowson @.***> wrote:

That’s encouraging. So maybe we do just need to vendor BC?

— View on GitHub: https://github.com/owntracks/android/issues/1225#issuecomment-1302721509