Android - SSL/TLS and ECC (Elliptic curve cryptography)

Anonymous (unverified), submitted 2019-12-03 07:50:05

Question:

I'm developing an Android application which communicates with a web server. We use HTTPS for this communication and we also have a client certificate inside the Android application for authentication.

We created SSL certificates using ECC (ANSI x9.62) in order to have very small certificates so we can reduce the transmission cost during handshake.

The source code for the communication is more or less like this:

    import java.io.InputStream;
    import java.security.KeyStore;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;

    // Load the BKS keystore shipped as a raw resource; it holds the client certificate and private key
    InputStream keystoreIs = getResources().openRawResource(R.raw.client_bks);
    KeyStore keystore = KeyStore.getInstance("BKS");
    keystore.load(keystoreIs, KEYSTORE_PASSWORD.toCharArray());
    // The same keystore is used both as the client key store and as the trust store for the server
    SSLSocketFactory socketFactory = new SSLSocketFactory(keystore, KEYSTORE_PASSWORD, keystore);
    Scheme serverScheme = new Scheme("https", socketFactory, SERVER_PORT);
    HttpClient httpclient = new DefaultHttpClient();
    httpclient.getConnectionManager().getSchemeRegistry().register(serverScheme);
    HttpPost httppost = new HttpPost(SERVER_URL);
    HttpResponse response = httpclient.execute(httppost);

The problem is that when we try to connect we have errors like:

    E/NativeCrypto(4744): Unknown error 5 during connect
    W/System.err(4744): java.io.IOException: SSL handshake failure: I/O error during system call, Connection reset by peer
    W/System.err(4744):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeconnect(Native Method)
    W/System.err(4744):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:316)
    W/System.err(4744):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:520)
    W/System.err(4744):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:461)
    W/System.err(4744):     at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:93)
    W/System.err(4744):     at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
    W/System.err(4744):     at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
    W/System.err(4744):     at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
    W/System.err(4744):     at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
    (...)

I tried to find an example with ECC and SSL but I didn't find anything. I found several articles about encryption and key pair generation (for example http://nelenkov.blogspot.com/2011/12/using-ecdh-on-android.html#!/2011/12/using-ecdh-on-android.html) but nothing related to this kind of SSL error.

We would appreciate any feedback. Thank you in advance!!

Answer 1:

Default Android 7.0 SSLSocketFactory doesn't support all of the elliptic curves known to OpenSSL/BoringSSL. The handshake only lists secp256r1 in the supported_curves in the Client Hello.

The SSLEngine documentation doesn't even mention supported curves.

If the server can't agree to use that curve, it will close the connection and the handshake fails on the client side with the I/O error shown.

Chrome on Android however supports 3 common curves: secp256r1, secp384r1, and x25519.

EDIT

I should add the signature hash algorithm support extension does include ECDSA with SHA1 through SHA512, so it should be fine to use an ECDSA certificate on the server side.
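The answer's diagnosis rests on what the client advertises in the supported_groups (elliptic_curves) and signature_algorithms extensions of its ClientHello. The following is an added example, not code from the question or the answer: it builds a constructed TLS 1.2 ClientHello, parses those two extensions back out of the raw record, and checks whether a client offering only secp256r1 could agree on a curve with a server that accepts some other set. Code points are the IANA TLS registry values; the record layout is real TLS, but the hello itself is synthetic test input.

```python
import os
import struct

# IANA code points for the supported_groups (0x000a) and signature_algorithms (0x000d) extensions
NAMED_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001D: "x25519"}
SIG_ALGS = {0x0203: "ecdsa_sha1", 0x0403: "ecdsa_secp256r1_sha256",
            0x0503: "ecdsa_secp384r1_sha384", 0x0603: "ecdsa_secp521r1_sha512"}


def build_client_hello(groups, sig_algs):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture)."""
    def u16_list(codes):
        return struct.pack("!H", 2 * len(codes)) + b"".join(struct.pack("!H", c) for c in codes)
    ext_groups, ext_sigs = u16_list(groups), u16_list(sig_algs)
    exts = (struct.pack("!HH", 0x000A, len(ext_groups)) + ext_groups
            + struct.pack("!HH", 0x000D, len(ext_sigs)) + ext_sigs)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\xc0\x2b"                            # one suite: ECDHE-ECDSA-AES128-GCM-SHA256
            + b"\x01\x00"                                    # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (named groups, signature algorithms) the client offers, as name strings."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                        # record + handshake headers, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    groups, sigs = [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype in (0x000A, 0x000D):
            count = struct.unpack("!H", data[:2])[0] // 2
            codes = struct.unpack("!%dH" % count, data[2:2 + 2 * count])
            table, out = (NAMED_GROUPS, groups) if etype == 0x000A else (SIG_ALGS, sigs)
            out.extend(table.get(c, "unknown(0x%04x)" % c) for c in codes)
        pos += 4 + elen
    return groups, sigs


def can_agree_on_curve(client_groups, server_groups):
    """The ECDHE handshake can only succeed if both sides share at least one named group."""
    return bool(set(client_groups) & set(server_groups))
```

Running parse_client_hello over a real capture of the failing connection (for example from a packet trace) shows directly whether the client's supported_groups list overlaps the curve the server certificate and configuration require.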
