Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Signature verification problems for ecdsa-with-SHA384 on Android 6

Tags:

java

x509certificate

android-6.0-marshmallow

verify

I've problems verifying a certificate which is signed with ECDSA with SHA384 on Android 6.0 and up. However, it is working for Android 4.1 - 5.1. I tracked it down to an error in the Certificate class. An exception is thrown in the verify method: 

java.lang.RuntimeException: error:0f092074:elliptic curve routines:ec_asn1_pkparameters2group:NON_NAMED_CURVE

Any idea why this is happening with Android 6.0 and how it can be fixed? I already tested it with Spongycastle as a security provider, but the verify function always throws that exception.

Thanks & Regards

like image 929
Romanski Avatar asked Jun 07 '16 11:06

Romanski

1 Answers

Finally found the issue - not the verification of the signature itself was the problem, but loading of the intermediate certificate which holds the ec public key. 

    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
        Unable to load Public Key
2536673920:error:0f092074:elliptic curve routines:ec_asn1_pkparameters2group:NON_NAMED_CURVE:external/boringssl/src/crypto/ec/ec_asn1.c:225:
2536673920:error:0f07f076:elliptic curve routines:d2i_ECPKParameters:PKPARAMETERS2GROUP_FAILURE:external/boringssl/src/crypto/ec/ec_asn1.c:253:
2536673920:error:0f08000f:elliptic curve routines:d2i_ECParameters:elliptic curve routines:external/boringssl/src/crypto/ec/ec_asn1.c:503:
2536673920:error:0608808f:public key routines:eckey_type2param:DECODE_ERROR:external/boringssl/src/crypto/evp/p_ec_asn1.c:140:
2536673920:error:0608600f:public key routines:eckey_pub_decode:elliptic curve routines:external/boringssl/src/crypto/evp/p_ec_asn1.c:180:
2536673920:error:0b07c07c:X.509 certificate routines:X509_PUBKEY_get:PUBLIC_KEY_DECODE_ERROR:external/boringssl/src/crypto/x509/x_pubkey.c:168:

This leads to the question - why does BoringSSL have problems decoding the public key in this certificate? And I guess this has to be a bug in BoringSSL. I checked the certificate with OpenSSL and had no problems there.

When the Spongycastle Provider is explicitly used when loading the intermediate certificate and later verifying the signature of the document signing certificate, everything works fine.

like image 103
Romanski Avatar answered Sep 30 '22 05:09

Romanski
Sign in to Comment

Related questions

How to get timezone from timezone offset in java?
Android DateFormat for AM/PM differs between devices
android.content.pm.PackageManager$NameNotFoundException: when using 2 product flavors?
Poor performance due to Java garbage collector ? Need suggestions
Generic Parameter Type and Return Type in Java
JavaFX : How to pass value from background thread to JavaFX UI thread with Task
Increment an int using threads
A program that counts the letters in string in Java
What is the conventional Java exception for "Too Many Results"
What is threshold limit number of threads that a JVM can create
Where JVM keeps information about reference and object types
Unable to start tomcat 7: Caused by: java.lang.NoClassDefFoundError
object kafka is not a member of package org.apache
Lucene - string field which doesn't need to be indexed
Java: save grayscale int array to image
Lamba are allowed at source level only 1.8 or above
How to search within an Selenium WebElement? [duplicate]
How to stop netty bootstrap from listening and accepting new connetions
Getting error in Android Studio 2.1 with java 8
How do I make Java & Postgres enums work together for update?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!