I try to log in using PKI. I use this tutorial: http://release-manager.com/rest/images/12702
On Firefox this works well. On Android smartphones this does not work (I tried several phones, Android 6-11). EDIT: Fortunately Android 7.1.1 seems to work.
This is the p12 file:
It must have something to do with the p12 key.
This is a screenshot of the KSE:
This is the ASN.1 structure:
SEQUENCE
{
SEQUENCE
{
TAGGED [0]:
INTEGER=2
INTEGER=512434666 (0x1e8b21ea)
SEQUENCE
{
OBJECT IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
NULL
}
SEQUENCE
{
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=CountryName (2.5.4.6)
PRINTABLE STRING='US'
}
}
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=OrganizationName (2.5.4.10)
UTF8 STRING='[]'
}
}
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=OrganizationalUnitName (2.5.4.11)
UTF8 STRING='[]'
}
}
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=CommonName (2.5.4.3)
PRINTABLE STRING='www.e-nexus.de'
}
}
}
SEQUENCE
{
UTC TIME=10/Nov/2000 00:00:00 CET (001109230000GMT+00:00)
GENERALIZED TIME=10/Nov/2100 00:00:00.000 CET (21001109230000GMT+00:00)
}
SEQUENCE
{
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=CountryName (2.5.4.6)
PRINTABLE STRING='US'
}
}
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=OrganizationName (2.5.4.10)
UTF8 STRING='[]'
}
}
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=OrganizationalUnitName (2.5.4.11)
UTF8 STRING='[]'
}
}
SET
{
SEQUENCE
{
OBJECT IDENTIFIER=CommonName (2.5.4.3)
PRINTABLE STRING='Admin Example Node 1'
}
}
}
SEQUENCE
{
SEQUENCE
{
OBJECT IDENTIFIER=RsaEncryption (1.2.840.113549.1.1.1)
NULL
}
BIT STRING, encapsulates:
SEQUENCE
{
INTEGER=
00 96 2D D5 EB 60 BB 98 ..-Õë`».
71 B6 A5 62 85 08 5D FD q¶¥b..]ý
42 80 CF 89 D4 B0 1D 46 B.Ï.Ô°.F
38 36 B1 DF 29 6F 52 34 86±ß)oR4
28 D1 A7 8A 67 21 C1 C6 (ѧ.g!ÁÆ
31 77 3B D3 B5 EE A8 9E 1w;Óµî¨.
01 D4 A2 36 FC 12 88 15 .Ô¢6ü...
43 69 70 38 FC 81 B6 3D Cip8ü.¶=
DF E4 6D 09 77 F3 9B 27 ßäm.wó.'
AC 01 A3 4A 41 77 55 21 ¬.£JAwU!
B9 68 61 AA AD 50 34 F0 ¹haªP4ð
AC 62 76 3C 2E 50 6E 44 ¬bv<.PnD
55 88 C0 0E 02 0E 36 6E U.À...6n
A4 AA 5D E3 FC 7A 64 6A ¤ª]ãüzdj
ED 0A CA 1B B3 CE 31 2D í.Ê.³Î1-
2F 10 96 89 F1 5A 02 62 /...ñZ.b
8B A1 F6 1A 5F BA AE 6B .¡ö._º®k
84 CC 97 40 3B 3D F3 3C .Ì.@;=ó<
E2 AB 15 D5 16 BE 22 35 â«.Õ.¾"5
10 A4 5A 6D 0E 4D 6A 34 .¤Zm.Mj4
12 BA 01 DD 6D A5 7D B5 .º.Ým¥}µ
4E 61 59 16 92 1A 5B E9 NaY...[é
22 8D A1 CC 51 1A DA BE ".¡ÌQ.Ú¾
DC EB 6F C9 49 16 72 3F ÜëoÉI.r?
50 52 0A 65 95 BE 13 7B PR.e.¾.{
18 F1 D5 31 23 28 19 14 .ñÕ1#(..
BE 2D D3 E3 BF 90 9A 4F ¾-Óã¿..O
49 DE 92 D1 7C 3E 72 BE IÞ.Ñ|>r¾
72 52 15 F3 30 5A 69 2C rR.ó0Zi,
5B DD 1F 01 4D C1 2C 8F [Ý..MÁ,.
A1 A3 62 8A DF 73 52 39 ¡£b.ßsR9
4D 61 EA 2E 10 37 5D 87 Maê..7].
53 S
INTEGER=65537 (0x10001)
}
}
TAGGED [3]:
SEQUENCE
{
SEQUENCE
{
OBJECT IDENTIFIER=ExtKeyUsage (2.5.29.37)
BOOLEAN=true
OCTET STRING, encapsulates:
SEQUENCE
{
OBJECT IDENTIFIER=ClientAuth (1.3.6.1.5.5.7.3.2)
}
}
SEQUENCE
{
OBJECT IDENTIFIER=SubjectKeyIdentifier (2.5.29.14)
OCTET STRING, encapsulates:
OCTET STRING=
11 25 D9 96 7E E1 16 B5 .%Ù.~á.µ
28 5D D7 65 81 22 0D BF (]×e.".¿
6C E8 27 71 lè'q
}
}
}
SEQUENCE
{
OBJECT IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
NULL
}
BIT STRING=
4C 02 52 BF 5D 8D 82 F0 L.R¿]..ð
89 DB 14 4E 46 95 C6 8B .Û.NF.Æ.
01 3A AF 7B 29 C0 25 FA .:¯{)À%ú
85 7A 93 29 90 93 AA 2E .z.)..ª.
06 B6 28 F7 3B 9B 58 38 .¶(÷;.X8
7C 67 D1 E7 B2 AE 3C 75 |gÑç²®<u
74 A8 26 CC 6E 6D 79 F4 t¨&Ìnmyô
2B 73 CA 2D A1 9C 12 0E +sÊ-¡...
51 CF 6D 2E D2 86 14 E1 QÏm.Ò..á
34 96 DB E4 03 51 E6 70 4.Ûä.Qæp
04 2D 9F 1C C3 06 78 98 .-..Ã.x.
7D AA 96 4D B0 6D BA A1 }ª.M°mº¡
4A 92 AD 3A FA 9A D4 98 J.:ú.Ô.
9A 57 2A CF 9D 58 C4 20 .W*Ï.XÄ
BE C6 E7 F6 63 B4 A0 E2 ¾Æçöc´ â
8D B6 1C 96 BA 0A C8 D2 .¶..º.ÈÒ
C6 E2 BC 9C 38 1F 44 31 Æâ¼.8.D1
1F 72 47 D0 FE EA 89 00 .rGÐþê..
45 2F C7 4E 2B 14 88 3D E/ÇN+..=
64 0D 8F 57 81 C5 6F DD d..W.ÅoÝ
90 24 0E 9B 18 6D D4 E2 .$...mÔâ
BE 30 B9 A8 E7 E8 0F E6 ¾0¹¨çè.æ
1A B8 22 57 92 5A 08 0F .¸"W.Z..
D7 56 85 E7 89 3E 46 C6 ×V.ç.>FÆ
0E 60 C3 CB 12 1D EE D3 .`ÃË..îÓ
90 88 BF 8E 79 AF 04 51 ..¿.y¯.Q
67 49 FA 6B 14 32 D8 2D gIúk.2Ø-
CB 88 80 A7 40 36 04 4D Ë..§@6.M
77 90 2A 54 50 C9 EB 83 w.*TPÉë.
DA 19 56 B4 C8 09 97 C0 Ú.V´È..À
A3 0E 7D 1D AC 6B 86 CF £.}.¬k.Ï
5E 80 60 10 5F 32 F0 68 ^.`._2ðh
}
I think this is related to this Android 10 behaviour change: certificates are now filtered according to the criteria sent by the server.
In your case the server requires a certificate issued by Admin Example Node 1 (or at least pretends to):
openssl s_client -crlf -connect node1.sandbox.release-manager.com:443 -servername node1.sandbox.release-manager.com
...
Acceptable client certificate CA names
C = US, O = [], OU = [], CN = Admin Example Node 1
...
(Please note that the O and OU are not empty, they contain the string [] and the CA fields must match.)
But your certificate is issued by www.e-nexus.de:
keytool -v -list -storetype PKCS12 -keystore Admin_Example_Node_1_210420063319.p12
...
Alias name: admin example node 1
Creation date: Apr 19, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Admin Example Node 1, OU=[], O=[], C=US
Issuer: CN=www.e-nexus.de, OU=[], O=[], C=US
I created a CA named CN=Admin Example Node 1, C=US, O=[], OU=[] and used it to issue a certificate:
Alias name: 1
Creation date: Jul 25, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=hello2, OU=[], O=[], C=US
Issuer: CN=Admin Example Node 1, OU=[], O=[], C=US
Edit: I tested 3 certificates:
CN=Admin Example Node 1, OU=[], O=[], C=US
CN=Admin Example Node 1, C=US
On:
With the results:
CN=Admin Example Node 1, OU=[], O=[], C=US
So the solution would be to change either the CA name or the specification sent by the server.
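To make the check the answer describes concrete, here is an added example (not code from the question, the answer, or the release-manager project) that builds the CA list a server sends in the TLS CertificateRequest, decodes the DER names in it, and compares them attribute by attribute with a client certificate's issuer. The DNs are the ones printed on this page; every byte string is constructed in the script, and it supports only the four attribute types (C, O, OU, CN) those DNs use. The comparison is deliberately strict, so "O = []" is treated as the two-character string and not as an empty attribute; whether a real TLS stack also tolerates case or whitespace differences is left to that stack and is not something this example claims.

```python
"""Check whether a client certificate's issuer is in the CA list a TLS server
advertises in CertificateRequest.certificate_authorities (RFC 5246 s7.4.4).
Added example: the DNs come from the page, every byte string is constructed
here, and only the four attribute types used on the page are supported."""
from typing import List, Tuple

# attribute types used in the DNs on this page (dotted OID <-> short name)
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
OID_BY_NAME = {v: k for k, v in OID_NAMES.items()}

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                      # base-128, high bit = "more follows"
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(raw: bytes) -> str:
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """[(type, value), ...] in DER order -> X.501 Name with UTF8String values."""
    body = b""
    for attr, value in rdns:
        atv = _tlv(0x06, _encode_oid(OID_BY_NAME[attr])) + _tlv(0x0C, value.encode())
        body += _tlv(0x31, _tlv(0x30, atv))  # SET { SEQUENCE { OID, value } }
    return _tlv(0x30, body)

def decode_name(der: bytes) -> List[Tuple[str, str]]:
    """X.501 Name -> [(type, value), ...]; the string tag (UTF8/Printable) is dropped."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn_set, pos = _read_tlv(body, pos)   # one RDN = SET of attributes
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _read_tlv(rdn_set, inner)
            _, oid, after_oid = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after_oid)
            dotted = _decode_oid(oid)
            rdns.append((OID_NAMES.get(dotted, dotted), value.decode()))
    return rdns

def encode_certificate_authorities(names: List[bytes]) -> bytes:
    """TLS vector: 2-byte total length, then each DER Name with its own 2-byte length."""
    items = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    return len(items).to_bytes(2, "big") + items

def decode_certificate_authorities(vec: bytes) -> List[bytes]:
    total, pos, out = int.from_bytes(vec[:2], "big"), 2, []
    while pos < 2 + total:
        n = int.from_bytes(vec[pos:pos + 2], "big")
        out.append(vec[pos + 2:pos + 2 + n])
        pos += 2 + n
    return out

def issuer_accepted(issuer_der: bytes, certificate_authorities: bytes) -> bool:
    """True if the issuer equals one advertised CA name, attribute by attribute and in
    order. Deliberately strict: 'O = []' is the string "[]", not an empty attribute."""
    issuer = decode_name(issuer_der)
    return any(decode_name(ca) == issuer
               for ca in decode_certificate_authorities(certificate_authorities))

# constructed sample data using the DNs on the page (DER order: C, O, OU, CN)
NODE1_CA = [("C", "US"), ("O", "[]"), ("OU", "[]"), ("CN", "Admin Example Node 1")]
ENEXUS_CA = [("C", "US"), ("O", "[]"), ("OU", "[]"), ("CN", "www.e-nexus.de")]
SERVER_CA_LIST = encode_certificate_authorities([encode_name(NODE1_CA)])

if __name__ == "__main__":
    for label, issuer in (("question's p12", ENEXUS_CA), ("answer's new CA", NODE1_CA)):
        verdict = "accepted" if issuer_accepted(encode_name(issuer), SERVER_CA_LIST) else "filtered out"
        print(f"{label}: issuer '{', '.join(f'{a} = {v}' for a, v in issuer)}' -> {verdict}")
```

Running it reports the p12's issuer (CN=www.e-nexus.de) as filtered out and the answerer's new CA as accepted. Decoding the names rather than comparing raw DER is what makes the "[]" point visible: an issuer with a genuinely empty O or OU decodes to a different attribute list and is rejected as well.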