Discussion:
Wrong signature algorithms are sent in extension
Michael Thelen
2014-09-10 08:57:46 UTC
Hi all,

I am using the BC TLS implementation to be able to use the ciphersuite
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 with Android. Adjusting the
ciphersuite worked fine, which I could see in the log of the server. Still
I cannot connect because I always get the error message in the TLS
handshake: Ignoring alias testserver: signature does not conform to
negotiated signature algorithms. I compared the results with a connect of
openssl s_client and the differences are indeed the offered signature
algorithms in the extension. So I followed the source code in BC and found
that if I use the above ciphersuite, everything should be adjusted
accordingly in a default manner. Unfortunately, it does not work. So I even
tried to set it explicitly. Please see code below.

Android Version 4.4.2
The signature algorithms still sent are: SHA512withRSA, SHA384withRSA,
SHA256withRSA, SHA224withRSA, SHA1withRSA, SHA1withDSA
and I think I need something like: SHA256withECDSA

So am I missing something here in the API usage, or is Android playing a
trick on me? Any help is appreciated.

Best regards
Mike

    Security.insertProviderAt(new BouncyCastleProvider(), 1);
    tlsClientProt = new TlsClientProtocol(socket.getInputStream(),
            socket.getOutputStream(), new SecureRandom());
    tlsClientProt.connect(new DefaultTlsClient() {
        @Override
        public TlsKeyExchange getKeyExchange() throws IOException {
            final Vector<SignatureAndHashAlgorithm> sigHashAlgorithm =
                    new Vector<SignatureAndHashAlgorithm>(1);
            sigHashAlgorithm.add(new SignatureAndHashAlgorithm(
                    HashAlgorithm.sha256, SignatureAlgorithm.ecdsa));
            TlsKeyExchange keyExchange = new TlsECDHKeyExchange(
                    KeyExchangeAlgorithm.ECDH_ECDSA, sigHashAlgorithm, null, null, null);
            return keyExchange;
        }

        @Override
        public int[] getCipherSuites() {
            if (enabledCiphers != null) {
                if (enabledCiphers.length >= 1) {
                    // set to TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
                    return enabledCiphers;
                }
            }
            return super.getCipherSuites();
        }

        @Override
        public ProtocolVersion getClientVersion() {
            return ProtocolVersion.TLSv12;
        }

        @Override
        public ProtocolVersion getMinimumVersion() {
            return ProtocolVersion.TLSv12;
        }
    });
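
Added example, not part of the original posts: a decoder for the signature_algorithms extension (RFC 5246, section 7.4.1.4.1) that checks whether a certificate's signature algorithm is among those a ClientHello offers, the comparison behind the handshake error quoted above. The sample bytes are constructed from the list in the post; SHA256withECDSA as the server certificate's algorithm is an assumption taken from the poster's guess, and all function names are hypothetical.

```python
import struct

# Code points from RFC 5246, section 7.4.1.4.1
HASH = {0: "NONE", 1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG = {0: "anonymous", 1: "RSA", 2: "DSA", 3: "ECDSA"}
SIGNATURE_ALGORITHMS = 13  # extension type

def find_extension(block: bytes, wanted: int):
    """Return extension_data for `wanted` from a ClientHello extensions block, or None."""
    if len(block) < 2 or struct.unpack_from("!H", block)[0] != len(block) - 2:
        raise ValueError("bad extensions block length")
    pos = 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension body")
        if ext_type == wanted:
            return block[pos:pos + ext_len]
        pos += ext_len
    return None

def offered_algorithms(ext_data: bytes):
    """Decode signature_algorithms extension_data into names like 'SHA256withRSA'."""
    if len(ext_data) < 2:
        raise ValueError("missing list length")
    (n,) = struct.unpack_from("!H", ext_data)
    if n != len(ext_data) - 2 or n % 2 or n == 0:
        raise ValueError("malformed supported_signature_algorithms list")
    pairs = zip(ext_data[2::2], ext_data[3::2])  # (hash, signature) byte pairs
    return [f"{HASH.get(h, 'hash%d' % h)}with{SIG.get(s, 'sig%d' % s)}" for h, s in pairs]

def conforms(block: bytes, cert_sig: str) -> bool:
    """True if the certificate's signature algorithm is among those the client offered."""
    ext = find_extension(block, SIGNATURE_ALGORITHMS)
    # Simplification: an absent extension is treated as a mismatch, although
    # RFC 5246 has the server fall back to SHA-1 defaults in that case.
    return ext is not None and cert_sig in offered_algorithms(ext)

# Constructed samples: the list reported in the post, and one that also offers ECDSA
_RSA_DSA = bytes.fromhex("000c" "0601" "0501" "0401" "0301" "0201" "0202")
AS_SENT = bytes.fromhex("0012" "000d" "000e") + _RSA_DSA
_WITH_EC = bytes.fromhex("000e" "0403" "0601" "0501" "0401" "0301" "0201" "0202")
WITH_ECDSA = bytes.fromhex("0014" "000d" "0010") + _WITH_EC

if __name__ == "__main__":
    for name, hello in (("as sent", AS_SENT), ("with ECDSA", WITH_ECDSA)):
        print(name, conforms(hello, "SHA256withECDSA"))
```
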
Michael Thelen
2014-09-10 10:46:53 UTC
Solved by reading the source code of AbstractTlsClient.java.

Best regards
Mike

