Wrong version of keystore on android call
Solution 1
Have a Look on it Android: Trusting SSL certificates
-storetype BKS
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath /path/to/bouncycastle.jar
And use this version when creating your keystore: Version 1.46 found here
May it Helps...
Solution 2
You need to change the type of the keystore, from BKS to BKS-v1 (BKS-v1 is an older version of BKS). Because the BKS version changed as said here
There is another solution, that is much much easier:
- Using Portecle:
- Downloads Portecle http://portecle.sourceforge.net/
- Open your bks file with the password and portecle
- Do Tools>>Change Keystore Type>>BKS-v1
- Save the file
- You may use KeyStore Explorer
The new file will be encoded with BKS-v1 and will not show the error anymore. To change the KeyStore type, open KeyStore Explorer and go to Tools -> Change KeyStore Type
and then save the file.
Note:
Android works with different BKS versions: for instance, API 15 will require BKS-1 contrary to API 23 which requires BKS, so you may need to put both files in your app.
You can use this code to switch between them depending on the API level:
int bks_version;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
bks_version = R.raw.publickey; //The BKS file
} else {
bks_version = R.raw.publickey_v1; //The BKS (v-1) file
}
KeyStore ks = KeyStore.getInstance("BKS");
InputStream in = getResources().openRawResource(bks_version);
ks.load(in, "mypass".toCharArray());
Solution 3
Finally i used a graphic editor (KeyStore Explorer) under Windows and it's working.
Maybe the error was caused by Java/Mac version problems
Solution 4
Solution is Here , able to remove the version prolem
Creating BKS file for android client
Software installation details required to create BKS file:
Download Keystore Explorer software from link http://keystore-explorer.sourceforge.net/
Download UnlimitedJCEPolicyJDK7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Extract zip and copy US_export_policy and local_policy to your C:/programes file/java/jre7/lib/security folder.
install Keystore Explorer software.
Steps to Generate BKS file: (Need CA file , Certificate file , Key File and .P12 i.e.PKCS file(if available).
1) Creating Trust file using CA .crt file using keystore software.
Steps:
Open software
Go File->New->select .BKS from the wizard
To import CA certificate file Go Tool->Import trusted certificate ->select CA .crt file -> entert password->(It will throwa an exception if certificate is self sign) import file forcefully.
4.Save file with .bks extension.
2) Creating Key file using .P12 file using keystore software
Steps
Open software Go File->New->select .BKS from the wizard
Import >p12 file Go Tool -> Import key pair -> select PKCS #12 from wizard - >enter decription password for file and brows file -> Enter alise name(if want to change else can keep as it is) ->Enter new password
Save file with .bks extension.
3) Creating Key file using if .P12 is not available file using keystore software
Steps
Open software
Go File->New->select .BKS from the wizard Import >p12 file Go Tool -> Import key pair -> select OpenSSL from wizard - >unchecked decription password for file ,brows .key and .crt (Certificate file not CA) file -> Enter alise name(if want to change else can keep as it is) ->Enter new password
Save file with .bks extension.
Copy both file in res/raw folder(Both BKS file are compulsarry).
Code:
static final String ENABLED_CIPHERS[] = {
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"SSL_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
};
// put this in a place where it can be reused
static final String ENABLED_PROTOCOLS[] = {
"TLSv1.2", "TLSv1.1", "TLSv1"
};
private void sslCon()
{
try {
// setup truststore to provide trust for the server certificate
// load truststore certificate
InputStream trustStoresIs = getResources().openRawResource(R.raw.client_ca);
String trustStoreType = KeyStore.getDefaultType();
KeyStore trustStore = KeyStore.getInstance(trustStoreType);
trustStore.load(trustStoresIs, "spsoft_123".toCharArray());
//keyStore.setCertificateEntry("ca", ca);
// initialize trust manager factory with the read truststore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(trustStore);
// setup client certificate
// load client certificate
InputStream keyStoreStream = getResources().openRawResource(R.raw.client_cert_key);
KeyStore keyStore = null;
keyStore = KeyStore.getInstance("BKS");
keyStore.load(keyStoreStream, "your password".toCharArray());
KeyManagerFactory keyManagerFactory = null;
keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "your password".toCharArray());
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("SSL");
context.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
SSLSocketFactory sslsocketfactory = (SSLSocketFactory)context.getSocketFactory();
InetAddress serverAddr = InetAddress.getByName("192.168.11.104");
sslSocket = (SSLSocket) sslsocketfactory.createSocket(serverAddr, 5212);
//String[] ciphers = sslSocket.getEnabledCipherSuites();
sslSocket.setEnabledCipherSuites(ENABLED_CIPHERS);
// put this right before setEnabledCipherSuites()!
//sslSocket.setEnabledProtocols(ENABLED_PROTOCOLS);
//InputStream inputStream = sslSocket.getInputStream();
OutputStream out = sslSocket.getOutputStream();
Toast.makeText(getApplicationContext(), "Connected", Toast.LENGTH_SHORT).show();
sslSocket.close();
} catch (KeyManagementException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (FileNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (KeyStoreException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
Solution 5
I'm posting this answer to provide a cmdline-version for converting a .pkcs12
File to keystore.bks
What is needed:
- Portecle - download it from https://sourceforge.net/projects/portecle/
If you don't know how to generate a .PKCS12
-File check out these sites:
- http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
- https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
For this Sample I use jetty.pkcs12
as source.
The command generates: keystore.bks
/usr/local/share/java/portecle-1.9/ is the path where I've installed the downloaded Portecle-Tool (.ZIP)
keytool -importkeystore -srckeystore jetty.pkcs12 \
-srcstoretype PKCS12 -deststoretype BKS -providerpath \
/usr/local/share/java/portecle-1.9/bcprov.jar -provider \
org.bouncycastle.jce.provider.BouncyCastleProvider-destkeystore \
keystore.bks
Now you can use the BKS-Keystore under Android
Thanks to the prev posting I was able find a solution and to provide this cmd. Hope it helps someone!
JuSchz
I'm a Android & Front-end web developer. Technologies and libraries I'm using : Android Dev : Android Studio / GenyMotion / Gradle Front : Javascript & Html 5 & Css 3 Javascript libs and framework : YUI, jQuery, Handlebars, Ember Versioning : Git Css Pre-processor : Sass Core : Php & Java Android libs : Nutiteq, MuPdf, Picasso, Retrofit, RxJava Database : Mysql, PgSql and Sqlite
Updated on August 06, 2020Comments
-
JuSchz almost 4 years
I want to make a https request.
I use bouncycastle to generate the keystore like this :
keytool -importcert -trustcacerts -alias ludevCA -file lu_dev_cert.crt -keypass mypass -keystore keystore.bks -storepass mypass -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk15on-146.jar
And the keylist command return a correct value.
But when i do :
KeyStore ks = KeyStore.getInstance("BKS"); InputStream in = getResources().openRawResource(R.raw.keystore); ks.load(in, "mypass".toCharArray());
i have a error :
wrong version of keystore
I tried to use several version of bouncycast, but the result is the same. I also tried to define keysize 1024, but nothing change.
Any ideas ?
-
JuSchz almost 12 yearsThat's exactly what i've done ( and I execute again the tutorial) but the result still the same.
-
Marcin Orlowski almost 12 years@julesanchez: you HAVE TO use bcprov-jdk16-146.jar. Latest v147 will cause said problems
-
Fer over 8 years@MarcinOrlowski Does it mean that we are depended on bouncycastle jar? isnt there any standard method that we can use on android, java, .net and others? I am alittle confused about it.
-
Singagirl over 8 yearsI can confirm that 1.46 produces right format BKS, and any newer versions are not accepted by Android. My version is 4.2, maybe you need newer android to accept newer version of BKS? Who knows?
-
Fonix over 8 yearsseemed to fix an issue i was having for a 4.0.4 device, but devices with 4.1.1/2 are still having the same issue
-
Simon over 8 yearsDon't know why but when I tried to change it with Portecle, it just kept on disallowing me to change the keystore because it says unrecoverablekeyexception. But then I tried it out with Windows and Keystore Explorer and changed the keystore type from there and it worked like a charm. +1
-
L3K0V over 8 yearsWorkaround for 4.1.1/2:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { ... }
-
Cukic0d about 8 yearsInstead of using an old boucycastle version, you should use an old certificate version.