Android 7 Smack 4.1.8 "Failed to load certificate from Keystore"

Mike94 · February 1, 2017, 6:56am

Hi,

our App works fine with Smack on Android 4+, for a long time now.

Recent tests for our App with Android 7.1 resulted in “the app no longer works”.

We receive this error on A7 devices when trying to connect with Smack to our XMPP Server:

javax.net.ssl.SSLHandshakeException: java.lang.RuntimeException: Failed to load certificates from KeyStore

org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets()#1029

org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300()#956

org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run()#971

java.lang.Thread.run()#762

Do you have any hints for me, how to solve this?

Thanks in advance, Mike

Adekunle_Valentine_O · February 1, 2017, 7:56am

This seems to be a server side issue…
are you sure your certificate is still valid. Try connecting with securitymode disabled

Mike94 · February 1, 2017, 8:08am

Thanks for your reply,

it is definitely not a server-side issue, as the same build runs fine on Android 4.x up to 6.x

Only in A7 and above this crashes.

Here is a question on another product where a user had the same issue with A7 and the author of the product fixed in his library:

Certificate issue with new Android N beta · Issue #274 · sandsmark/QuasselDroid · GitHub

stackoverflow shows similar problems:

ssl - Need help debugging SSLHandshakeException in Android Nougat - Stack Overflow

There is something to do (most likely on smack side) for a correct ssl handshake in Android 7 and above.

Flow · February 1, 2017, 8:35am

Show us the full stacktrace including the stacktrace of all wrapped exceptions.

ssl - Need help debugging SSLHandshakeException in Android Nougat - Stack Overflow

That is totally unrelated.

Mike94 · February 1, 2017, 9:48am

Yes, that SO article is unrelated to this specific problem, I just wanted to show, that there are changes in Android 7 regarding certificates. Problems arise in A7 with many libraries at the moment.

At the moment of the crash, this is the full stacktrace.

java.lang.Thread.run()#762 is a line in the app that does this call:

getConnection().connect();

where getConnection() has this code:

configuration = XMPPTCPConnectionConfiguration.builder()

.setUsernameAndPassword(username, password)

.setServiceName(server)

.setHost(server)

.setPort(port)

.setConnectTimeout(connectTimeoutMillis)

.setDebuggerEnabled(debuggerEnabled)

.setResource(xmppResource)

.setSecurityMode(ConnectionConfiguration.SecurityMode.required)

.setCustomSSLContext(createContext())

.build();

return new XMPPTCPConnection(configuration);

This call involves a call to createContext() — Maybe the problem is in this method, as this is the keystore related part that seems to make problems in A7

KeyStore trustStore;

try {

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH) {

trustStore = KeyStore.getInstance(“AndroidCAStore”);

} else {

trustStore = KeyStore.getInstance(“BKS”);

}

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

trustManagerFactory.init(trustStore);

SSLContext sslContext = SSLContext.getInstance(“TLS”);

sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());

return sslContext;

}

catch (Exception e){

Uclog.error(“Error creating SSL-context”,e);

return null;

}

In the logs the “Error creating SSL-context” does not appear, so at least this method does not fail. That’s all I know at the moment. It works fine until (and including) A6.

Thanks for your comments so far!

Flow · February 1, 2017, 10:29am

You still didn’t show a full stacktrace which includes all the wrapped exceptions. Also your createContext() and the according call of setCustomContext() appears to be as if you could simply remove it and would achieve the same goal.

Mike94 · February 1, 2017, 10:34am

Sorry, can you explain what you mean with “wrapped exceptions” (not native english here) - I do a e.printStacktrace and what I posted initially is the full stacktrace - there is not more.

Flow · February 1, 2017, 10:53am

javax.net.ssl.SSLHandshakeException: java.lang.RuntimeException: Failed to load certificates from KeyStore

org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets()#1029

There are (at least) three exception wrapped into each other. The innermost is the RuntimeException, which is wrapped into a SSLHandshakeException, which is wrapped at line 1029 of XMPPTCPConnection into a SmackException. The SmackException is propagated by the SyncPoint to the call stack of the thread invoking connect(). The stacktrace of the innermost exception is of particular interest. Possible that Android’s printStackTrace() does not a full walk of the wrapped exception (but IIRC it does). But even if not, simply attach an debugger.

I still wonder if it simply wouldn’t work if you omit the call to setCustomSSLContext(). What are you trying to achieve with the custom SSLContext anway?

Mike94 · February 1, 2017, 12:00pm

Flow, thank you SO much!

By pointing out again and again you directed me the right path along this way.

I just removed the customContext and everything works.

To complete this thread, here is the full exception with all the inner exceptions, where the bold lines showed me the problem.

Connection closed with error

javax.net.ssl.SSLHandshakeException: java.lang.RuntimeException: Failed to load certificates from KeyStore

at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.ja va:361)

at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl. java:682)

at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.ja va:644)

at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnect ion.java:659)

at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnecti on.java:766)

at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1000(XMPPTCPConnection.java :140)

at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPC onnection.java:1022)

at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPCon nection.java:956)

at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnecti on.java:971)

at java.lang.Thread.run(Thread.java:761)

Caused by: java.security.cert.CertificateException: java.lang.RuntimeException: Failed to load certificates from KeyStore

at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocke tImpl.java:617)

at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)

at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.ja va:357)