java.io.IOException: stream does not represent a PKCS12 key store


I am trying to apply certificate pinning in Android from the internal storage of the application. I have a certificate with a .pfx file extension. It works fine when I read the file from the bundled raw folder, but when I read it from internal storage it throws this exception:

java.io.IOException: stream does not represent a PKCS12 key store

Method I am using is:

```kotlin
import java.io.File
import java.io.FileInputStream
import java.io.InputStream
import java.security.KeyStore
import java.security.SecureRandom
import java.util.Arrays
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

fun generateSecureOkHttpClient(): OkHttpClient {
    // Create a simple builder for our http client, this is only for example purposes
    // Here you may wanna add some headers or custom settings for your builder
    val httpClientBuilder = OkHttpClient.Builder()

    try {
        // Get the file of our certificate from internal storage (FilePath is the app's own helper)
        val certFile = File(FilePath.getSSLCertificatePath() + "/sslCertificate.pfx")
        val caFileInputStream: InputStream = FileInputStream(certFile)

        // Reading the same certificate from the bundled raw resource works:
        // val caFileInputStream = JobLogicApp.getContext().resources.openRawResource(R.raw.sslcert)

        // Alternative (commented out): buffer the whole file into memory first
        // val cert = ByteArray(certFile.length().toInt())
        // caFileInputStream.read(cert)
        // val targetStream: InputStream = ByteArrayInputStream(cert)

        // We're going to put our certificates in a Keystore
        val keyStore = KeyStore.getInstance("PKCS12")
        keyStore.load(caFileInputStream, "password".toCharArray())   // throws the IOException above

        // Create a KeyManagerFactory with our specific algorithm for our public keys
        // Most of the cases is gonna be "X509"
        val keyManagerFactory = KeyManagerFactory.getInstance("X509")
        keyManagerFactory.init(keyStore, "password".toCharArray())

        // Use the platform's default trust managers for server verification
        val trustManagerFactory: TrustManagerFactory = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm()
        )
        trustManagerFactory.init(null as KeyStore?)
        val trustManagers: Array<TrustManager> = trustManagerFactory.trustManagers
        check(trustManagers.size == 1 && trustManagers[0] is X509TrustManager) {
            "Unexpected default trust managers:" + Arrays.toString(trustManagers)
        }
        val trustManager: X509TrustManager = trustManagers[0] as X509TrustManager

        // Create a SSL context with the key managers of the KeyManagerFactory
        val sslContext = SSLContext.getInstance("TLS")
        sslContext.init(keyManagerFactory.keyManagers, arrayOf<TrustManager>(trustManager), SecureRandom())

        // Finally set the sslSocketFactory to our builder and build it
        return httpClientBuilder
            .sslSocketFactory(sslContext.socketFactory, trustManager)
            .build()
    } catch (ex: Exception) {
        ex.printStackTrace()
    }
    // Fallback: a client with the platform defaults (no client certificate configured)
    return httpClientBuilder.build()
}
```

Can somebody please help? Thanks in advance. And sslCertificate.pfx gives this result:

> Keystore type: PKCS12
> Keystore provider: SUN
> 
> Your keystore contains 1 entry
> 
> Alias name: {5afb09cb-a876-4802-9dbc-ca535d656991}
> Creation date: 12-Aug-2021
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=*.joblogicinternal.com, OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
> Serial number: f697a66f1ed3d443
> Valid from: Mon Aug 03 20:17:24 PKT 2020 until: Sat Oct 02 08:06:55 PKT 2021
> Certificate fingerprints:
>          SHA1: 44:F4:75:06:8D:CC:2B:43:AE:73:D8:33:1E:1C:0D:E7:F6:A8:C1:A9
>          SHA256: F1:F4:00:CF:E5:97:35:C2:EC:FF:59:DE:79:5B:9E:F6:B4:9D:1D:98:D1:B8:FD:41:60:EB:CB:86:35:59:87:9E
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
> 
> Extensions:
> 
> #1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
> 
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
> AuthorityInfoAccess [
>   [
>    accessMethod: ocsp
>    accessLocation: URIName: http://ocsp.godaddy.com/
> ,
>    accessMethod: caIssuers
>    accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
> ]
> ]
> 
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
> 0010: B4 2C 80 CE                                        .,..
> ]
> ]
> 
> #4: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
>   CA:false
>   PathLen: undefined
> ]
> 
> #5: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>   [DistributionPoint:
>      [URIName: http://crl.godaddy.com/gdig2s1-2179.crl]
> ]]
> 
> #6: ObjectId: 2.5.29.32 Criticality=false
> CertificatePolicies [
>   [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
> [PolicyQualifierInfo: [
>   qualifierID: 1.3.6.1.5.5.7.2.1
>   qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
> 0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
> 0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/
> 
> ]]  ]
>   [CertificatePolicyId: [2.23.140.1.2.1]
> []  ]
> ]
> 
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
> 
> #8: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>   DigitalSignature
>   Key_Encipherment
> ]
> 
> #9: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   DNSName: *.joblogicinternal.com
>   DNSName: joblogicinternal.com
> ]
> 
> #10: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: B0 89 77 CE 63 8D 8E 88   2C B6 E5 52 94 70 BB 41  ..w.c...,..R.p.A
> 0010: FA 06 C5 3F                                        ...?
> ]
> ]
> 
> 
> *******************************************
> *******************************************
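The code in the question loads a PrivateKeyEntry into a KeyManagerFactory while keeping the platform's default trust managers, so it configures client-certificate authentication rather than pinning, and the IOException itself means the bytes read from internal storage do not parse as a DER PFX. As an added example that is not code from the question, here is a plain-JVM Kotlin probe that reports why a .pfx file is rejected before KeyStore.load is reached; probePkcs12 is a hypothetical helper, and the password "password" is taken from the question.

```kotlin
import java.io.File
import java.io.IOException
import java.nio.file.Files
import java.security.KeyStore
import java.security.UnrecoverableKeyException

// Hypothetical helper (not from the question): explain why KeyStore.load("PKCS12") rejects a
// .pfx copied into internal storage, so the real cause is logged before the client is built.
fun probePkcs12(file: File, password: CharArray): String {
    if (!file.exists()) return "missing: ${file.path}"
    if (file.length() == 0L) return "empty file"
    val h = ByteArray(4)
    val n = file.inputStream().use { it.read(h) }
    // A PFX is a DER SEQUENCE, so byte 0 must be 0x30. A PEM/base64 copy or an error page
    // saved as .pfx fails here; that is what "does not represent a PKCS12 key store" means.
    if (n < 2 || h[0] != 0x30.toByte())
        return "not DER, first bytes: " + h.take(maxOf(n, 0)).joinToString(" ") { "%02X".format(it) }
    // Total length implied by the outer DER length octets (-1 for forms not decoded here);
    // a mismatch means the copy into internal storage was truncated or had bytes appended.
    val l = h[1].toInt() and 0xFF
    val declared = when {
        l < 0x80 -> 2L + l
        l == 0x81 && n >= 3 -> 3L + (h[2].toInt() and 0xFF)
        l == 0x82 && n >= 4 -> 4L + (((h[2].toInt() and 0xFF) shl 8) or (h[3].toInt() and 0xFF))
        else -> -1L
    }
    if (declared >= 0 && declared != file.length())
        return "length mismatch: DER declares $declared bytes, file has ${file.length()}"
    return try {
        val ks = KeyStore.getInstance("PKCS12")
        file.inputStream().use { ks.load(it, password) }
        "ok, entries: " + ks.aliases().toList()
    } catch (e: Exception) {
        // SunJSSE signals a bad password via an UnrecoverableKeyException cause; Android's
        // BouncyCastle provider reports an invalid MAC in the message instead.
        val msg = e.message ?: e.javaClass.simpleName
        if (e is IOException && (e.cause is UnrecoverableKeyException || "mac invalid" in msg))
            "wrong password" else "parse error: $msg"
    }
}

fun main() {
    val dir = Files.createTempDirectory("pfxprobe").toFile()
    // Constructed inputs: a PEM text file, and a DER header that declares more bytes than exist.
    val pem = File(dir, "pem.pfx").apply { writeText("-----BEGIN CERTIFICATE-----\n") }
    val cut = File(dir, "cut.pfx").apply { writeBytes(byteArrayOf(0x30, 0x82.toByte(), 0x0A, 0x00, 0, 0)) }
    println(probePkcs12(pem, "password".toCharArray()))
    println(probePkcs12(cut, "password".toCharArray()))
}
```

Running the probe on the actual file in internal storage, before the KeyStore call in generateSecureOkHttpClient, separates a bad copy of the file from a bad password.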

There are 0 answers