
Error while connecting to Https server

tusharj9
Joined: 2005-09-22

Hi,
I'm trying to connect to an https server from my MIDlet running on phoneME.
To enable https support I have compiled phoneME with
USE_SSL = true
USE_RESTRICTED_CRYPTO = true
and am using the restricted crypto library provided on svn.

But when I try to connect to the https server, the MIDlet throws the following exception:


java.io.IOException: Unexpected extensions in old version cert res.version=2
- .unknown...unknown.(), bci=812
- .unknown...unknown.(), bci=105
- .unknown...unknown.(), bci=100
- .unknown...unknown.(), bci=79
- .unknown..(), bci=200
- com.sun.midp.io.j2me.https.Protocol..unknown.(), bci=289
- com.sun.midp.io.j2me.http.Protocol..unknown.(), bci=2
- com.sun.midp.io.j2me.http.Protocol..unknown.(), bci=7
- com.sun.midp.io.j2me.http.Protocol..unknown.(), bci=34
- com.sun.midp.io.j2me.http.Protocol..unknown.(), bci=3
- com.sun.midp.io.j2me.http.Protocol.getResponseCode(), bci=5
- HttpThread.getViaHttpConnection(), bci=44
- HttpThread.run(), bci=15
- java.lang.Thread.run(), bci=5

I also added Verisign's root certificate into _main.ks but am still getting the same error.

Is there any issue with the certificate parsing done in the X509Certificate class?

Regards,
Tushar

Some debugging reveals that in the X509Certificate class's generateCertificate, the version of the certificate received from gmail seems to be equal to "2". Ideally it should be "3". Any issue with the current crypto implementation?

jseghers
Joined: 2007-05-30

There is a bug in X509Certificate.java

Certificate versions are numbered V1, V2, V3... but are encoded as 0, 1, 2 respectively. Your certificate is actually V3, but the code is not recognizing that.

In file midp/src/security/pki/reference/classes/com/sun/midp/pki/X509Certificate.java,
in the block of code in the generateCertificate function, add the line shown.
[code]
if ((res.enc[res.idx] & 0xf0) == 0xa0) {
    res.idx++;
    if (Logging.REPORT_LEVEL <= Logging.INFORMATION) {
        Logging.report(Logging.INFORMATION,
                       LogChannels.LC_SECURITY,
                       "Version info: " +
                       Utils.hexEncode(res.enc, (res.idx + 1),
                                       res.enc[res.idx]));
    }
    size = (res.enc[res.idx++] & 0xff);
    if (res.idx + size > res.enc.length) {
        throw new IOException("Version info too long");
    }

    res.version = (byte)(res.enc[res.idx + (size - 1)]);
    res.version++; // <==== Add this line: encoded 0/1/2 means V1/V2/V3
    res.idx += size;
} else {
    res.version = 1; // No explicit version value
}
[/code]

Also, if you have logging turned on to debug this stuff, there is a buffer overflow if a certificate is signed by a 256-byte signature, such as the Ascentia CA 1 Certificate.
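The off-by-one above comes from how X.509 encodes the version: the TBSCertificate starts with an optional `[0] EXPLICIT INTEGER` whose value is 0, 1 or 2 for V1, V2 and V3, and a missing field means V1. The following Python is an added example, not phoneME project code, that decodes that prefix and reports both the raw encoded value and the human-readable version, with the same "Version info too long" bounds check the snippet uses. It also decodes DER long-form lengths (the form a 256-byte value needs), which the single-byte length read in the logging call above does not cover. All sample byte strings are constructed for the example, not taken from real certificates.

```python
"""Decode the X.509 version from the start of a DER TBSCertificate.

Added example (not phoneME code).  Sample bytes below are constructed.

  TBSCertificate ::= SEQUENCE {
      version [0] EXPLICIT Version DEFAULT v1,   -- INTEGER 0, 1 or 2
      serialNumber INTEGER, ... }
"""

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_CTX_0 = 0xA0  # [0] EXPLICIT, constructed context-specific tag


def read_length(enc, idx):
    """Return (length, index_after_length) for the DER length at enc[idx].

    Short form: one byte < 0x80.  Long form: 0x80 | n, then n length bytes,
    e.g. 0x82 0x01 0x00 for a 256-byte value.
    """
    first = enc[idx]
    idx += 1
    if first < 0x80:
        return first, idx
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    if idx + nbytes > len(enc):
        raise ValueError("length field runs past end of data")
    return int.from_bytes(enc[idx:idx + nbytes], "big"), idx + nbytes


def parse_version(tbs):
    """Return (encoded_value, human_version, index_after_version_field).

    encoded_value is None when the [0] field is absent, which means V1.
    A certificate with encoded value 2 is V3, which is what the original
    phoneME code mis-reported as version "2".
    """
    if tbs[0] != TAG_SEQUENCE:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    _, idx = read_length(tbs, 1)

    # Same tag test as the phoneME snippet: (byte & 0xf0) == 0xa0
    if (tbs[idx] & 0xF0) == TAG_CTX_0:
        idx += 1
        size, idx = read_length(tbs, idx)
        if idx + size > len(tbs):
            raise ValueError("Version info too long")
        if tbs[idx] != TAG_INTEGER:
            raise ValueError("version must be an INTEGER")
        ilen, vidx = read_length(tbs, idx + 1)
        encoded = int.from_bytes(tbs[vidx:vidx + ilen], "big")
        return encoded, encoded + 1, idx + size

    return None, 1, idx  # no explicit version field: V1


if __name__ == "__main__":
    # Constructed: SEQUENCE { [0] { INTEGER 2 }, INTEGER 0x01020304 }
    v3 = bytes.fromhex("30 0b a0 03 02 01 02 02 04 01 02 03 04")
    # Constructed: SEQUENCE { INTEGER 0x01020304 } with no version field
    v1 = bytes.fromhex("30 06 02 04 01 02 03 04")
    for label, tbs in (("v3", v3), ("v1", v1)):
        enc, human, _ = parse_version(tbs)
        print(f"{label}: encoded={enc} -> V{human}")
```

Running it prints `encoded=2 -> V3` for the first sample and `encoded=None -> V1` for the second; feeding it a truncated version field (length byte larger than the remaining data) raises the same "Version info too long" error the Java code throws rather than reading past the buffer.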