Android 2.3: HttpClient SSL certificate problem: Intermediate certificate lacks BasicConstraints

StackOverflow https://stackoverflow.com/questions/7067340

Question

I'm running into a problem using this method to address a "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate" exception encountered using HttpClient 4. This, however, caused the following javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException:

System.err  W  javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Intermediate certificate lacks BasicCon
               straints
System.err  W   at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:477)
System.err  W   at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:750)
System.err  W   at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:692)
System.err  W   at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:93)
System.err  W   at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
System.err  W   at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
System.err  W   at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
System.err  W   at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
System.err  W   at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:171)
System.err  W   at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
System.err  W   at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
System.err  W   at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:359)
System.err  W   at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
System.err  W   at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
System.err  W   at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
System.err  W   at com.example.activities.AuthTest.onCreate(AuthTest.java:69)
System.err  W   at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1047)
System.err  W   at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1722)
System.err  W   at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1784)
System.err  W   at android.app.ActivityThread.access$1500(ActivityThread.java:123)
System.err  W   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:939)
System.err  W   at android.os.Handler.dispatchMessage(Handler.java:99)
System.err  W   at android.os.Looper.loop(Looper.java:130)
System.err  W   at android.app.ActivityThread.main(ActivityThread.java:3835)
System.err  W   at java.lang.reflect.Method.invokeNative(Native Method)
System.err  W   at java.lang.reflect.Method.invoke(Method.java:507)
System.err  W   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:847)
System.err  W   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:605)
System.err  W   at dalvik.system.NativeStart.main(Native Method)
System.err  W  Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Intermediate certificate
                lacks BasicConstraints
System.err  W   at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:161)
System.err  W   at com.example.models.EasyX509TrustManager.checkServerTrusted(EasyX509TrustManager.java:80)
System.err  W   at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:664)
System.err  W   at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
System.err  W   at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:474)
System.err  W   ... 28 more
System.err  W  Caused by: java.security.cert.CertPathValidatorException: Intermediate certificate lacks BasicConstraints
System.err  W   at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertK(RFC3280CertPathUtilities.java:2127)
System.err  W   at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:384)
System.err  W   at java.security.cert.CertPathValidator.validate(CertPathValidator.java:197)
System.err  W   at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:156)
System.err  W   ... 32 more

I got around that by commenting out the following else block found in EasyX509TrustManager.java:

public void checkServerTrusted( X509Certificate[] certificates, String authType )
    throws CertificateException
{
    if ( ( certificates != null ) && ( certificates.length == 1 ) )
    {
        certificates[0].checkValidity();
    }
    //else
    //{
    //    standardTrustManager.checkServerTrusted( certificates, authType );
    //}
}

Voila! And everything works as it should. The problem is that I really have no idea what the "Intermediate certificate lacks BasicCosntraints" exception means or if commenting out that else block introduces a security risk where I may be trusting invalid certificates.

The original SSLPeerUnverifiedException did not occur on either Android 2.1 or 2.2, so this seems to be just a problem on Android 2.3+.

Could someone please help me understand what exactly that exception means? And if this is a security risk, how would I begin to go about resolving this issue?

Was it helpful?

Solution

Basic constraints specify whether a certificate can issue other certificates (is it Certificate Authority; technically can its public key sign other certificates), and whether the certificates it issued can in turn issue other certificates (who long the chain can be). So if some one fakes it, you can be made to use/trust a certificate issued by someone who is not supposed to issue certificates in the first place. Commenting out checkServerTrusted is bad: you are basically saying: I don't care whose certificate this is, as long as it's not broken and not expired. This kind of defeats the purpose, because anyone can issue a valid certificate.

Possibly 2.1 and 2.2 didn't care about checking constraints and 2.3 started to and that is why you are getting an error. Can you post a link to those certificates?

All the gory details are in RFC 3280.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top