1
votes

I'm using the Bouncy Castle security provider for encryption/decryption. I also make sure to remove the BC provider after every Bouncy Castle call. Here's the BC code:

    public static boolean pubVerifySign(
            String pKey, String sSignature, String sChallenge) throws UnsupportedEncodingException {
        BouncyCastleProvider bcp = initSecuritySubsystem();

        boolean bOutput = false;
        try {
            ECPublicKey ecPublicKey =
                    getPublicKeyForBytes(Hex.decode(pKey));

            bOutput =
                    pubVerifySign(ecPublicKey,
                            sSignature, sChallenge);
        } finally {
            Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        }
        return bOutput;
    }

However, right after this code, whenever I try to use URL.openConnection or any other HTTP library, I get the following error: No System TLS:

    cz.msebera.android.httpclient.ssl.SSLInitializationException: java.security.KeyStoreException: java.security.NoSuchAlgorithmException: KeyStore BKS implementation not found
        at cz.msebera.android.httpclient.ssl.SSLContexts.createDefault(SSLContexts.java:57)
        at cz.msebera.android.httpclient.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:978)
        at cz.msebera.android.httpclient.impl.client.HttpClients.createDefault(HttpClients.java:56)
        at org.nebucoin.user.utils.URLUtils.getHttp(URLUtils.java:63)
    Caused by: java.security.KeyManagementException: java.security.KeyStoreException: java.security.NoSuchAlgorithmException: KeyStore BKS implementation not found
        at org.conscrypt.SSLParametersImpl.createDefaultX509KeyManager(SSLParametersImpl.java:534)
        at org.conscrypt.SSLParametersImpl.getDefaultX509KeyManager(SSLParametersImpl.java:515)
        at org.conscrypt.SSLParametersImpl.<init>(SSLParametersImpl.java:126)
        at org.conscrypt.OpenSSLContextImpl.engineInit(OpenSSLContextImpl.java:104)
        at javax.net.ssl.SSLContext.init(SSLContext.java:349)
        at cz.msebera.android.httpclient.ssl.SSLContexts.createDefault(SSLContexts.java:52)

I've tried countless other Android HTTP libraries (OkHttp, Apache HTTP Client, etc.) and I'm still getting the same error. I even added the official Conscrypt Android library to the project and set Conscrypt as the 1st provider like this:

    Security.insertProviderAt(Conscrypt.newProvider(), 1);

without any luck.

Any idea would be welcome!

NB: When I use URL.openConnection before the BC-based pubVerifySign, everything goes just fine!

1
Are there alternatives that don't require registration like this? e.g. Tink? – Yuri Schimke

Adding the Bouncy Castle provider should only be done when you know you need it, but if you do add it there is not much reason to remove it unless, again, you know it needs to be removed because of some bug or incompatibility. – President James K. Polk

1 Answer

1
votes

BouncyCastle has two providers; you likely need to remove both.

    Security.insertProviderAt(BouncyCastleProvider(), 1)
    Security.insertProviderAt(BouncyCastleJsseProvider(), 2)

If the JSSE provider remains then it will fail when it doesn't find the keystore it expects.