odyshewroman / AndroidTVRemoteControl

MIT License

Error 9825 - misc. bad certificate #9

Open BeeMeeMan opened 9 months ago

BeeMeeMan commented 9 months ago

Hey! Can you help? I'm just trying to run the demo project. I generated a new certificate via Keychain > Certificate Assistant > Create a Certificate. There I selected SSL client (also tried server), then exported p12 and cer, which I converted to der. During pairing I get Error 9825 - misc. bad certificate. What am I doing wrong?

odyshewroman commented 9 months ago

How do you convert cer to der?

I prefer to use OpenSSL instead of Keychain; you can use these commands:

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

openssl x509 -req -in server.csr -signkey server.key -out server.crt

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt

openssl x509 -in server.crt -out server.der -outform DER

BeeMeeMan commented 9 months ago

Thanks for your help! I convert cer to der the same way as you. If I use all your commands, I get the error secPKCS12Import. I tried setting and not setting a password; nothing helps. If I use the certificate from Keychain, I get: connectionFailed ( description: certificate unknown)

odyshewroman commented 9 months ago

Can you send me your certificates with empty password? Just wanna check one thing.

BeeMeeMan commented 9 months ago

Mine are "Certificates", yours are "server"

cert.zip

odyshewroman commented 9 months ago

Hmm... It's a really different certificate format from the one I use. Your certificate has no metadata fields such as Organization Name (e.g., company), Organizational Unit Name (e.g., section), Common Name (e.g., fully qualified host name), and Email Address.

Moreover, the serial number length in your certificate is 20 bytes, whereas mine is 9 bytes. This discrepancy might be the reason why the SecPKCS12Import function cannot extract the dictionary of items.

Could you please provide the version of your OpenSSL? Additionally, how do you create a new CSR without entering these fields? In my case, it's required in dialogue menu mode.

BeeMeeMan commented 9 months ago

OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)

I tried to fill in all these fields; it did not help at all. The serial number length of 20 bytes vs 9 bytes could be a reason. Can you send me a working certificate? I want to find the reason from it.

odyshewroman commented 9 months ago

These certificates work for me. cert.zip Just FYI, when you make the first connection, you may encounter an error in the remoteStateLabel. It's okay if the paringStateLabel switches to the waiting code state. After you enter and send the correct code, the next connections will be successful without entering the code again.

However, if you experience any issues, you can change the code to enter the code each time, as I describe here: https://github.com/odyshewroman/AndroidTVRemoteControl/issues/7#issuecomment-1811995002

BeeMeeMan commented 9 months ago

The error message changed a little, but the connection still failed:

boringssl_context_handle_fatal_alert(2 072) [C15:1][0x103ba28d0] read alert, level: fatal, description: certificate unknown

nw_read_request_report [C15] Receive failed with error "misc. bad certificate"

boringssl_session_handshake_error_print(44) [C15:1][0x103ba28d0] Error: 4332746608:error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN:/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/ssl/tls_record.cc:592:SSL alert number 46

Now that I have a potentially working cer, I will look at what I am doing wrong. Thanks and have a nice weekend!)

Goule commented 9 months ago

Hello,

I've created my own certificate with these commands:

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

openssl x509 -days 5000 -req -in server.csr -signkey server.key -out server.crt

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt

openssl x509 -days 5000 -in server.crt -out server.der -outform DER

Same commands as yours, @odyshewroman, but with only the -days option added.

But when I try to replace it in the sample demo I get: Error: secPKCS12Import Not Success

Any advice on creating the certificates?

Here is the generated certificate with the command below, without password: Archive.zip

cherpake commented 9 months ago

Something about SecPKCS12Import not supporting new methods of encoding; use the -legacy flag

openssl pkcs12 -export -out cert.p12 -inkey key.pem -in req.pem -legacy
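
To see which kind of PKCS#12 container an export produced, here is an added example that is not part of the thread or the project: the helper `p12_profile` (a hypothetical name) classifies the text printed by `openssl pkcs12 -info -noout`. Both sample outputs are constructed, modelled on OpenSSL 3.x output, not taken from the attached files.

```shell
#!/bin/sh
# Added example (not from the thread): classify the protection profile of a
# PKCS#12 file from the text printed by `openssl pkcs12 -info -noout`.
# Real use, with the file name used in the thread:
#   openssl pkcs12 -in server.p12 -info -noout -passin pass: 2>&1 | p12_profile
# (add -legacy if OpenSSL 3.x refuses to decrypt an RC2-protected file)
p12_profile() {
    info=$(cat)
    modern=0; legacy=0
    # PBES2/AES bags and a SHA-2 MAC are the OpenSSL 3.x export defaults.
    if printf '%s\n' "$info" | grep -Eq 'PBES2|AES-(128|192|256)-CBC'; then modern=1; fi
    if printf '%s\n' "$info" | grep -Eiq '^MAC: *sha(256|384|512)'; then modern=1; fi
    # PKCS#12 v1 PBE schemes (40-bit RC2, 3DES) with a SHA-1 MAC are what -legacy writes.
    if printf '%s\n' "$info" | grep -Eq 'pbeWithSHA1And(40|128)BitRC2-CBC|pbeWithSHA1And[23]-KeyTripleDES-CBC'; then legacy=1; fi
    if printf '%s\n' "$info" | grep -Eiq '^MAC: *sha1([^0-9]|$)'; then legacy=1; fi
    case "$modern$legacy" in
        10) echo modern ;;
        01) echo legacy ;;
        11) echo mixed ;;
        *)  echo unknown ;;
    esac
}

# Constructed sample output, modelled on OpenSSL 3.x (default export).
SAMPLE_DEFAULT='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Constructed sample output, modelled on OpenSSL 3.x (export with -legacy).
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

printf 'default export: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | p12_profile)"
printf '%s export: %s\n' '-legacy' "$(printf '%s\n' "$SAMPLE_LEGACY" | p12_profile)"
```

A `modern` result for a file that SecPKCS12Import rejects is consistent with the -legacy fix reported in this thread and points at the export options rather than at the certificate itself.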

cherpake commented 9 months ago

Also, it seems like Google requires the certificate to contain the IP address of the device. Haven't looked into how to achieve that yet.

Goule commented 9 months ago

Thanks @cherpake, it's working with the legacy option!

About the IP address, are you sure this is mandatory? There is no mention of that in this documentation, for example: https://github.com/Aymkdn/assistant-freebox-cloud/wiki/Google-TV-(aka-Android-TV)-Remote-Control-(v2)

cherpake commented 9 months ago

Nope. Not sure. Although it seems this project https://github.com/drosoCode/atvremote/ works and that's what it does. Just checked... indeed, it's not required.

odyshewroman commented 9 months ago

I have updated OpenSSL and faced the same issue. I have read some topics on the Apple Developer Forums, and it looks like OpenSSL is no longer compatible with Apple's security requirements in iOS, so that's the reason why SecPKCS12Import throws an import error for certificates generated by the current OpenSSL library. Trying to investigate other ways.

longleeproduction commented 7 months ago

Hi @odyshewroman, have you found a new solution yet?

cherpake commented 7 months ago

@odyshewroman @longleeproduction you just need to use legacy option https://github.com/odyshewroman/AndroidTVRemoteControl/issues/9#issuecomment-1840802519

longleeproduction commented 7 months ago

> @odyshewroman @longleeproduction you just need to use legacy option #9 (comment)

Thank you for your suggestion. I followed the following commands and replaced the demo app but still got the error as above.

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

openssl x509 -days 5000 -req -in server.csr -signkey server.key -out server.crt

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -legacy

openssl x509 -days 5000 -in server.crt -out server.der -outform DER

Can you give me more suggestions on this problem? It's completely new to me.

odyshewroman commented 7 months ago

@longleeproduction, hi. Unfortunately, I don't have any updates. I also think that the -legacy key solves this issue, so I switched to expanding functionality, and at the moment, I am working on implementing the sending of new commands.

aybabtu1337 commented 7 months ago

Adding -legacy fixed "Error: secPKCS12Import Not Success" but resulted in a new error for me: "misc. bad certificate".

odyshewroman commented 7 months ago

@aybabtu1337 can you attach your certificate so I can check it?

aybabtu1337 commented 7 months ago

cert.zip Password "pass". I've tried your openssl commands and the cert generated from: https://github.com/louis49/androidtv-remote (which works fine in the node app).

odyshewroman commented 7 months ago

I think the issue is that these commands still generate a version 3 certificate. However, it seems that Apple devices require a certificate of an older version - version 1. I'm trying to generate such a certificate, but so far without success.

odyshewroman commented 7 months ago

@aybabtu1337 Oops... I was wrong... Everything is fine with the certificates. I think it happened because you had already connected with the certificates from the demo project, so the device kept the cert data and expected that you would connect with the same cert, which leads to this error. You should handle this case and start the classic connection flow, or redesign the RemoteTVManager connecting function like this:

func connect(host: String) {
        queue.async {
            self.remoteManager.stateChanged = { [weak self] remoteState in
                self?.remoteStateChanged?(remoteState.toString())
            }

            self.pairingManager.stateChanged = { [weak self] pairingState in
                self?.pairingStateChanged?(pairingState.toString())

                if case .successPaired = pairingState {
                    self?.remoteManager.connect(host)
                }
            }

            self.pairingManager.connect(host, "client", "iPhone")
        }
}

aybabtu1337 commented 7 months ago

Thanks! I applied the changes to the connect func and now the TV showed me the pairing code.