Opened 5 months ago

Last modified 4 months ago

#2296 open defect

Android bug; net.i2p.crypto.SelfSignedGenerator.generateCRL

Reported by: meeh
Owned by: meeh
Priority: minor
Milestone: 0.9.37
Component: apps/android
Version: 0.9.35
Keywords:
Cc: zzz
Parent Tickets:


Today, 11:08 on app version 4745242
Venturer i7 (RCT6773W22), Android 4.4
Report 1


at android.os.AsyncTask$3.done (AsyncTask.java:300)
at java.util.concurrent.FutureTask.finishCompletion (FutureTask.java:355)
at java.util.concurrent.FutureTask.setException (FutureTask.java:222)
at java.util.concurrent.FutureTask.run (FutureTask.java:242)
at android.os.AsyncTask$SerialExecutor$ (AsyncTask.java:231)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1112)
at java.util.concurrent.ThreadPoolExecutor$ (ThreadPoolExecutor.java:587)
at (

Caused by: java.lang.IllegalArgumentException:

at net.i2p.crypto.SigUtil.fromJavaKey (SigUtil.java:193)
at net.i2p.crypto.SelfSignedGenerator.generateCRL (SelfSignedGenerator.java:286)
at net.i2p.crypto.SelfSignedGenerator.generate (SelfSignedGenerator.java:236)
at net.i2p.crypto.SelfSignedGenerator.generate (SelfSignedGenerator.java:145)
at net.i2p.crypto.KeyStoreUtil.createKeysAndCRL (KeyStoreUtil.java:864)
at net.i2p.crypto.KeyStoreUtil.createKeysAndCRL (KeyStoreUtil.java:784)
at net.i2p.crypto.KeyStoreUtil.createKeys (KeyStoreUtil.java:687)
at net.i2p.crypto.KeyStoreUtil.createKeys (KeyStoreUtil.java:625)
at net.i2p.i2ptunnel.SSLClientUtil.createKeyStore (
at net.i2p.i2ptunnel.SSLClientUtil.verifyKeyStore (
at net.i2p.i2ptunnel.ui.GeneralHelper.updateTunnelConfig (GeneralHelper.java:126)
at net.i2p.i2ptunnel.ui.GeneralHelper.saveTunnel (GeneralHelper.java:84)
at (SaveTunnelTask.java:30)
at (SaveTunnelTask.java:17)
at android.os.AsyncTask$ (AsyncTask.java:288)
at java.util.concurrent.FutureTask.run (FutureTask.java:237)

Change History (6)

comment:1 Changed 5 months ago by meeh

I pasted report 1 of 8, they all looked the same so I'm not pasting the others.

comment:2 Changed 5 months ago by meeh

It's impacted 6 users.

comment:3 Changed 5 months ago by zzz

  • Milestone changed from 0.9.36 to 0.9.37

Interesting. This can only happen if the user has enabled SSL for connection to the tunnel, which is not the default, but it is an option in the config UI.

The cause may be something unique to Android keystores, as I think we do a store-and-reread when generating new self-signed certs, so we have to convert Java keys back to I2P key data structure and that's where it's dying. Haven't had any similar report for desktop, but we should try it there also.

Not worth holding up the 36 release for this. Workaround is to disable SSL in the config, or perhaps we should just remove it from the Android UI, because I'm not sure what the use case for this would be on Android. It's much more likely the user has misconfigured it; he probably doesn't want local SSL. He would have to get the self-signed cert trusted on the other end and we don't provide any sort of instructions or UI to get the cert at all.

comment:4 Changed 4 months ago by zzz

  • Status changed from new to open

SelfSignedGenerator was doing an unnecessary round-trip conversion i2p-java-i2p for the ECDSA privkey in the CRL generation; the second part is failing for unknown reasons. Maybe it's the very old Android version (4.4)? What other Android versions were reported? Haven't tried to reproduce. i2ptunnel also doesn't save the CRL so it's doubly pointless.

Added better log message in 0.9.36-8
Removed the unnecessary conversion in 5d955a5399a21a86e29b50359009c5bb68de33f8 0.9.36-9.

As discussed in comment 3 above, not sure if this option should be exposed in Android at all - I doubt it's what the user thinks it is - perhaps the option should be renamed or hidden in Android.

comment:5 Changed 4 months ago by zzz

Also a report from Android 8.1, so there are essentially no bounds on version.

comment:6 Changed 4 months ago by meeh

Version 0.9.37 temporarily (at least) disabled this option; however, disabling it required me to remove it from both tunnel types (client and server) since it was a shared attribute. I'll take a look at whether this can be avoided for the next release.
