wolfSSL · lealem47 · Apr 9, 2024 · Apr 8, 2024 · Apr 8, 2024 · Apr 8, 2024
diff --git a/IDE/Android/.idea/compiler.xml b/IDE/Android/.idea/compiler.xml
diff --git a/IDE/Android/.idea/gradle.xml b/IDE/Android/.idea/gradle.xml
diff --git a/IDE/Android/.idea/misc.xml b/IDE/Android/.idea/misc.xml
diff --git a/IDE/Android/.idea/vcs.xml b/IDE/Android/.idea/vcs.xml
diff --git a/IDE/Android/README.md b/IDE/Android/README.md
@@ -123,9 +123,12 @@ located in the wolfssljni/IDE directory.
 This will ask for permissions to access the certificates in the /sdcard/
 directory and then print out the server certificate information on success.
 
-3) OPTIONAL: The androidTests can be run after permissions has been given.
+3) OPTIONAL: The androidTests can be run after permissions have been given.
 app->java->com.wolfssl->provider.jsse.test->WolfSSLJSSETestSuite and
-app->java->com.wolfssl->test->WolfSSLTestSuite
+app->java->com.wolfssl->test->WolfSSLTestSuite. In order to get the correct
+permissions, you may need to install and run the app first, before running
+the tests. Otherwise you will see EACCESS errors when trying to open
+example certificate and .bks files.
 
 ## Support
 

diff --git a/IDE/Android/app/build.gradle b/IDE/Android/app/build.gradle
@@ -26,6 +26,7 @@ android {
             path "src/main/cpp/CMakeLists.txt"
         }
     }
+    namespace 'com.example.wolfssl'
 }
 
 dependencies {

diff --git a/IDE/Android/app/src/main/AndroidManifest.xml b/IDE/Android/app/src/main/AndroidManifest.xml
@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
-    package="com.example.wolfssl">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
     <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE" />
     <uses-permission android:name="android.permission.INTERNET"/>
 
@@ -10,7 +9,9 @@
         android:label="@string/app_name"
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
-        android:theme="@style/AppTheme">
+        android:theme="@style/AppTheme"
+        android:requestLegacyExternalStorage="true"
+        android:preserveLegacyExternalStorage="true">
         <activity android:name=".MainActivity">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />

diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt
diff --git a/IDE/Android/build.gradle b/IDE/Android/build.gradle
@@ -7,7 +7,7 @@ buildscript {
 
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:7.1.3'
+        classpath 'com.android.tools.build:gradle:8.3.1'
 
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files

diff --git a/IDE/Android/gradle.properties b/IDE/Android/gradle.properties
@@ -6,6 +6,9 @@
 # http://www.gradle.org/docs/current/userguide/build_environment.html
 # Specifies the JVM arguments used for the daemon process.
 # The setting is particularly useful for tweaking memory settings.
+android.defaults.buildfeatures.buildconfig=true
+android.nonFinalResIds=false
+android.nonTransitiveRClass=false
 org.gradle.jvmargs=-Xmx1536m
 # When configured, Gradle will run in incubating parallel mode.
 # This option should only be used with decoupled projects. More details, visit

diff --git a/IDE/Android/gradle/wrapper/gradle-wrapper.properties b/IDE/Android/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 #Thu Nov 04 15:51:08 MDT 2021
 distributionBase=GRADLE_USER_HOME
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 distributionPath=wrapper/dists
 zipStorePath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/examples/certs/ca-cert.pem b/examples/certs/ca-cert.pem
@@ -1,67 +1,3 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            33:44:1a:a8:6c:01:ec:f6:60:f2:70:51:0a:4c:d1:14:fa:bc:e9:44
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Validity
-            Not Before: Dec 13 22:19:28 2023 GMT
-            Not After : Sep  8 22:19:28 2026 GMT
-        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
-                    f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
-                    de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98:
-                    21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77:
-                    32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1:
-                    8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3:
-                    a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed:
-                    a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95:
-                    82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c:
-                    3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db:
-                    76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc:
-                    73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98:
-                    de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68:
-                    cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2:
-                    b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3:
-                    13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98:
-                    ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed:
-                    36:79
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
-            X509v3 Authority Key Identifier: 
-                keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
-                DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:33:44:1A:A8:6C:01:EC:F6:60:F2:70:51:0A:4C:D1:14:FA:BC:E9:44
-
-            X509v3 Basic Constraints: 
-                CA:TRUE
-            X509v3 Subject Alternative Name: 
-                DNS:example.com, IP Address:127.0.0.1
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-    Signature Algorithm: sha256WithRSAEncryption
-         2d:fc:f9:32:5a:be:d6:9d:42:8b:86:4e:67:22:c3:50:2d:cb:
-         14:27:1d:94:f3:cd:88:42:da:41:1c:39:24:67:a7:92:4d:27:
-         ea:56:82:19:bf:11:b2:43:a4:8d:5d:87:b2:27:64:66:82:81:
-         df:c4:fd:5b:62:b0:c2:4d:9d:29:f2:41:32:cc:2e:b5:da:38:
-         06:1b:e8:7f:8c:6e:3d:80:1e:00:56:49:bf:39:e0:da:68:2f:
-         c4:fd:00:e6:d1:81:1a:d1:4a:bb:76:52:ce:4d:24:9d:c4:a3:
-         a7:f1:65:14:2f:1f:a8:2d:c6:cb:ce:b1:a7:89:74:26:27:c3:
-         f3:a3:84:4c:34:01:14:03:7d:16:3a:c8:8b:25:2e:7b:90:cc:
-         46:b1:52:34:ba:93:6e:ef:fe:43:a3:ad:c6:6f:51:fb:ba:ea:
-         38:e3:6f:d6:ee:63:62:36:ea:5e:08:b4:e2:2a:46:89:e3:ae:
-         b3:b4:06:ef:63:7a:6e:5d:dd:c9:ec:02:4f:f7:64:c0:27:07:
-         b4:6f:4a:18:72:5b:34:74:7c:d0:a9:04:8f:40:8b:6a:39:d2:
-         6b:1a:01:f2:01:a8:81:34:3a:e5:b0:55:d1:3c:95:ca:b0:82:
-         d6:ed:98:28:15:59:7e:95:a7:69:c7:b5:7b:ec:01:a7:4d:e6:
-         b9:a2:fe:35
 -----BEGIN CERTIFICATE-----
 MIIE/zCCA+egAwIBAgIUM0QaqGwB7PZg8nBRCkzRFPq86UQwDQYJKoZIhvcNAQEL
 BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC

diff --git a/examples/certs/ca-ecc-cert.pem b/examples/certs/ca-ecc-cert.pem
@@ -1,40 +1,3 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0f:17:46:70:fd:c2:70:d1:f9:42:49:9c:1a:c3:5d:dd:30:c8:5f:85
-        Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Validity
-            Not Before: Dec 13 22:19:28 2023 GMT
-            Not After : Sep  8 22:19:28 2026 GMT
-        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (256 bit)
-                pub:
-                    04:02:d3:d9:6e:d6:01:8e:45:c8:b9:90:31:e5:c0:
-                    4c:e3:9e:ad:29:38:98:ba:10:d6:e9:09:2a:80:a9:
-                    2e:17:2a:b9:8a:bf:33:83:46:e3:95:0b:e4:77:40:
-                    b5:3b:43:45:33:0f:61:53:7c:37:44:c1:cb:fc:80:
-                    ca:e8:43:ea:a7
-                ASN1 OID: prime256v1
-                NIST CURVE: P-256
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
-            X509v3 Authority Key Identifier: 
-                keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:c8:64:7f:ee:4b:be:83:48:13:ea:92:f8:1a:
-         82:1e:85:b1:5a:a4:1c:e3:e8:ea:25:44:6f:e7:70:fd:eb:f3:
-         76:02:20:44:02:a2:ec:c5:a1:ae:e2:a4:8a:d9:13:95:2b:a6:
-         5b:09:57:86:61:42:96:97:f0:95:62:0c:03:e6:53:04:25
 -----BEGIN CERTIFICATE-----
 MIIClTCCAjugAwIBAgIUDxdGcP3CcNH5QkmcGsNd3TDIX4UwCgYIKoZIzj0EAwIw
 gZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT

diff --git a/examples/certs/update-certs.sh b/examples/certs/update-certs.sh
@@ -80,6 +80,8 @@ printf "Generated ca-keyPkcs8.der\n"
 
 # Remove text info from intermediate certs, causes issues on Android (WRONG TAG)
 printf "Removing text info from intermediate certs\n"
+sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' ca-cert.pem
+sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' ca-ecc-cert.pem
 sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' intermediate/ca-int2-cert.pem
 sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' intermediate/ca-int2-ecc-cert.pem
 sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' intermediate/ca-int-cert.pem

diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLContextTest.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLContextTest.java
@@ -499,6 +499,11 @@ public void testJdkTlsDisabledAlgorithms() throws NoSuchProviderException,
         /* Save original property value to reset after test */
         String originalProperty =
             Security.getProperty("jdk.tls.disabledAlgorithms");
+        if (originalProperty == null) {
+            /* Default back to empty string, otherwise we may get a NullPointerException when
+             * trying to restore this back to the original value later */
+            originalProperty = "";
+        }
 
         /* Test with no protocols disabled */
         Security.setProperty("jdk.tls.disabledAlgorithms", "");

diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java
@@ -1032,7 +1032,8 @@ public void testExtendedThreadingUse()
         /* Start up simple TLS test server */
         CountDownLatch serverOpenLatch = new CountDownLatch(1);
         InternalMultiThreadedSSLSocketServer server =
-            new InternalMultiThreadedSSLSocketServer(svrPort, serverOpenLatch);
+            new InternalMultiThreadedSSLSocketServer(svrPort, serverOpenLatch,
+            numThreads);
         server.start();
 
         /* Wait for server thread to start up before connecting clients */
@@ -1303,11 +1304,13 @@ protected class InternalMultiThreadedSSLSocketServer extends Thread
     {
         private int serverPort;
         private CountDownLatch serverOpenLatch = null;
+        private int clientConnections = 1;
 
         public InternalMultiThreadedSSLSocketServer(
-            int port, CountDownLatch openLatch) {
+            int port, CountDownLatch openLatch, int clientConnections) {
             this.serverPort = port;
             serverOpenLatch = openLatch;
+            this.clientConnections = clientConnections;
         }
 
         @Override
@@ -1317,11 +1320,12 @@ public void run() {
                 SSLServerSocket ss = (SSLServerSocket)ctx
                     .getServerSocketFactory().createServerSocket(serverPort);
 
-                while (true) {
+                while (clientConnections > 0) {
                     serverOpenLatch.countDown();
                     SSLSocket sock = (SSLSocket)ss.accept();
                     ClientHandler client = new ClientHandler(sock);
                     client.start();
+                    clientConnections--;
                 }
 
             } catch (Exception e) {

diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLKeyX509Test.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLKeyX509Test.java
@@ -176,9 +176,9 @@ public void testChooseClientAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("client")) {
+            if (!alias.equals("client") && !alias.equals("ca")) {
                 error("\t... failed");
-                fail("expected 'client' alias for RSA type from allJKS");
+                fail("expected 'client' alias for RSA type from allJKS, got: " + alias);
             }
         }
 
@@ -189,9 +189,9 @@ public void testChooseClientAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("server-ecc")) {
+            if (!alias.equals("server-ecc") && !alias.equals("ca-ecc")) {
                 error("\t... failed");
-                fail("expected 'server-ecc' alias for EC type from allJKS");
+                fail("expected 'server-ecc' alias for EC type from allJKS, got: " + alias);
             }
         }
 
@@ -238,9 +238,9 @@ public void testEngineChooseClientAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("client")) {
+            if (!alias.equals("client") && !alias.equals("ca")) {
                 error("\t... failed");
-                fail("expected 'client' alias for RSA type from allJKS");
+                fail("expected 'client' alias for RSA type from allJKS, got: " + alias);
             }
         }
 
@@ -251,9 +251,9 @@ public void testEngineChooseClientAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("server-ecc")) {
+            if (!alias.equals("server-ecc") && !alias.equals("ca-ecc")) {
                 error("\t... failed");
-                fail("expected 'server-ecc' alias for EC type from allJKS");
+                fail("expected 'server-ecc' alias for EC type from allJKS, got: " + alias);
             }
         }
 
@@ -350,9 +350,9 @@ public void testChooseServerAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("client")) {
+            if (!alias.equals("client") && !alias.equals("ca")) {
                 error("\t... failed");
-                fail("expected 'client' alias for RSA type from allJKS");
+                fail("expected 'client' alias for RSA type from allJKS, got: " + alias);
             }
         }
 
@@ -363,9 +363,9 @@ public void testChooseServerAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("server-ecc")) {
+            if (!alias.equals("server-ecc") && !alias.equals("ca-ecc")) {
                 error("\t... failed");
-                fail("expected 'server-ecc' alias for EC type from allJKS");
+                fail("expected 'server-ecc' alias for EC type from allJKS, got: " + alias);
             }
         }
 
@@ -412,9 +412,9 @@ public void testChooseEngineServerAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("client")) {
+            if (!alias.equals("client") && !alias.equals("ca")) {
                 error("\t... failed");
-                fail("expected 'client' alias for RSA type from allJKS");
+                fail("expected 'client' alias for RSA type from allJKS, got: " + alias);
             }
         }
 
@@ -425,9 +425,9 @@ public void testChooseEngineServerAlias() {
             /* Note: this is very dependent on the contents and ordering of
              * all.jks. If that file is re-generated or changed, this test may
              * need to be updated */
-            if (!alias.equals("server-ecc")) {
+            if (!alias.equals("server-ecc") && !alias.equals("ca-ecc")) {
                 error("\t... failed");
-                fail("expected 'server-ecc' alias for EC type from allJKS");
+                fail("expected 'server-ecc' alias for EC type from allJKS, got: " + alias);
             }
         }