This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Android Keystore: error parsing PKCS#12 with DSA encrypted certificate #2845

Closed
kratoskp opened this issue Nov 2, 2020 · 15 comments · Fixed by #2854
Labels: android, expo build (This issue pertains to the command expo build), in progress

Comments

kratoskp commented Nov 2, 2020

Description

The following is already set in the environment:

EXPO_ANDROID_KEYSTORE_FILE=/path/to/keystore.jks
EXPO_ANDROID_KEYSTORE_ALIAS="alias"
EXPO_ANDROID_KEY_PASSWORD="password"
EXPO_ANDROID_KEYSTORE_PASSWORD="password"

This is the command that I have executed locally:

expo build:android --non-interactive --release-channel build-33 --keystore-path=$EXPO_ANDROID_KEYSTORE_FILE --keystore-alias=$EXPO_ANDROID_KEYSTORE_ALIAS

Expected Behavior

Build comes out fine

Observed Behavior

[11:34:10] Checking if there is a build in progress...

[11:34:10] Accessing credentials for kratoskp in project easysocial
[11:34:18] An unknown error occurred.

Environment

Expo CLI 3.28.2 environment info:
System:
OS: macOS 10.15.7
Shell: 5.7.1 - /bin/zsh
Binaries:
Node: 14.4.0 - /usr/local/bin/node
Yarn: 1.22.5 - /usr/local/bin/yarn
npm: 6.14.8 - /usr/local/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
Managers:
CocoaPods: 1.9.3 - /usr/local/bin/pod
SDKs:
iOS SDK:
Platforms: iOS 14.1, DriverKit 19.0, macOS 10.15, tvOS 14.0, watchOS 7.0
IDEs:
Android Studio: 4.0 AI-193.6911.18.40.6626763
Xcode: 12.1/12A7403 - /usr/bin/xcodebuild
npmPackages:
expo: ^39.0.0 => 39.0.3
react: 16.13.1 => 16.13.1
react-native: https://github.com/expo/react-native/archive/sdk-39.0.3.tar.gz => 0.63.2
react-navigation: ^4.4.0 => 4.4.2
npmGlobalPackages:
expo-cli: 3.28.2
Expo Workflow: managed

kratoskp (Author) commented Nov 2, 2020

Seems like there's a problem when uploading the keystore through the credentials manager and hitting this error:

ApiV2Error: An unknown error occurred.
at ApiV2Client._requestAsync (/@expo/xdl@58.0.16/src/ApiV2.ts:245:21)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at ApiClient.updateKeystoreApi (/usr/local/lib/node_modules/expo-cli/src/credentials/api/AndroidApiV2Wrapper.ts:19:12)
at AndroidApi.updateKeystore (/usr/local/lib/node_modules/expo-cli/src/credentials/api/AndroidApi.ts:36:5)
at UpdateKeystore.open (/usr/local/lib/node_modules/expo-cli/src/credentials/views/AndroidKeystore.ts:46:5)
at CredentialsManager.run (/usr/local/lib/node_modules/expo-cli/src/credentials/route.ts:41:12)
at runCredentialsManagerStandalone (/usr/local/lib/node_modules/expo-cli/src/credentials/route.ts:7:3)
at program.command.description.helpGroup.option.asyncActionProjectDir.checkConfig (/usr/local/lib/node_modules/expo-cli/src/commands/credentials.ts:37:9)
at Command. (/usr/local/lib/node_modules/expo-cli/src/exp.ts:332:7) {
code: 'INTERNAL_SERVER_ERROR',
details: undefined,
serverStack: undefined,
metadata: undefined,
_isApiError: true
}

@AdamJNavarro AdamJNavarro added android expo build This issue pertains to the command expo build labels Nov 3, 2020
kratoskp (Author) commented Nov 4, 2020

Updated the CLI and retried uploading the same keystore. The server returns this log:

ApiV2Error: Invalid PKCS#12 (.p12) keystore: PKCS12: bag is not a certificate.
at ApiV2Client._requestAsync (/@expo/xdl@58.0.18/src/ApiV2.ts:245:21)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at ApiClient.updateKeystoreApi (/usr/local/lib/node_modules/expo-cli/src/credentials/api/AndroidApiV2Wrapper.ts:19:12)
at AndroidApi.updateKeystore (/usr/local/lib/node_modules/expo-cli/src/credentials/api/AndroidApi.ts:36:5)
at UpdateKeystore.open (/usr/local/lib/node_modules/expo-cli/src/credentials/views/AndroidKeystore.ts:46:5)
at CredentialsManager.run (/usr/local/lib/node_modules/expo-cli/src/credentials/route.ts:41:12)
at runCredentialsManagerStandalone (/usr/local/lib/node_modules/expo-cli/src/credentials/route.ts:7:3)
at program.command.description.helpGroup.option.asyncActionProjectDir.checkConfig (/usr/local/lib/node_modules/expo-cli/src/commands/credentials.ts:37:9)
at Command. (/usr/local/lib/node_modules/expo-cli/src/exp.ts:332:7) {
code: 'CREDENTIALS_ANDROID_KEYSTORE_ERROR',
details: undefined,
serverStack: undefined,
metadata: undefined,
_isApiError: true
}

Note: This is a valid keystore, as it is currently being used for app submission in the Play Store.

brentvatne (Member)

the error is coming from here:

```ts
import forge from 'node-forge';

/**
 * Extracts a certificate from PKCS#12
 * This is assumed to be a conventional PKCS#12 where there is exactly one certificate and one key
 */
export function getX509Certificate(p12: forge.pkcs12.Pkcs12Pfx): forge.pki.Certificate {
  const certBagType = forge.pki.oids.certBag;
  const bags = p12.getBags({ bagType: certBagType })[certBagType];
  if (!bags || bags.length === 0) {
    throw new Error(`PKCS12: No certificates found`);
  }
  // node-forge only populates `cert` when it could parse the bag's ASN.1 into a certificate object
  const certificate = bags[0].cert;
  if (!certificate) {
    throw new Error('PKCS12: bag is not a certificate');
  }
  return certificate;
}
```

  1. did you generate this keystore through expo?
  2. how did you generate it?

kratoskp (Author) commented Nov 4, 2020

> the error is coming from here:
>
> ```ts
> /**
>  * Extracts a certificate from PKCS#12
>  * This is assumed to be a conventional PKCS#12 where there is exactly one certificate and one key
>  */
> export function getX509Certificate(p12: forge.pkcs12.Pkcs12Pfx): forge.pki.Certificate {
>   const certBagType = forge.pki.oids.certBag;
>   const bags = p12.getBags({ bagType: certBagType })[certBagType];
>   if (!bags || bags.length === 0) {
>     throw new Error(`PKCS12: No certificates found`);
>   }
>   const certificate = bags[0].cert;
>   if (!certificate) {
>     throw new Error('PKCS12: bag is not a certificate');
>   }
>   return certificate;
> }
> ```
>
>   1. did you generate this keystore through expo?
>   2. how did you generate it?

I generated the keystore myself using the command:
keytool -genkeypair -dname "cn=John Doe, ou=Development, o=Company, c=US" -alias alias -keypass "password" -keyalg DSA -keystore /path/to/file.jks -storepass "password" -validity 20000

brentvatne (Member)

when you generate a keystore like that, you will see:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore file.jks -destkeystore file.jks -deststoretype pkcs12".

you can try following the instructions to switch to the PKCS12 standard format

kratoskp (Author) commented Nov 4, 2020

> when you generate a keystore like that, you will see:
>
> Warning:
> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore file.jks -destkeystore file.jks -deststoretype pkcs12".
>
> you can try following the instructions to switch to the PKCS12 standard format

Still hitting the same issue when uploading the keystore to expo after the conversion, because the existing keystore is already of type PKCS12.

This is the output when I ran keytool -list -v -keystore [keystore-path] on my existing keystore before the conversion:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: easysocial
Creation date: 15 Jan 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Stackideas Sdn. Bhd., OU=Development, O=StackIdeas, C=US
Issuer: CN=Stackideas Sdn. Bhd., OU=Development, O=StackIdeas, C=US
Serial number: 20e3b70e
Valid from: Wed Jan 15 11:08:08 MYT 2020 until: Thu Oct 18 11:08:08 MYT 2074
Certificate fingerprints:
SHA1: 5A:EB:57:39:74:5F:E0:A9:A9:9A:41:40:62:F6:43:ED:EA:55:CE:9A
SHA256: 77:99:7A:FE:34:62:94:C4:10:C2:70:F9:A1:C9:C0:B4:04:C4:24:6A:5A:16:09:12:18:A5:F1:AE:41:C3:00:62
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D7 35 31 7A 41 2A D9 D8 99 7C 62 C9 C1 56 7D 80 .51zA*....b..V..
0010: E7 5A 35 80 .Z5.
]
]

brentvatne (Member)

@quinlanj is investigating

quinlanj (Member) commented Nov 4, 2020

The problem is that node-forge isn't able to parse a DSA certificate. Not sure if this is a bug on their part or if it just isn't supported.

I suspect it will take some time to fix the root cause, especially if it requires a PR to be made upstream to node-forge. I'm currently seeing what needs to be done to fix the root cause, but will also work on a stopgap fix that will unblock @kratoskp sooner (will likely take a couple days).

Linking the original forum post with more context here: https://forums.expo.io/t/getting-error-when-trying-to-build-android/44917/4

quinlanj (Member) commented Nov 4, 2020

so it turns out node-forge only supports parsing RSA certificates 🤷‍♀️ i fixed the issue by adding support to hash the asn1 value directly instead of trying to parse it into a certificate object

@quinlanj quinlanj changed the title Getting An unknown error occurred when trying to build android packages Android Keystore: error parsing PKCS#12 with DSA encrypted certificate Nov 4, 2020
quinlanj (Member) commented Nov 5, 2020

reopening until we pull upstream changes and deploy to servers

@quinlanj quinlanj reopened this Nov 5, 2020
quinlanj (Member) commented Nov 6, 2020

Changes have been deployed to server. Can someone confirm that their problem has been solved (or not 😅 )? @kratoskp

kratoskp (Author) commented Nov 6, 2020

> Changes have been deployed to server. Can someone confirm that their problem has been solved (or not 😅 )? @kratoskp

My DSA-signed keystore can be uploaded successfully via the expo credentials manager. Thanks. @quinlanj

But the actual build is still failing without any logs. Created an issue here: expo/turtle#276

rafaelvicio

> Changes have been deployed to server. Can someone confirm that their problem has been solved (or not 😅)? @kratoskp

I just made a new build attempt, but it was not successful.

My build: 07ff2957-4a3c-4db2-91d0-f3046dbab2c8

I need to send an existing certificate, because I already deployed it once.

quinlanj (Member) commented Nov 6, 2020

hey all! For those of you who are having trouble uploading keystores (pkcs#12 with dsa encrypted cert), a fix was deployed earlier today.

For those of you who are experiencing failed android builds with PKCS#12 keystores, this is a separate problem, and is NOT related to this issue. Let's track it here instead: expo/turtle#276 @rafaelvicio

@quinlanj quinlanj closed this as completed Nov 6, 2020
raphaelmatori

> The problem is that node-forge isn't able to parse a DSA certificate. Not sure if this is a bug on their part or if it just isn't supported.
>
> I suspect it will take some time to fix the root cause, especially if it requires a PR to be made upstream to node-forge. I'm currently seeing what needs to be done to fix the root cause, but will also work on a stopgap fix that will unblock @kratoskp sooner (will likely take a couple days).
>
> Linking the original forum post with more context here: https://forums.expo.io/t/getting-error-when-trying-to-build-android/44917/4

That's weird, because I'm using an RSA-signed certificate which is also failing.

Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

When I tried to use an expo cert it worked like a charm.
I'm waiting for your fix to see if something changes for me too.

6 participants