Login failed with /auth/oauth/v2/token route with MAG SDK 2.0 and 2.1 and Android 10 and Android 11

Article ID: 228531

Products

CA API Gateway

Issue/Introduction

Here are the versions with which we had problems during the migration:

Version of Gateway v10 – CR04 (Problem observed in CR03 and also after applying CR04)

OTK Version 4.4.1

Version MAG 4.2.1

Problem:

Login fails when consuming the /auth/oauth/v2/token route with MAG SDK 2.0 and 2.1 on Android 10 and 11.

NOTE: Android minor versions and any iPhone version work without problems.

Error caught in Android DEBUG (full log attached):

2021-10-28 19:12:27.172 29981-30213/? E/MAS: com.ca.mas.core.oauth.OAuthException: Unable to post to https://apip.domain.com:8443/auth/oauth/v2/token: Handshake failed

com.ca.mas.core.oauth.OAuthException: com.ca.mas.core.oauth.OAuthException: Unable to post to https://apip.domain.com:8443/auth/oauth/v2/token: Handshake failed

Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb8f02818: Failure in SSL library, usually a protocol error

error:04000044:RSA routines:OPENSSL_internal:internal error (external/conscrypt/common/src/jni/main/cpp/conscrypt/native_crypto.cc:740 0xd07a8543:0x00000000)

Gateway logs: https://getep-share-files.s3.amazonaws.com/logs-broadcom.tar.gz

Below are some links identified for the same error we had:

 

https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewquestion?ContributedContentKey=ad0757d9-ad6b-4a37-8592-e2ca9a479d50&CommunityKey=0f580f5f-30a4-41de-a7533c-af21185f 4090-918f-724aa6a810aa

https://github.com/CAAPIM/Android-MAS-SDK/pull/392

https://githubmemory.com/repo/google/conscrypt/issues/718

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/release-notes/deprecated-features-and-support.html

 

 

Cause

Ref : DE508974

After Gateway 10 CR03, RSA-PSS support was added to the Gateway, but the SDK did not add the corresponding support for Android 10 and above. ENCRYPTION_PADDING_NONE must be enabled in the SDK to support RSA-PSS on Android 10 and above.

Apart from that, Android SDK 29 and above supports TLS 1.3. The Gateway supports TLS 1.3, but the MAS SDK did not, so the SDK was enhanced to support the TLS 1.3 protocol.

Devices running below Android SDK 29 (that is, Android 9 or below) do not support TLS 1.3. For those devices, both TLS 1.2 and TLS 1.3 should be enabled on the Gateway.

The fix adds support for ENCRYPTION_PADDING_NONE:

.setEncryptionPaddings(ENCRYPTION_PADDING_PKCS7, ENCRYPTION_PADDING_RSA_OAEP, ENCRYPTION_PADDING_RSA_PKCS1, ENCRYPTION_PADDING_NONE)
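To tell this defect apart from other handshake failures on the same route, the following added example (not part of the original article or of the MAS SDK) parses a logcat excerpt and flags the signature reported above. The function and variable names are hypothetical; the first sample is copied from the Issue section and the second is a constructed contrast case.

```python
import re

# Log lines copied from the Issue section of this article.
ARTICLE_LOG = """\
2021-10-28 19:12:27.172 29981-30213/? E/MAS: com.ca.mas.core.oauth.OAuthException: Unable to post to https://apip.domain.com:8443/auth/oauth/v2/token: Handshake failed
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb8f02818: Failure in SSL library, usually a protocol error
error:04000044:RSA routines:OPENSSL_internal:internal error (external/conscrypt/common/src/jni/main/cpp/conscrypt/native_crypto.cc:740 0xd07a8543:0x00000000)
"""

# Constructed contrast case: handshake failure caused by certificate trust.
TRUST_LOG = """\
2021-10-28 19:20:01.004 1201-1302/? E/MAS: com.ca.mas.core.oauth.OAuthException: Unable to post to https://apip.domain.com:8443/auth/oauth/v2/token: Handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
"""

POST_RE = re.compile(r"Unable to post to (?P<url>\S+): Handshake failed")
CAUSE_RE = re.compile(r"Caused by: (?P<exc>[\w.$]+):")
# Error string layout: error:<hex code>:<library>:<function>:<reason> (<file>:<line> ...)
ERR_RE = re.compile(
    r"error:(?P<code>[0-9a-fA-F]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^(]+?)\s*\((?P<src>[^:\s]+):(?P<line>\d+)"
)

def triage(log_text):
    """Summarise a logcat excerpt and flag the signature described in this article."""
    post = POST_RE.search(log_text)
    cause = CAUSE_RE.search(log_text)
    err = ERR_RE.search(log_text)
    result = {
        "endpoint": post.group("url") if post else None,
        "exception": cause.group("exc") if cause else None,
        "openssl_library": err.group("lib") if err else None,
        "openssl_reason": err.group("reason") if err else None,
        "raised_in_conscrypt": bool(err and "conscrypt" in err.group("src")),
    }
    # Match only when the token route failed with an RSA error raised in Conscrypt.
    result["matches_article"] = bool(
        post and post.group("url").endswith("/auth/oauth/v2/token")
        and result["exception"] == "javax.net.ssl.SSLProtocolException"
        and result["openssl_library"] == "RSA routines"
        and result["raised_in_conscrypt"]
    )
    return result

if __name__ == "__main__":
    for name, text in (("article", ARTICLE_LOG), ("constructed", TRUST_LOG)):
        print(name, triage(text))
```

A log that matches points at the client-side key configuration described in this section; a handshake failure without the RSA error line should be investigated separately.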

Environment

Release : 10.1

Component : API GATEWAY

Resolution

Fix provided (DE520331)

mas-foundation-2.1.00-47.aar

mas-storage-2.1.00-47.aar

These two files were generated from the same branch and have the same fix.

- You can add the mas storage in the lib folder as well and use it.