MTLS for companion app

Hello everyone,

I recently exposed H.A. through Cloudflare tunnels and MTLS (ECC), it works just fine from the Android’s application, using a client certificate.

I expected to be able to do the same for my watch (Xiaomi Watch 2 Pro), because of Add Wear OS TLS client certificate authentication (TLS CCA) support.

But it fails with “Could not register watch” and logs say:

04-14 22:34:24.515 15199 15199 E SettingsWearViewModel: Watch was unable to register: exception decrypting data - 1.2.840.113549.1.5.12 SecretKeyFactory not available

Here’s what openssl says about the certificate:

PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Has anyone succeeded in doing so on a Xiaomi watch, and is there something I could be doing wrong ?

Thank you

The OID (1.2.840.113549.1.5.12) referenced in the error message appears to be: id-PBKDF2, which suggests that algorithm might just not be supported? The Android docs list what should be supported at each API level. They claim that PBKDF2withHmacSHA256 is supported on API levels 26+ (which I think that device should have), but don’t mention PBES2 at all. :thinking:

You might try re-exporting the certificate with a different (older) PBE algorithm? (Such as via openssl’s -legacy option.)

In any case, I suspect this has more to do with the device and the certificate, than the app, specifically.

1 Like

Well, this did the trick. I wasn’t even aware of this flag!

Thanks a bunch