android java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

1
votes

I am loding a keystore that is required for a https connection am trying to make. However I get the error java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. The method in use is as below:

public  HttpsURLConnection setUpHttpsConnection()
{
    String HttpMessage="";
    int HttpResult=0;
    HttpsURLConnection urlConnection=null;
    try
    {
        Log.i("status","inside method..");

        InputStream caInput = getAssets().open("myapp_key.p12");
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        String pfxPassword = "test123"; // change it to the correct password
        keyStore.load(caInput, pfxPassword.toCharArray());
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        TrustManager[] trustManagers = tmf.getTrustManagers();
        final X509TrustManager origTrustmanager = (X509TrustManager)trustManagers[0];

        TrustManager[] wrappedTrustManagers = new TrustManager[]{
                new X509TrustManager() {
                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return origTrustmanager.getAcceptedIssuers();
                    }

                    public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                        origTrustmanager.checkClientTrusted(certs, authType);
                    }

                    public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                        try {
                            origTrustmanager.checkServerTrusted(certs, authType);
                        } catch (CertificateExpiredException e) {
                            e.printStackTrace();
                        }
                    }
                }
        };

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, wrappedTrustManagers, null);

        // Tell the URLConnection to use a SocketFactory from our SSLContext
        urlConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        URL url = new URL("https://sandbox.api.visa.com/visadirect/mvisa/v1/merchantpushpayments/");
        urlConnection =(HttpsURLConnection)url.openConnection();
        urlConnection.setDoOutput(true);
        urlConnection.setRequestMethod("POST");
        urlConnection.setRequestProperty("Content-Type", "application/json");
        urlConnection.setRequestProperty("Authorization", "SYZK9LIO98QIQNQ27H6921fgRyt63FHIxrQP76m0hNYT6BZ7I:pB1g5XX3Hw58buPENR03ZM4Vgm7P");
        InputStream in = urlConnection.getInputStream();
       BufferedReader  reader = new BufferedReader(new InputStreamReader(in));
        String res = reader.toString();
        System.out.println(res);




    }catch(SSLHandshakeException he){
        he.printStackTrace();
    }
    catch (Exception ex)
    {
        Log.e("error", "Failed to establish SSL connection to server: " + ex.toString());
        return null;
    }
    return urlConnection;
}

This is the error:

 02-23 14:33:10.641 27643-28086/com.eva.mvisa W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-23 14:33:10.641 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.Connection.upgradeToTls(Connection.java:197)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.Connection.connect(Connection.java:151)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:276)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:211)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:373)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:323)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:190)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:25)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.eva.mvisa.activities.PayMerchant.setUpHttpsConnection(PayMerchant.java:515)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.eva.mvisa.activities.PayMerchant$PayMerchantAsync.doInBackground(PayMerchant.java:238)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.eva.mvisa.activities.PayMerchant$PayMerchantAsync.doInBackground(PayMerchant.java:170)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at android.os.AsyncTask$2.call(AsyncTask.java:288)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at java.util.concurrent.FutureTask.run(FutureTask.java:237)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at java.lang.Thread.run(Thread.java:818)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:209)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.eva.mvisa.activities.PayMerchant$4.checkServerTrusted(PayMerchant.java:495)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:115)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:525)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err:  ... 18 more
02-23 14:33:10.651 27643-28086/com.eva.mvisa W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2
androidssl

2 Answers

1
votes

Check the certificate chain. Are all the certs in the chain available, or does one need an extra download?

I had the same message in my app, and noticed my chain was missing the intermediate cert. Once i have put this in my .pem file, my issue was resolved.

Use https://www.ssllabs.com to check your application.

0
votes

I have the same problem in my Retrofit2 project,Solved by the following ways

public static OkHttpClient getUnsafeOkHttpClient() {

    try {
        final TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                    }

                    @Override
                    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                    }

                    @Override
                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return new java.security.cert.X509Certificate[]{};
                    }
                }
        };

        final SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
        final javax.net.ssl.SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        builder.sslSocketFactory(sslSocketFactory);

        builder.hostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });

        return builder.build();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }

}

then change

OkHttpClient okHttpClient = new OkHttpClient();

to:

OkHttpClient okHttpClient = getUnsafeOkHttpClient();