Android 2.3.x javax.net.ssl.SSLHandshakeException : java. security.cert.CertPathValidatorException:找不到证书路径的信任 anchor

Question

我仅在(可能是某些)2.3.x 设备上收到此错误。它适用于运行高于该版本的 Android 版本的任何其他设备。

这是我的 HTTPRequestController:

public class HttpRequestController {

private final static String TAG = "HttpRequestController";

private static HttpRequestController instance;

public enum Method {
    PUT, POST, DELETE, GET
}

private HttpRequestController() {

}

public static HttpRequestController getInstance() {
    if (instance == null)
        instance = new HttpRequestController();

    return instance;
}

public String doRequest(String url, HashMap<Object, Object> data,
        Method method, String token) throws Exception {

    InputStream certificateInputStream = null;
    if (MyApplication.PRODUCTION) {
        certificateInputStream = MyApplication.context
                .getResources().openRawResource(R.raw.production_cert);
        LogUtils.log("using production SSL certificate");
    } else {
        certificateInputStream = MyApplication.context
                .getResources().openRawResource(R.raw.staging_cert);
        LogUtils.log("using staging SSL certificate");
    }

    KeyStore trustStore = KeyStore.getInstance("BKS");
    try{
    trustStore.load(certificateInputStream,
            "re3d6Exe5HBsdskad8efj8CxZwv".toCharArray());
    } finally {
        certificateInputStream.close();
    }


    TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
    tmf.init(trustStore);
    LogUtils.log("SSL: did init TrustManagerFactory with trust keyStore");
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, tmf.getTrustManagers(), null);
    LogUtils.log("SSL: did init context with trust keyStore");  


    URL request = new URL(url);
    HttpsURLConnection urlConnection = (HttpsURLConnection) request
            .openConnection();

    LogUtils.log("SSL: did open HttpsURLConnection");   

    urlConnection.setHostnameVerifier(new StrictHostnameVerifier());
    urlConnection.setSSLSocketFactory(context.getSocketFactory());
    urlConnection.setConnectTimeout(15000);
    LogUtils.log("SSL: did set Factory and Timeout.");

    if (method != Method.GET){
        urlConnection.setDoOutput(true);
    }
        urlConnection.setDoInput(true);
        urlConnection.setRequestProperty("Content-Type", "application/json");
        urlConnection.setRequestProperty("Accept", "application/json");

    LogUtils.log("SSL: urlConnection did set request properties.");

    if (token != null) {
        urlConnection.setRequestProperty("Authorization", "Token " + token);
    }
        urlConnection.setRequestMethod(method.toString());
        urlConnection.connect();

        LogUtils.log("SSL: urlConnection did connect.");

    if (method != Method.GET) {
        ObjectMapper mapper = new ObjectMapper();
        String jsonValue = mapper.writeValueAsString(data);
        OutputStream os = urlConnection.getOutputStream();
        os.write(jsonValue.getBytes());
        os.flush();
        LogUtils.log(TAG, "Params: " + jsonValue);
    }

    LogUtils.log(TAG, method.toString() + ": " + url);

    InputStream in = null;
    if (urlConnection.getResponseCode() == 200) {
        in = urlConnection.getInputStream();
    } else {
        in = urlConnection.getErrorStream();
    }
    String response = convertStreamToString(in);

    LogUtils.log(TAG, "Got response : " + url);
    LogUtils.log(TAG, "Response : " + response);

    return response;
}

public String convertStreamToString(InputStream inputStream) {
    BufferedReader buffReader = new BufferedReader(new InputStreamReader(
            inputStream));
    StringBuilder stringBuilder = new StringBuilder();

    String line = null;
    try {
        while ((line = buffReader.readLine()) != null) {
            stringBuilder.append(line + "\n");
        }
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        try {
            inputStream.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    return stringBuilder.toString();
}

public HttpClient retrieveHttpClient() {
    return new MyHttpClient(MyApplication.context);
}

当我运行命令时:

openssl s_client -debug -connect www.mysitedomain.com:443

我收到回复:

--
some key stuff 
--
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.mydomainname.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
 some more certificate stuff
-----END CERTIFICATE-----

ubject=/OU=Domain Control Validated/CN=www.mydomainname.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4091 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 57C379C59483809A7FE1BF8E235C5BFA7789E62AAEBCA9BC14B5273F5D1304E7
    Session-ID-ctx: 
    Master-Key: 6FCD498D1294415A42B57420F0C05AB903EF8E56CB6F1530390F73AF5E4CBC22B359D5CDA09811E075A5C598002C380D
    Key-Arg   : None
    Start Time: 1390473282
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

所以它返回正常...但对于我测试的 2.3.x 设备，它仍然给我这个错误。

在这之后我得到一个异常:

LogUtils.log("SSL: urlConnection did set request properties.");

异常(exception)情况:

01-23 10:20:28.459: W/System.err(1623): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:477)
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:328)
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.luni.internal.net.www.protocol.http.HttpConnection.setupSecureSocket(HttpConnection.java:185)
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.makeSslConnection(HttpsURLConnectionImpl.java:433)
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.makeConnection(HttpsURLConnectionImpl.java:378)
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:205)
01-23 10:20:28.459: W/System.err(1623):     at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:152)

我是这样调用它的:

String response = HttpRequestController
                            .getInstance()
                            .doRequest(ApiUrls.LOGIN, params, Method.POST, null);

它适用于运行 Android 2.3.x 以上版本的任何其他设备(根据我的测试)。

Android 文档似乎没有写任何关于 2.3 兼容性的内容。

Answer 1

您必须告诉 Android 系统信任您的证书。你的问题是Android 2.3之后接受你的证书，因为它包含在受信任的证书列表中，但在以前的版本中不包含，所以，有问题。

我建议您在 Android documentation 上这样做:

// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
    ca = cf.generateCertificate(caInput);
    System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
    caInput.close();
}

// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);

// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);

// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://certs.cac.washington.edu/CAtest/");
HttpsURLConnection urlConnection =
    (HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
copyInputStreamToOutputStream(in, System.out);

我也在做同样的事情，它在所有设备上都能正常工作，Android 2.3 及以下版本，我网站的证书是私有(private)的。

试试吧，然后告诉我它现在是否有效。

希望对你有帮助!