1. 技术文章
  2. android https CertPathValidatorException: TrustAnchor found but certificate validation failed

android https CertPathValidatorException: TrustAnchor found but certificate validation failed

ε祈祈猫儿з 提交于 2019-12-13 05:38:08

问题


Does anyone meet the below exception.

It occurs random. After it happened, then https connection cannot be used anymore. The whole application needs to restart.

The scenario : After detailed trace of the code, i updated the scenario:

1. The application has 3 process in the same application.
2. The main ui process invoke https request in another thread.
3. The another 2 processes hold the 2 servcies. one service will also invoke https request in another thread.
4. When user logout, it will stop the 2 services.
3. When user login again, the main ui process invoke https request and then fail.

The code is like below:

URL url = new URL(mUri);
urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setRequestMethod(mMethod);
if (mMethod.equals(HttpPost.METHOD_NAME)) {
    urlConnection.setDoOutput(true);
}
else {
    urlConnection.setDoOutput(false);
}
urlConnection.setDoInput(true);
urlConnection.setUseCaches(false);
urlConnection.setChunkedStreamingMode(0);
...
if (!TextUtils.isEmpty(mJsonContent)) {
    OutputStreamWriter wr = new OutputStreamWriter(urlConnection.getOutputStream());
    wr.write(mJsonContent);
    wr.close();
}
//Get Response
InputStream inputStream;
int statusCode;
statusCode = urlConnection.getResponseCode();
...
inputStream = urlConnection.getInputStream();
String bodyContent = convertStreamToString(inputStream);
inputStream.close();

if (urlConnection != null) {
    urlConnection.disconnect();
}

I would like to know what can be the root cause. Currenlty i have no clue to solve this error. The https connection is run in another thread. After getting response, it will post back to main thread.

W/System.err( 7158): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.

W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:409)

W/System.err( 7158):    at com.android.okhttp.Connection.upgradeToTls(Connection.java:146)

W/System.err( 7158):    at com.android.okhttp.Connection.connect(Connection.java:107)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:89)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:197)

W/System.err( 7158):    at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:254)

W/System.err( 7158):    at com.xxxx.xxx.util.http.AsyncHttpsClient$AsyncRequest.run(AsyncHttpsClient.java:304)

W/System.err( 7158):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)

W/System.err( 7158):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)

W/System.err( 7158):    at java.lang.Thread.run(Thread.java:841)

W/System.err( 7158): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.

W/System.err( 7158):    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:308)

W/System.err( 7158):    at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)

W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)

W/System.err( 7158):    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)

W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)

W/System.err( 7158):    ... 13 more

W/System.err( 7158): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.

W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:122)

W/System.err( 7158):    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:190)

W/System.err( 7158):    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:295)

W/System.err( 7158):    ... 17 more

W/System.err( 7158): Caused by: com.android.org.bouncycastle.jce.provider.AnnotatedException: TrustAnchor found but certificate validation failed.

W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(CertPathValidatorUtilities.java:235)

W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:117)

W/System.err( 7158):    ... 19 more

W/System.err( 7158): Caused by: java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

W/System.err( 7158):    at com.android.org.conscrypt.NativeCrypto.X509_verify(Native Method)

W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLX509Certificate.verifyOpenSSL(OpenSSLX509Certificate.java:334)

W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLX509Certificate.verify(OpenSSLX509Certificate.java:367)

W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(CertPathValidatorUtilities.java:1427)

W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(CertPathValidatorUtilities.java:222)

W/System.err( 7158):    ... 20 more

回答1:


According to other sources like [1,2] you have probably outdated OpenSSL version. Try updating your openSSL version. Minimal version: OpenSSL 0.9.8o

Your BouncyCastle uses OpenSSL com.android.org.conscrypt.OpenSSLX509Certificate.verify to verify the certificate.

The exception java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm means the certificate uses digest that is not handled in the OpenSSL, most probably SHA256.

UPDATE 01: As noted in comments, in Android you cannot update system OpenSSL. Lets experiment:

  • Try visit domain with your code (if possible) which uses SHA-256 certificate (works in 100% cases or not): https://www.fi.muni.cz/

  • Then you can try to discover more details about your client support here: https://www.ssllabs.com/ssltest/viewMyClient.html

  • Then more info about your server (ciphersuites, notice digests): https://www.ssllabs.com/ssltest/index.html

What are your Android and OKHttp versions? Your system uses https://conscrypt.org/ as a crypto provider. You can try to avoid using system bundled OpenSSL & BouncyCastle versions by using a new version of BouncyCastle - SpongyCastle.

Follow instructions here https://rtyley.github.io/spongycastle/ to install SpongyCastle as a new and preferred crypto provider (core, prov, pkix). If SpongyCastle is in effect your stacktrace will contain spongycastle packages.



来源:https://stackoverflow.com/questions/38438993/android-https-certpathvalidatorexception-trustanchor-found-but-certificate-vali

标签
android
https
okhttp
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!