Question

我试图建立与HTTPS网站的连接，但我得到了这个例外：javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found。
我的原始代码如下：

URL url = new URL("https://example.com");
            HttpsURLConnection urlConnection =
                (HttpsURLConnection)url.openConnection();
            in = urlConnection.getInputStream();
            byte[] responsedata = CommonUtil.readInputStream(in);
            Log.w(TAG, "response is "+CommonUtil.convertBytesToHexString(responsedata));

然后，我阅读了Google的文章here并将我的代码修改为：

CertificateFactory cf;
        try {
            cf = CertificateFactory.getInstance("X.509");
            InputStream in = this.mContext.getResources().openRawResource(R.raw.cert);
            Certificate ca;
            ca = cf.generateCertificate(in);
                System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
                in.close();
                URL url = new URL("https://example.com");
                HttpsURLConnection urlConnection =
                (HttpsURLConnection)url.openConnection();
                in = urlConnection.getInputStream();
                byte[] responsedata = CommonUtil.readInputStream(in);
            Log.w(TAG, "response is "+CommonUtil.convertBytesToHexString(responsedata));
            in.close();

关于R.raw.cert文件，我使用this site来检查网站的证书。我找到了3个cetificates，我不知道使用哪个。我一个接一个地试了一下一个名称＆＃34; VeriSign Class 3公共主要证书颁发机构 - G5＆＃34;导致以下例外情况：

01-17 17:46:54.759: E/Process(8764): java.security.cert.CertificateException: org.apache.harmony.xnet.provider.jsse.OpenSSLX509CertificateFactory$ParsingException: org.apache.harmony.xnet.provider.jsse.OpenSSLX509CertificateFactory$ParsingException: java.lang.RuntimeException: error:0906D06C:PEM routines:PEM_read_bio:no start line

当我使用名为＆＃34; VeriSign Class 3安全服务器CA-G3＆＃34;或名称为＆＃34; example.com＆＃34; （与网站名称相同）我得到了相同的SSLHandshakeException。

我需要做什么？

与此同时，Symatec SSL Toolbox向我显示了错误和1条建议，我不明白：

Intermediate certificate missing.
VeriSign Class 3 Secure Server CA - G3

Update your certificate chain.
Your certificate chain is valid, but some older browsers may not recognize it. To support older browsers, download and install the missing intermediate certificate

为该网站找到的3个证书如下：
example.com ：

VeriSign Class 3安全服务器CA - G3

VeriSign Class 3公共主要证书颁发机构 - G5 ：

Answer 1

<强>更新
- 我从来就不是这方面的专家，以下只是一种解决方法，可能不安全，使用风险自负 - 这篇文章已有3年以上的历史，所以它现在可能已经过时了（代码无法编译），但您应该能够找到更新的方法或官方文档，说某些部分已被弃用或删除

感谢noloader将我指向修正方向。我使用以下方法解决了我的问题：

String keyStoreType = KeyStore.getDefaultType();
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            keyStore.load(null, null);
            keyStore.setCertificateEntry("ca", ca);// my question shows how to get 'ca'
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
// Initialise the TMF as you normally would, for example:
tmf.init(ca); 

TrustManager[] trustManagers = tmf.getTrustManagers();
final X509TrustManager origTrustmanager = (X509TrustManager)trustManagers[0];

TrustManager[] wrappedTrustManagers = new TrustManager[]{
   new X509TrustManager() {
       public java.security.cert.X509Certificate[] getAcceptedIssuers() {
          return origTrustmanager.getAcceptedIssuers();
       }

       public void checkClientTrusted(X509Certificate[] certs, String authType) {
           origTrustmanager.checkClientTrusted(certs, authType);
       }

       public void checkServerTrusted(X509Certificate[] certs, String authType) {
           try {
               origTrustmanager.checkServerTrusted(certs, authType);
           } catch (CertificateExpiredException e) {}
       }
   }
};

SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, wrappedTrustManagers, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

在我的问题中提到的为该网站找到的3个证书中，对我有用的证书是 VeriSign Class 3安全服务器CA - G3

Answer 2

在我的情况下，我在本地主机上的Https上运行我的服务器，我必须切换到http，并且该服务器正常工作，也许服务器的ssl证书不受Android设备信任

SSLHandshakeException未找到Android HTTPS的证书路径的信任锚

2 个答案: