
Android: CertPathValidatorException: Trust anchor for certification path not found

I believe I have done everything I should here according to related articles and yet I still get this error. I have created my own CA and signed the server certificates with this CA. On the Android side I have created a custom TrustManager using a custom truststore which has this CA root certificate in it. Using System.setProperty("javax.net.debug", "ssl") on the server side (it doesn't work on the Android side unfortunately, even in 4.4) I get a little bit more information. I get past the server hello and the exchange of the secret keys. Then Android gives me the above error (Trust anchor for certification path not found) and on the server side I get javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

I have mirrored the application (client) on my PC and it works.

Is it that Android does not support 2048-bit keys with SHA512withRSA? I have no problem with self-signed certificates (1024 and SHA1withRSA); I have not tried self-signed certificates with 2048 and SHA512.

Somehow I believe this is a shortcoming of Android that is not documented or hard to find (kind of like System.setProperty("javax.net.debug", "ssl") not working).

I actually implement my own KeyManager and TrustManager and keystores and truststores because eventually I will need mutual TLS ... all working on a PC. Hoped it would be an easy migration to Android.

Here is the Android setup of the keystores/truststores (gets the files and loads them):

    LoadFile(getString(R.string.truststore_filename), R.raw.androidtruststore);
    LoadFile(getString(R.string.keystore_filename), R.raw.androidkeystore);
    String basePath = getFilesDir().getAbsolutePath() + "/";
    SecureRawHttpWanSender.setSecureProperties(basePath + getString(R.string.truststore_filename),
                                               getString(R.string.truststore_password),
                                               basePath + getString(R.string.keystore_filename),
                                               getString(R.string.keystore_password),
                                               true);

Here is the setting of the TrustManagers etc. done in setSecureProperties(), which is also used on the PC. Only the loading of the files is different (PC uses jks and Android uses bks):

    FileInputStream fIS = null;
    try
    {
        // On Android this is "BKS". Otherwise Sun Java is "JKS"
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        Manager.log.log(Level.Info, Task.WanSecure, "Type of truststore: " + trustStore.getType());
        fIS = new FileInputStream(trustStoreFileName);
        trustStore.load(fIS, trustStorePassword.toCharArray());
        fIS.close();
        // Trust manager built from the truststore (holds the CA root certificate)
        tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        if(keyStoreFileName != null)
        {
            // Client key/certificate, only needed once mutual TLS is enabled
            keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            Manager.log.log(Level.Info, Task.WanSecure, "Type of keystore: " + keyStore.getType());
            fIS = new FileInputStream(keyStoreFileName);
            keyStore.load(fIS, keyStorePassword.toCharArray());
            fIS.close();
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyStorePassword.toCharArray());
        }
        return true;
    }
    catch (Exception e)
    {
        // Catch clause reconstructed here: the posted snippet ended at the try block.
        // Any load/init failure (bad password, wrong store type, missing file) is reported as "not configured".
        Manager.log.log(Level.Info, Task.WanSecure, "Failed to load truststore/keystore: " + e);
        return false;
    }
    finally
    {
        // Stream is closed on the normal path above; this covers the exception path.
        if (fIS != null)
        {
            try { fIS.close(); } catch (IOException ignored) {}
        }
    }

Thanks for any help (and the discovery of anything I did that was really stupid!)

I found a solution to the above problem but I don't like it. I may have actually seen it mentioned somewhere else in one of the questions related to this topic. What I did was add to the Android truststore the server's certificate that is signed by the CA. So now in my truststore I have TWO certificates for the server, the server's certificate signed by the CA and the CA root certificate.

What I don't like is the inconsistency. On my Windows 7 PC I do not need the server's certificate signed by the CA, it is sufficient to have the CA root. I can understand the need for intermediary certificates IF the server certificate was signed by a CA that perhaps is validated by the root CA in the truststore but that intermediary CA's certificate is not in the truststore. The chain is then broken.

Why I need the server certificate signed by the CA root plus the root CA on Android but only need the root CA on my PC is a point of significant confusion. I take it as a typically incomplete implementation of Android. As I am finding out is the case for XML schema validation!
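The poster's workaround (putting the leaf certificate into the truststore) hides which link of the chain the platform trust manager is rejecting. The diagnostic below is an added example, not code from the question or from Android; it reuses the same TrustManagerFactory setup as the question's setSecureProperties(), wraps the resulting X509TrustManager so that the chain the server actually presents is recorded before the platform validates it, and then reports whether that chain terminates in an anchor from the truststore and whether that anchor is marked as a CA. The class name TrustAnchorCheck, the Report type, and the host/port/truststore/password command-line arguments are all assumptions of this example; validation itself is still done by the real trust manager, nothing is bypassed.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Added diagnostic example (not the question's code): which anchor does the chain reach?
public class TrustAnchorCheck {

    static class Report {                 // hypothetical holder for one probe result
        X509Certificate[] chain;          // chain exactly as the server presented it, leaf first
        boolean trusted;                  // true when the platform trust manager accepted it
        String failure;                   // handshake exception text, if any
    }

    // Same construction as setSecureProperties(): default store type (BKS on Android, JKS on a PC JRE),
    // default TrustManagerFactory algorithm, and the platform's X509TrustManager from it.
    static X509TrustManager trustManagerFor(String file, String password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(file);
        try { ts.load(in, password.toCharArray()); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for store type " + ts.getType());
    }

    // Handshakes once; the wrapper records the presented chain and then delegates validation unchanged.
    static Report probe(String host, int port, final X509TrustManager real) throws Exception {
        final Report r = new Report();
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                real.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                r.chain = chain.clone();                    // record first ...
                real.checkServerTrusted(chain, authType);   // ... then validate exactly as the platform would
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            s.startHandshake();
            r.trusted = true;
        } catch (SSLHandshakeException e) {
            r.failure = e.toString();
        } finally {
            s.close();
        }
        return r;
    }

    // Relates the presented chain to the anchors (getAcceptedIssuers) in the truststore.
    static String diagnose(Report r, X509TrustManager tm) {
        if (r.chain == null) return "handshake failed before a server certificate was checked: " + r.failure;
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < r.chain.length; i++) {
            sb.append("chain[").append(i).append("] subject=").append(r.chain[i].getSubjectX500Principal())
              .append(" issuer=").append(r.chain[i].getIssuerX500Principal()).append('\n');
        }
        X509Certificate top = r.chain[r.chain.length - 1];       // last cert the server sent
        X500Principal wanted = top.getIssuerX500Principal();     // who must be in the truststore
        X509Certificate anchor = null;
        for (X509Certificate c : tm.getAcceptedIssuers()) {
            if (c.getSubjectX500Principal().equals(wanted)) { anchor = c; break; }
        }
        if (anchor == null) {
            sb.append("no trust anchor has subject ").append(wanted)
              .append(": the server is not sending its issuing (intermediate) certificate, ")
              .append("or the truststore holds a different CA than the one that signed this chain");
        } else if (anchor.getBasicConstraints() < 0) {
            sb.append("anchor ").append(anchor.getSubjectX500Principal())
              .append(" is not marked as a CA (basicConstraints CA:TRUE is missing), so it cannot issue");
        } else {
            sb.append("chain terminates in anchor ").append(anchor.getSubjectX500Principal())
              .append(r.trusted ? " and validated" : " but validation failed: " + r.failure);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // usage: java TrustAnchorCheck <host> <port> <truststore file> <truststore password>
        X509TrustManager tm = trustManagerFor(args[2], args[3]);
        Report r = probe(args[0], Integer.parseInt(args[1]), tm);
        System.out.println(diagnose(r, tm));
    }
}
```

Run it from the PC JRE against the JKS truststore and, as a plain class inside the app, against the BKS one: if the two reports differ in the chain length or in the anchor subject they reach, the truststores or the two store types were not loaded with the same certificates. A chain whose last certificate has an issuer that matches no anchor is the case where adding the leaf "fixes" the error, because the leaf then becomes an anchor itself rather than being verified against the CA.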



 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM