certificatePinner not working with okhttp throwing SSLHandshakeException: CertPathValidatorException Trust anchor for certification path not found
【Posted】: 2019-05-09 18:44:40
【Question】: I have taken the code from Square's own github Readme:
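import android.util.Log
import java.io.IOException
import javax.net.ssl.SSLHandshakeException
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request

@Throws(Exception::class)
fun run() {
    // Client that only accepts api.somewebsite.nl when the chain contains the pinned key.
    val client = OkHttpClient.Builder()
        .certificatePinner(CertificatePinner.Builder()
            .add("api.somewebsite.nl", "sha256/SOME_KEY/SOME_KEY")
            .build())
        .build()
    val request = Request.Builder()
        .url("https://api.somewebsite.nl")
        .build()
    try {
        val response = client.newCall(request).execute()
        if (!response.isSuccessful) {
            Log.i("TestCode", "is Not Successful")
            throw IOException("Unexpected code $response")
        } else {
            Log.i("TestCode", "is Successful")
        }
        // Print the pin of every certificate the server presented.
        for (certificate in response.handshake()!!.peerCertificates()) {
            println(CertificatePinner.pin(certificate))
        }
    } catch (e: SSLHandshakeException) {
        e.printStackTrace()
    }
}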
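When visiting the website with Chrome it works fine, which shows that the app has the Comodo CA certificate on that particular phone. For the SHA256 pin value I went to this site. This site was also mentioned in this excellent walkthrough.
I used the latest versions of the libraries: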
implementation "com.squareup.retrofit2:retrofit:2.5.0"
implementation "com.squareup.retrofit2:converter-moshi:2.5.0"
implementation "com.squareup.okhttp3:okhttp:3.14.1"
Here is the log:
E/Conscrypt: ------------------Untrusted chain: ----------------------
E/Conscrypt: == Chain0 ==
Version: 3
E/Conscrypt: Serial Number: serial_number
E/Conscrypt: SubjectDN: CN=*.somewebsite.nl, OU=PremiumSSL Wildcard, OU=IT, O=somewebsite B.V., STREET=some_street, L=SomeCity, ST=SomeCity, OID.2.5.4.17=POSTAL_CODE, C=NL
E/Conscrypt: IssuerDN: CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
E/Conscrypt: Get not before: Mon May 06 02:00:00 GMT+02:00 2019
E/Conscrypt: Get not after: Mon Jul 05 01:59:59 GMT+02:00 2021
E/Conscrypt: Sig ALG name: SHA256withRSA
E/Conscrypt: Signature: SOME_SIGNATURE
E/Conscrypt: Public key:
W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
W/System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
W/System.err: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
W/System.err: at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
W/System.err: at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
W/System.err: at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:107)
W/System.err: at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:87)
W/System.err: at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
W/System.err: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
W/System.err: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
W/System.err: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
W/System.err: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
W/System.err: at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
W/System.err: at okhttp3.RealCall.execute(RealCall.java:81)
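The trace above fails inside `startHandshake`, with no `CertificatePinner` frame in it: OkHttp checks pins only after the handshake succeeds. As an added example (not part of the original post), this Python triage function tells that failure apart from a real pin mismatch; the function name is hypothetical and the pin-mismatch sample is constructed.

```python
import re

# Lines copied from the log on this page.
TRUST_FAILURE = """\
W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
W/System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
"""
# Constructed sample (not from the page): a pin mismatch as OkHttp reports it.
PIN_FAILURE = """\
W/System.err: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
W/System.err: at okhttp3.CertificatePinner.check(CertificatePinner.java)
W/System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java)
"""

FRAME = re.compile(r"^at ([\w.$]+)\.([\w$<>]+)\(")
EXCEPTION = re.compile(r"([\w.$]+Exception)\b")


def classify_tls_failure(trace):
    """Report which check rejected the connection, judged from a logcat trace."""
    exceptions, frames = set(), set()
    for raw in trace.splitlines():
        line = raw.split(": ", 1)[-1].strip()  # drop the "W/System.err: " tag
        frame = FRAME.match(line)
        if frame:
            frames.add((frame.group(1), frame.group(2)))
        else:
            exceptions.update(n.rsplit(".", 1)[-1] for n in EXCEPTION.findall(line))
    pin_checked = ("okhttp3.CertificatePinner", "check") in frames
    in_handshake = any(method == "startHandshake" for _, method in frames)
    if "CertPathValidatorException" in exceptions and in_handshake and not pin_checked:
        # The platform TrustManager rejected the chain during the handshake,
        # so the configured pins were never compared with anything.
        stage = "trust-chain validation"
    elif "SSLPeerUnverifiedException" in exceptions and pin_checked:
        stage = "certificate pin"
    else:
        stage = "unknown"
    return {"stage": stage, "pin_evaluated": pin_checked,
            "exceptions": sorted(exceptions)}


if __name__ == "__main__":
    for name, trace in (("page log", TRUST_FAILURE), ("constructed", PIN_FAILURE)):
        print(name, classify_tls_failure(trace))
```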
【Comments】:
Did you find a solution?
Did you find a solution, @jim clermonts?
【Answer 1】: Try modifying the OkHttpClient.Builder object: see this solution
【Comments】:
The person is trying to pin certificates, but you are suggesting disabling certificate checks o_O