Trust anchor for certification path not found on Android Project

Posted: 2021-10-08 20:17:42

Question:

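I have an Android project that works fine in my test environment with the test environment certificate. Now I have to connect this application to the client's UAT environment instead of the test environment. I downloaded the public certificate from the client's website, added it to the Android application, and replaced the test environment certificate. When I test the application, I get the error below.

What does this error mean? Is it an error about server-side configuration? Should I add this certificate to the Android OS's trusted certificates?

Edit: The certificate downloaded from the client's website is a CA certificate. It is not a self-signed certificate.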

W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:236)
W/System.err:     at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:367)
W/System.err:     at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:325)
W/System.err:     at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:197)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:249)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:108)
W/System.err:     at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:76)
W/System.err:     at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:245)
W/System.err:     at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:96)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at xbnvqqyqoxeynry.dxdxdd.intercept(Unknown Source:29)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at xbnvqqyqoxeynry.xxxxdx.intercept(Unknown Source:4)
W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err:     at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:197)
W/System.err:     at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:502)
W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
W/System.err:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
W/System.err:     at java.lang.Thread.run(Thread.java:764)
W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:654)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:499)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:422)
W/System.err:     at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:343)
W/System.err:     at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
W/System.err:     at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
W/System.err:     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:426)
W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err:     at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:383)
W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
W/System.err:   ... 24 more
W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err:   ... 35 more


Answer 1:

I think you need to create a network_security_config.xml in res/xml and configure it as well. For example:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
        <certificates src="@raw/certificate_name"/>
        <certificates src="system"/>
    </trust-anchors>
  </base-config>
</network-security-config>

After this, you should add network_security_config to the AndroidManifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                ... >
    ...
    </application>
</manifest>

For more information: https://developer.android.com/training/articles/security-config.html
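A narrower variant of the configuration in the answer above, added here as an example and not part of the original answer: it trusts the bundled CA only for the UAT host instead of for every connection the app makes. The host name uat.example.com and the resource name uat_ca are assumptions standing in for the client's real host and CA file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example) -->
<network-security-config>
    <!-- Every other host is validated against the system CA store only. -->
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Assumption: uat.example.com stands in for the client's UAT host. -->
    <domain-config>
        <domain includeSubdomains="false">uat.example.com</domain>
        <trust-anchors>
            <!-- Assumption: res/raw/uat_ca (PEM or DER) is the CA certificate
                 that issued the UAT server's chain. If the chain the server
                 presents does not lead to this CA, the handshake still fails
                 with "Trust anchor for certification path not found". -->
            <certificates src="@raw/uat_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Because the domain-config lists only the bundled CA, system CAs are not trusted for that host; add `<certificates src="system"/>` inside it if the UAT host may also present a publicly issued chain.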
