68

I am creating an android application which uses https for communication with the server. I am using retrofit and OkHttp for making requests. These works fine for standard http requests. The following are the steps that I followed.

Step 1 : Acquired the cert file from the server using the command

echo -n | openssl s_client -connect api.****.tk:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gtux.cert

Step 2 : Converted the cert to a BKS format by using the following commands

keytool -importcert -v -trustcacerts -file "gtux.cert" -alias imeto_alias -keystore "my_keystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-146.jar" -storetype BKS

It asked me for password and the file was successfully created.

Step 3 :

Create a OkHttpClient and use the same for making https requests

public class MySSLTrust {
public static OkHttpClient trustcert(Context context){
    OkHttpClient okHttpClient = new OkHttpClient();
    try {
        KeyStore ksTrust = KeyStore.getInstance("BKS");
        InputStream instream = context.getResources().openRawResource(R.raw.my_keystore);
        ksTrust.load(instream, "secret".toCharArray());
        // TrustManager decides which certificate authorities to use.
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ksTrust);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        okHttpClient.setSslSocketFactory(sslContext.getSocketFactory());
    } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | KeyManagementException e) {
        e.printStackTrace();
    }
    return okHttpClient;
}
}

Step 4:

RestAdapter has to be created

RestAdapter.Builder()
.setRequestInterceptor(intercept)
.setEndpoint("https://api.****.tk")
.setClient(new OkClient(this))
.setLogLevel(RestAdapter.LogLevel.FULL)
.setLog(new AndroidLog("RETROFIT"))
.build();

But finally when run the app it is throwing me CertPathValidatorException : Trust anchor for certificate path not found. Please help me to solve this. Thank you.

Other failure attempts : Tried to install the certificate in my Xperia Z2 and it says the file was installed but when i run the app the same exception is thrown.

Error Log Here is the error log that I got on executing...

Error Log

Pasted there so that it will be easy to read..

Gowtham Raj
  • 2,915
  • 1
  • 24
  • 38

9 Answers9

91

DISCLAIMER: this answer is from Jul 2015 and uses Retrofit and OkHttp from that time.
Check this link for more info on Retrofit v2 and this one for the current OkHttp methods.

Okay, I got it working using Android Developers guide.

Just as OP, I'm trying to use Retrofit and OkHttp to connect to a self-signed SSL-enabled server.

Here's the code that got things working (I've removed the try/catch blocks):

public static RestAdapter createAdapter(Context context) {
  // loading CAs from an InputStream
  CertificateFactory cf = CertificateFactory.getInstance("X.509");
  InputStream cert = context.getResources().openRawResource(R.raw.my_cert);
  Certificate ca;
  try {
    ca = cf.generateCertificate(cert);
  } finally { cert.close(); }

  // creating a KeyStore containing our trusted CAs
  String keyStoreType = KeyStore.getDefaultType();
  KeyStore keyStore = KeyStore.getInstance(keyStoreType);
  keyStore.load(null, null);
  keyStore.setCertificateEntry("ca", ca);

  // creating a TrustManager that trusts the CAs in our KeyStore
  String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
  tmf.init(keyStore);

  // creating an SSLSocketFactory that uses our TrustManager
  SSLContext sslContext = SSLContext.getInstance("TLS");
  sslContext.init(null, tmf.getTrustManagers(), null);

  // creating an OkHttpClient that uses our SSLSocketFactory
  OkHttpClient okHttpClient = new OkHttpClient();
  okHttpClient.setSslSocketFactory(sslContext.getSocketFactory());

  // creating a RestAdapter that uses this custom client
  return new RestAdapter.Builder()
              .setEndpoint(UrlRepository.API_BASE)
              .setClient(new OkClient(okHttpClient))
              .build();
}

To help in debugging, I also added .setLogLevel(RestAdapter.LogLevel.FULL) to my RestAdapter creation commands and I could see it connecting and getting the response from the server.

All it took was my original .crt file saved in main/res/raw. The .crt file, aka the certificate, is one of the two files created when you create a certificate using openssl. Generally, it is a .crt or .cert file, while the other is a .key file.

Afaik, the .crt file is your public key and the .key file is your private key.

As I can see, you already have a .cert file, which is the same, so try to use it.

PS: For those that read it in the future and only have a .pem file, according to this answer, you only need this to convert one to the other:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

PS²: For those that don't have any file at all, you can use the following command (bash) to extract the public key (aka certificate) from any server:

echo -n | openssl s_client -connect your.server.com:443 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/my_cert.crt

Just replace the your.server.com and the port (if it is not standard HTTPS) and choose a valid path for your output file to be created.

Paulo Avelar
  • 2,140
  • 1
  • 17
  • 31
  • I thought you had a .pem file. Changed the answer to clarify that's not the case. But you do have a .cert file, which should be the same. Try to use it and let me know. :) – Paulo Avelar Jul 15 '15 at 17:29
  • It works with me too. But put the cert file in client side, is it secure enough? – DàChún Sep 01 '15 at 08:15
  • Yes, because that's the **public key**, not the private one. You can fetch that anytime using OpenSSL, and from any server, not only yours. The private key, which is the **. key** file, is only in the server. See https://fdmanana.wordpress.com/2008/07/01/getting-a-servers-certificate-with-openssl/ for more information. – Paulo Avelar Sep 01 '15 at 10:57
  • What's `my_cert`? What if I don't have the certificate? – IgorGanapolsky Oct 23 '15 at 16:26
  • It is the **.crt** file corresponding to the server's public key. If you don't have it, it is easy to get it from the server using OpenSSL. Search for the command that gets the pem file from the server (another certificate format). With the pem in your computer, run the command in my answer to convert it to the .crt file. – Paulo Avelar Oct 23 '15 at 16:52
  • It works only with your one "my_cert", in case if your server work with trusted cert, the validation will be failed. – Kirill Vashilo Jun 28 '16 at 10:07
  • @KirillVashilo Well, yes. But if your server works with a certificate trusted by a valid CA, there is absolutely *no need* for the procedures above. This is, as OP states and I second in my answer, for self-signed certificates. – Paulo Avelar Jun 28 '16 at 13:09
  • @paulo-avelar, I see your opinion, but we need on our project to work with like pre-release server with self-signed cert and than without rebuild of the android app to work with this server when it have been updated with trusted certificate. I'm still in search of solutions.. I have no idea how to get TrustManager with all trusted certificates that installed for the device. – Kirill Vashilo Jun 29 '16 at 18:47
  • @PauloAvelar i couldn't make this code work if the certificate has a the CN as "example.com" Having a certificate with a CN as a domain i always get the error "CertPathValidatorException: Trust anchor for certification path not found." It only seems to work if the CN is set something like the name of the company, but in that case how can the hostname be verified? – Steve Feb 22 '17 at 17:00
  • @Steve, I've had exceptions like that before. It turned out that Android verifies if the provided hostname matches DNS records, so you must provide a valid hostname that can be used to route to the server you are trying to connect. You can either recreate the certificate with a valid hostname/IP or create DNS records for the server. What is the address of the server you are connecting? Why can't the self-signed certificate use it as the hostname? If you are using one certificate for multiple servers, you need more certificates and some code tweaks. – Paulo Avelar Feb 22 '17 at 18:40
  • 1
    @PauloAvelar Thanks for the input! I noticed the problem was that i needed to reboot the wamp server in order to use the new generated cert with the domain name, since i didnt do that the problem was that i was using the new cert in android but wamp was using the cache version of the old one – Steve Feb 22 '17 at 18:46
  • 2
    if okHttpClient.setSslSocketFactory(...) method cannot resolve, you can use okHttpClient= new OkHttpClient.Builder() .sslSocketFactory(new TLSSocketFactory()) .build(); – oguzhan Jun 16 '17 at 14:14
  • This answer is originally from Jul 2015 and so are the libraries. Retrofit and OkHttp changed a lot since and deprecated/removed a lot of methods. I will add a disclaimer to the answer, though. – Paulo Avelar Jun 17 '17 at 15:28
  • R.raw.my_cert is the public key, but what about the private one? Where should I put it? in Insomnia (just like Postman) I have to use them both – Andrei Manolache Feb 25 '21 at 09:42
  • You should *never* ship a private key inside a mobile app, where it can be easily extracted. The validations performed by TLS/SSL require only the server's public key in client-side. – Paulo Avelar Feb 25 '21 at 17:52
  • @PauloAvelar but how would my mobile app decrypt the message if there is no private key provided? When receiving the answer back from the server (let's say a bank server), the answer should be decrypted with my private key, but how if i provide none in the mobile app? – Andrei Manolache Feb 25 '21 at 18:39
  • 1
    This is not how HTTP over TLS works. Clients don't need the private keys of every website they access. Are you sure you are just trying to connect to a self-signed regular HTTP server? Regardless, if a private key is shipped inside an APK, consider it public anyway. It adds virtually no security over regular HTTPS. – Paulo Avelar Feb 26 '21 at 05:50
46

To solve the CertPathValidatorException issue, use the following code copied from https://mobikul.com/android-retrofit-handling-sslhandshakeexception/

 Retrofit retrofit = new Retrofit.Builder()
        .baseUrl(YOUR_BASE_URL)
        .client(getUnsafeOkHttpClient().build())
        .build();


  public static OkHttpClient.Builder getUnsafeOkHttpClient() {

    try {
        // Create a trust manager that does not validate certificate chains
        final TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String
authType) throws CertificateException {
                    }
 
                    @Override
                    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String
authType) throws CertificateException {
                    }
 
                    @Override
                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return new java.security.cert.X509Certificate[]{};
                    }
                }
        };
 
        // Install the all-trusting trust manager
        final SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
 
        // Create an ssl socket factory with our all-trusting manager
        final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
 
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);
        builder.hostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
        return builder;
    } catch (Exception e) {
        throw new RuntimeException(e);
    } }
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
11

Here is Kotlin version. Okhttp 4.9.0
Thanks you :)

         fun unSafeOkHttpClient() :OkHttpClient.Builder {
            val okHttpClient = OkHttpClient.Builder()
            try {
                // Create a trust manager that does not validate certificate chains
                val trustAllCerts:  Array<TrustManager> = arrayOf(object : X509TrustManager {
                    override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?){}
                    override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {}
                    override fun getAcceptedIssuers(): Array<X509Certificate>  = arrayOf()
                })

                // Install the all-trusting trust manager
                val  sslContext = SSLContext.getInstance("SSL")
                sslContext.init(null, trustAllCerts, SecureRandom())

                // Create an ssl socket factory with our all-trusting manager
                val sslSocketFactory = sslContext.socketFactory
                if (trustAllCerts.isNotEmpty() &&  trustAllCerts.first() is X509TrustManager) {
                    okHttpClient.sslSocketFactory(sslSocketFactory, trustAllCerts.first() as X509TrustManager)
                    okHttpClient.hostnameVerifier {HostnameVerifier { _, _ -> true } }
                }

                return okHttpClient
            } catch (e: Exception) {
                return okHttpClient
            }
        }
linkkader
  • 155
  • 1
  • 9
Hani
  • 140
  • 1
  • 6
10

I don't use Retrofit and for OkHttp here is the only solution for self-signed certificate that worked for me:

  1. Get a certificate from our site like in Gowtham's question and put it into res/raw dir of the project:

    echo -n | openssl s_client -connect elkews.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./res/raw/elkews_cert.crt

  2. Use Paulo answer to set ssl factory (nowadays using OkHttpClient.Builder()) but without RestAdapter creation.

  3. Then add the following solution to fix: SSLPeerUnverifiedException: Hostname not verified

So the end of Paulo's code (after sslContext initialization) that is working for me looks like the following:

...
OkHttpClient.Builder builder = new OkHttpClient.Builder().sslSocketFactory(sslContext.getSocketFactory());
builder.hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String hostname, SSLSession session) {
    return "secure.elkews.com".equalsIgnoreCase(hostname);
});
OkHttpClient okHttpClient = builder.build();
Community
  • 1
  • 1
goRGon
  • 4,402
  • 2
  • 43
  • 45
  • 3
    Thanks for complementing the answer. One question though: by only checking the hostname without the SSL session, aren't you susceptible to Man In The Middle attacks? I'm not what other verifications are made, but I recall the one you override being very important. – Paulo Avelar Jun 28 '16 at 13:21
10

Retrofit 2.3.0

    // Load CAs from an InputStream
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

    InputStream inputStream = context.getResources().openRawResource(R.raw.ssl_certificate); //(.crt)
    Certificate certificate = certificateFactory.generateCertificate(inputStream);
    inputStream.close();

    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);
    keyStore.setCertificateEntry("ca", certificate);

    // Create a TrustManager that trusts the CAs in our KeyStore.
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(tmfAlgorithm);
    trustManagerFactory.init(keyStore);

    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
    X509TrustManager x509TrustManager = (X509TrustManager) trustManagers[0];


    // Create an SSLSocketFactory that uses our TrustManager
    SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, new TrustManager[]{x509TrustManager}, null);
    sslSocketFactory = sslContext.getSocketFactory();

    //create Okhttp client
    OkHttpClient client = new OkHttpClient.Builder()
                .sslSocketFactory(sslSocketFactory,x509TrustManager)
                .build();

    Retrofit retrofit = new Retrofit.Builder()
                    .baseUrl(url)
                    .addConverterFactory(GsonConverterFactory.create())
                    .client(client)
                    .build();
Gowsik
  • 1,096
  • 1
  • 12
  • 25
  • I was facing the error on Android API 21 and above. The solution works for me, but without a rebuild of the Android app to work with this server when it has been updated with a new certificate or renewed certificate. – Bhadresh Sep 27 '22 at 10:52
4

You are converting cert into BKS Keystore, why aren't you using .cert directly, from https://developer.android.com/training/articles/security-ssl.html:

CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream instream = context.getResources().openRawResource(R.raw.gtux_cert);
Certificate ca;
try {
    ca = cf.generateCertificate(instream);
} finally {
    caInput.close();
}

KeyStore kStore = KeyStore.getInstance(KeyStore.getDefaultType());
kStore.load(null, null);
kStore.setCertificateEntry("ca", ca);

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm(););
tmf.init(kStore);

SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);

okHttpClient.setSslSocketFactory(context.getSocketFactory());
frogatto
  • 28,539
  • 11
  • 83
  • 129
moonzai
  • 429
  • 5
  • 19
  • where should i keep the gtux.cert in my android app... ? – Gowtham Raj Mar 26 '15 at 09:41
  • is there any particular reason why my approach didnt work out.. ? – Gowtham Raj Mar 26 '15 at 10:20
  • @moonzai i couldn't make this code work if the certificate has a the CN as "example.com" Having a certificate with a CN as a domain i always get the error "CertPathValidatorException: Trust anchor for certification path not found." It only seems to work if the CN is set something like the name of the company, but in that case how can the hostname be verified? – Steve Feb 22 '17 at 17:08
  • @Steve There can be multiple reasons, but better to read here on official Google page: https://developer.android.com/training/articles/security-ssl.html#CommonProblems – moonzai Mar 14 '17 at 04:35
3

Implementation in Kotlin : Retrofit 2.3.0

private fun getUnsafeOkHttpClient(mContext: Context) : 
OkHttpClient.Builder? {


var mCertificateFactory : CertificateFactory = 
CertificateFactory.getInstance("X.509")
var mInputStream = mContext.resources.openRawResource(R.raw.cert)
            var mCertificate : Certificate = mCertificateFactory.generateCertificate(mInputStream)
        mInputStream.close()
val mKeyStoreType = KeyStore.getDefaultType()
val mKeyStore = KeyStore.getInstance(mKeyStoreType)
mKeyStore.load(null, null)
mKeyStore.setCertificateEntry("ca", mCertificate)

val mTmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm()
val mTrustManagerFactory = TrustManagerFactory.getInstance(mTmfAlgorithm)
mTrustManagerFactory.init(mKeyStore)

val mTrustManagers = mTrustManagerFactory.trustManagers

val mSslContext = SSLContext.getInstance("SSL")
mSslContext.init(null, mTrustManagers, null)
val mSslSocketFactory = mSslContext.socketFactory

val builder = OkHttpClient.Builder()
builder.sslSocketFactory(mSslSocketFactory, mTrustManagers[0] as X509TrustManager)
builder.hostnameVerifier { _, _ -> true }
return builder

}

Ahamed Mujeeb
  • 615
  • 1
  • 8
  • 13
1

Based on Hani's answer, it's working perfectcly for me. But you need to fix one thing if you get compile error.

Change okHttpClient.hostnameVerifier {HostnameVerifier { _, _ -> true } } to okHttpClient.hostnameVerifier { _, _ -> true }

And the function

fun unSafeOkHttpClient() :OkHttpClient.Builder {
    val okHttpClient = OkHttpClient.Builder()
    try {
        // Create a trust manager that does not validate certificate chains
        val trustAllCerts:  Array<TrustManager> = arrayOf(object : X509TrustManager {
            override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?){}
            override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {}
            override fun getAcceptedIssuers(): Array<X509Certificate>  = arrayOf()
        })

        // Install the all-trusting trust manager
        val  sslContext = SSLContext.getInstance("SSL")
        sslContext.init(null, trustAllCerts, SecureRandom())

        // Create an ssl socket factory with our all-trusting manager
        val sslSocketFactory = sslContext.socketFactory
        if (trustAllCerts.isNotEmpty() &&  trustAllCerts.first() is X509TrustManager) {
            okHttpClient.sslSocketFactory(sslSocketFactory, trustAllCerts.first() as X509TrustManager)
            okHttpClient.hostnameVerifier { _, _ -> true } // change here
        }

        return okHttpClient
    } catch (e: Exception) {
        return okHttpClient
    }
}
KiluSs
  • 421
  • 4
  • 13
0

After a long reserch and digging too deep i found the solution of certificate pinning in android and yes its different from iOS where we need a certificate itself but in android we just need a hash pin and that's it.

How to get hash pin for certificate?

Initially just use a wrong hash pin and your java class will throw an error with correct hash pins or pin chain, just copy and paste into your code thats it.

This solution fixed my problem : https://stackoverflow.com/a/45853669/3448003

Bajrang Hudda
  • 3,028
  • 1
  • 36
  • 63