System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

Question

1) I am trying to make HTTPS requests from Android mobile.
So I have created filename.bks file using below command

I have renamed the ssl certificate "load-der.crt" which I received from godaddy to "cert.pem". Then I used this file in below command

keytool -import -alias tomcat -file C:/Users/Masthan/Desktop/BKS/cert.pem -keypass password -keystore C:/Users/Masthan/Desktop/BKS/keystore.bks -storetype BKS -storepass 222222 -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath C:/Users/Masthan/Desktop/BKS/bcprov-ext-jdk15on-1.46.jar

2) Then I have used this bks file in below code

public class MyHttpClient extends DefaultHttpClient {
final Context context;

public MyHttpClient(Context context) {
    this.context = context;
}

@Override
protected ClientConnectionManager createClientConnectionManager() {
    SchemeRegistry registry = new SchemeRegistry();

    registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));

    // Register for port 443 our SSLSocketFactory with our keystore to the ConnectionManager
    registry.register(new Scheme("https", newSslSocketFactory(), 443));
    return new SingleClientConnManager(getParams(), registry);
}

private SSLSocketFactory newSslSocketFactory() {
    try {
        // Get an instance of the Bouncy Castle KeyStore format
        KeyStore trusted = KeyStore.getInstance("BKS");

        // Get the raw resource, which contains the keystore with your trusted certificates (root and any intermediate certs)
        InputStream in = context.getResources().openRawResource(R.raw.keystore);
        try {
            // Initialize the keystore with the provided trusted certificates.
            // Also provide the password of the keystore
            trusted.load(in, "222222".toCharArray());
        } finally {
            in.close();
        }

        // Pass the keystore to the SSLSocketFactory. The factory is responsible for the verification of the server certificate.
        SSLSocketFactory sf = new SSLSocketFactory(trusted);

        // Hostname verification from certificate
        // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return sf;
    } catch (Exception e) {
        throw new AssertionError(e);
    }
}}

Then I used above MyHttpsClient class to request to server as below

HttpClient httpClient = new MyHttpClient(getApplicationContext());
HttpPost httpPost = new HttpPost("https://xxxxx.co.in/");
HttpResponse httpResponse = httpClient.execute(httpPost);

3) While executing statement "HttpResponse httpResponse = httpClient.execute(httpPost);"

I got this error:

03-22 15:13:56.178  30079-30173/com.revu.revu W/System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    03-22 15:13:56.230  30079-30173/com.revu.revu W/System.err﹕ at com.android.org.conscrypt.SSLNullSession.getPeerCertificates(SSLNullSession.java:104)
    03-22 15:13:56.263  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:98)
    03-22 15:13:56.312  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:393)
    03-22 15:13:56.353  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170)
    03-22 15:13:56.388  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
    03-22 15:13:56.426  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
    03-22 15:13:56.469  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:379)
    03-22 15:13:56.508  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:580)
    03-22 15:13:56.545  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:503)
    03-22 15:13:56.583  30079-30173/com.revu.revu W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:481)

Answer 1

// Load CAs from an InputStream
                    // (could be from a resource or ByteArrayInputStream or ...)
                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
                    // From https://www.washington.edu/itconnect/security/ca/load-der.crt
                    AssetManager am = getAssets();
                    InputStream caInput = new BufferedInputStream(am.open("your_cert.crt"));
                    Certificate ca;
                    try {
                        ca = cf.generateCertificate(caInput);
                        System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
                    } finally {
                        caInput.close();
                    }
                // Create a KeyStore containing our trusted CAs
                String keyStoreType = KeyStore.getDefaultType();
                KeyStore keyStore = KeyStore.getInstance(keyStoreType);
                keyStore.load(null, null);
                keyStore.setCertificateEntry("ca", ca);

               TrustManager[] trustManagers = tmf.getTrustManagers();
final X509TrustManager origTrustmanager = (X509TrustManager)trustManagers[0];

TrustManager[] wrappedTrustManagers = new TrustManager[]{
   new X509TrustManager() {
       public java.security.cert.X509Certificate[] getAcceptedIssuers() {
          return origTrustmanager.getAcceptedIssuers();
       }

       public void checkClientTrusted(X509Certificate[] certs, String authType) {
           origTrustmanager.checkClientTrusted(certs, authType);
       }

       public void checkServerTrusted(X509Certificate[] certs, String authType) {
           try {
               origTrustmanager.checkServerTrusted(certs, authType);
           } catch (CertificateExpiredException e) {}
       }
   }
};

SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, wrappedTrustManagers, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); 




                // Tell the URLConnection to use a SocketFactory from our SSLContext
                AppLog.LogE(getClass().getName(), "Licensing Url is " + request.toString());
                URL url = new URL(request.toString());
                HttpsURLConnection urlConnection =
                        (HttpsURLConnection)url.openConnection();
                urlConnection.setSSLSocketFactory(context.getSocketFactory());
                InputStream in = urlConnection.getInputStream();
                String line = "";
                BufferedReader rd = new BufferedReader(new InputStreamReader(in));
                while ((line = rd.readLine()) != null) {
                    strResponse += line;
                }

Hope this will help you to achieve your goal.