I'm using Google's HTTP Client for Java in my Android app. My server is temporarily using a self-signed certificate while we do QA testing. We'll have a properly signed cert when we release, but for now I just need to ignore the...

CertPathValidatorException: Trust anchor for certification path not found.

... error message and tell the API to continue processing the HTTP request/response.

I can't find anything in Google's documentation on where I can disable this check. I found several StackOverflow posts for other APIs, but not the Google HTTP Client. Any help?

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.UrlEncodedContent;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.Maps;
import com.google.api.client.util.escape.CharEscapers;

...

// JSON_FACTORY and defaultTimeoutSeconds() are defined elsewhere in the app (elided above).
static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
HttpRequestFactory requestFactory =
        HTTP_TRANSPORT.createRequestFactory(new HttpRequestInitializer() {
            @Override
            public void initialize(HttpRequest request) {
                request.setParser(new JsonObjectParser(JSON_FACTORY));
                // Timeouts are in milliseconds; defaultTimeoutSeconds() returns seconds.
                request.setConnectTimeout(defaultTimeoutSeconds() * 1000);
                request.setReadTimeout(defaultTimeoutSeconds() * 1000);
            }
        });
Kenny Wyland
  • What is "Google's HTTP Client for Java"? Do you mean the `HttpClient` API that is in the Android SDK (and has been discontinued for some time)? Do you mean an independent library offering a more-current version of Apache's HttpClient classes? Do you mean something else? Regardless, on Android 7.0+, you can use network security configuration to teach Android about your self-signed certificate: https://developer.android.com/training/articles/security-config.html – CommonsWare Aug 30 '17 at 23:30
  • I'm using com.google.api.client.http.* found at https://developers.google.com/api-client-library/java/ – Kenny Wyland Aug 30 '17 at 23:54
  • And my QA testers are going to be testing Android 5.0+ so I won't be able to use the 7.0+ solution, but I'll definitely read through that for future knowledge! – Kenny Wyland Aug 30 '17 at 23:56
  • I know this is a bit late, but they have a method now to not validate certs. So something like this: `NetHttpTransport.Builder builder = new NetHttpTransport.Builder(); builder.doNotValidateCertificate(); builder.setProxy(proxy); requestFactory = builder.build().createRequestFactory();` – mega-crazy May 14 '19 at 16:47

1 Answer

I spent some time crawling through the javadocs for Google's HttpTransport and found my answer indirectly.

Google provides two implementations of HttpTransport: NetHttpTransport and ApacheHttpTransport. The former uses Java's basic HttpURLConnection to do all of the communication and is the preferred choice. The latter uses an Apache HttpClient under the covers, and the Google HttpTransport docs say to use the Apache one if you need advanced configuration parameters that aren't available in the basic NetHttpTransport.

Instead of initializing my transport constant like this:

static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();

I'm using the ApacheHttpTransport Builder which gives an option to skip the certificate validation.

... new ApacheHttpTransport.Builder().doNotValidateCertificate().build();

NOTE: For anyone coming to this answer later, this is A BAD IDEA. I'm only doing this in a controlled QA environment and for a short period of time while we get our properly signed SSL certificate in place. Once our signed cert is in place, then I'll be going back to the original code above and requiring a properly signed certificate for all of my app's API communication.

DO NOT DO THIS IN PRODUCTION CODE. :)

Kenny Wyland
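An alternative for the QA build that never turns validation off, added here as an example that is not part of the question or the answer above: instead of calling doNotValidateCertificate(), give the client a trust store that contains exactly the QA server's self-signed certificate. It uses NetHttpTransport.Builder.trustCertificatesFromStream(...) from google-http-client; the QA_CERT_PEM constant is a constructed placeholder that must be replaced with the real certificate, and the isQaBuild parameter is a hypothetical build switch (on Android it would normally come from BuildConfig.DEBUG or a QA product flavor).

```java
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

/** Builds the HttpTransport for QA and release builds without ever disabling validation. */
public final class TransportFactory {

    // Constructed placeholder, not a real certificate: replace with the PEM of the QA
    // server's self-signed certificate (on Android, e.g. read from res/raw/qa_server.crt).
    static final String QA_CERT_PEM =
            "-----BEGIN CERTIFICATE-----\n"
          + "...base64 DER of the QA server certificate goes here...\n"
          + "-----END CERTIFICATE-----\n";

    private TransportFactory() {}

    /**
     * Release builds use the stock transport, so the platform trust store decides.
     * QA builds get a transport whose trust store holds exactly the QA server's
     * certificate: that self-signed cert is accepted, any other certificate is
     * rejected, and hostname verification stays on (doNotValidateCertificate()
     * also switches the hostname verifier off). This is effectively pinning, which
     * is fine for a QA build that only talks to the QA API host.
     *
     * @param isQaBuild hypothetical build switch; on Android this would normally be
     *                  BuildConfig.DEBUG or a QA product flavor
     */
    public static HttpTransport create(boolean isQaBuild)
            throws GeneralSecurityException, IOException {
        if (!isQaBuild) {
            return new NetHttpTransport();
        }
        try (InputStream certStream =
                     new ByteArrayInputStream(QA_CERT_PEM.getBytes(StandardCharsets.US_ASCII))) {
            return new NetHttpTransport.Builder()
                    // Parses the X.509 certificate(s) in the stream into a fresh trust store
                    // and installs an SSLSocketFactory that trusts only those certificates.
                    .trustCertificatesFromStream(certStream)
                    .build();
        }
    }
}
```

Callers use TransportFactory.create(isQaBuild).createRequestFactory(...) exactly as in the question's code; when the properly signed certificate is deployed, the QA branch is simply deleted and the release path is what was already there. Because the trust store contains only the QA certificate, the certificate's subject alternative name must match the QA hostname, and the app's other HTTPS destinations, if any, need to go through a separate stock transport.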