
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found #32

Closed
Giovanni-94 opened this issue Feb 14, 2018 · 16 comments

@Giovanni-94

Hi @TommyJ1994,
thanks for this template. I changed the file json for my configuration, and I set the Valid Redirect URIs in my keycloak with:
com.feedhenry.securenativeandroidtemplate:/callback.
When I run the template, Android Studio give me this exception:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Can you tell me something?

Thanks in advance

@Allan-Nava

Hi @TommyJ1994,

I have the same problem, any news?

@tomjackman
Contributor

@Giovanni-94 @Allan-Nava Looking 👀

@tomjackman tomjackman self-assigned this Feb 14, 2018
@tomjackman
Contributor

tomjackman commented Feb 14, 2018

Is your Keycloak server running locally/over HTTP? I think this might cause issues as we require HTTPS for performing the authentication (namely for the token exchange).

@Giovanni-94 does this happen on app start, any other errors/stack traces?

@tomjackman
Contributor

tomjackman commented Feb 14, 2018

@Giovanni-94 @Allan-Nava

Actually, I think I know what the issue is. We are performing certificate pinning in our app. You might want to update the URL/pins defined in this file: https://github.com/feedhenry/mobile-security-android-template/blob/master/app/src/main/res/xml/network_security_config.xml

  1. Change the host in that file to the hostname of your server.
  2. Change the primary pin hash in the file to the one of your server. You can get the pin for a website using the following command:

```sh
# </dev/null makes s_client exit after the handshake instead of waiting on stdin;
# 2>/dev/null hides the connection chatter so only the base64 pin is printed.
openssl s_client -servername www.CHANGE-ME.com -connect www.CHANGE-ME.com:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

@Giovanni-94
Author

Hi @TommyJ1994 ,

This is the hostname?
```xml
<domain includeSubdomains="true">security.feedhenry.org</domain>
```
https://github.com/feedhenry/mobile-security-android-template/blob/master/app/src/main/res/xml/network_security_config.xml#L4

@tomjackman
Contributor

@Giovanni-94 Yes, that's the one.

@Giovanni-94
Author

Giovanni-94 commented Feb 14, 2018

Thanks @TommyJ1994,
I did what you told me and now I don't get the exception, but the emulator gives me this:

[screenshot 2018-02-14 at 15:59:29]

The logcat gives me these errors:

```
02-14 14:56:31.639 25183-25212/com.feedhenry.securenativeandroidtemplate I/cox: javax.net.ssl.SSLHandshakeException: Certificate validation failed for h**********.com
02-14 14:56:31.641 25183-25212/com.feedhenry.securenativeandroidtemplate W/Certificate Pinning: Certificate Pinning Validation Failed
    javax.net.ssl.SSLHandshakeException: Certificate validation failed for h**********.com
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:219)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:299)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:268)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:160)
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134)
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
        at okhttp3.RealCall$AsyncCall.execute(RealCall.java:147)
        at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
        at java.lang.Thread.run(Thread.java:764)
     Caused by: java.security.cert.CertificateException: Certificate validation failed for h********.com
        at com.datatheorem.android.trustkit.pinning.PinningTrustManager.checkServerTrusted(PinningTrustManager.java:150)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:201)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:399)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.SslWrapper.doHandshake(SslWrapper.java:374)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:217)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:299)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:268)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:160)
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134)
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
        at okhttp3.RealCall$AsyncCall.execute(RealCall.java:147)
        at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
        at java.lang.Thread.run(Thread.java:764)
```

@tomjackman
Contributor

@Giovanni-94 Ok, so the certificate pinning is failing. It means that the cert info on the client doesn't match the one presented by the server.

For your primary pin (https://github.com/feedhenry/mobile-security-android-template/blob/master/app/src/main/res/xml/network_security_config.xml#L7) have you set this value?
ysMO+i9uhkRfGsAe1090FpKW1XWuWlOzIDzVYvrkJJo=
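To make concrete what the openssl pipeline earlier in the thread computes and what the pinning check above compares, here is an added example (not code from the mobile-security-android-template project or from TrustKit): a pin is `base64(SHA-256(DER(SubjectPublicKeyInfo)))`, so it covers the server's public key, not the whole certificate. The certificate below is a constructed DER skeleton with dummy key, name and signature bytes, built only so the example runs offline; the function names (`extract_spki`, `spki_pin`, `pin_matches`, `build_sample_cert`) are this example's own.

```python
"""Compute and check an SPKI pin of the kind network_security_config.xml expects.

pin = base64(SHA-256(DER SubjectPublicKeyInfo)), i.e. what
`openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`
prints. A minimal DER walker is enough to pull the SPKI out of a certificate.
"""
import base64
import hashlib


def der_encode(tag, value):
    """Encode one DER TLV: tag byte, definite length (short or long form), value."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + value


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der)
    _, tbs = der_children(cert_body)[0]
    fields = der_children(tbs)
    offset = 1 if fields[0][0] == 0xA0 else 0  # explicit [0] version is optional (v1 certs omit it)
    tag, value = fields[offset + 5]
    return der_encode(tag, value)  # re-attach the header: the hash covers the full SPKI encoding


def spki_pin(cert_der):
    """The value that goes into <pin digest="SHA-256"> for this certificate's key."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def pin_matches(cert_der, configured_pins):
    """Pinning check: the presented key must hash to one of the configured pins."""
    return spki_pin(cert_der) in set(configured_pins)


# --- constructed sample certificate (DER skeleton only, not a real or usable cert) ---
RSA_OID = bytes.fromhex("2A864886F70D010101")        # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
CN_OID = bytes.fromhex("550403")                     # 2.5.4.3 commonName


def make_spki(key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))


def _name(cn):
    atv = der_encode(0x06, CN_OID) + der_encode(0x0C, cn)
    return der_encode(0x30, der_encode(0x31, der_encode(0x30, atv)))


def build_sample_cert(spki, with_version=True):
    """Assemble a structurally valid certificate around the given SPKI (dummy signature)."""
    sig_alg = der_encode(0x30, der_encode(0x06, SHA256_RSA_OID) + der_encode(0x05, b""))
    version = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    validity = der_encode(0x30, der_encode(0x17, b"180214000000Z") + der_encode(0x17, b"190214000000Z"))
    tbs = der_encode(0x30, version + der_encode(0x02, b"\x01") + sig_alg
                     + _name(b"Example CA") + validity + _name(b"keycloak.example.test") + spki)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + b"\x00" * 256))


SAMPLE_SPKI = make_spki(b"\x42" * 270)  # >127 bytes, so long-form lengths are exercised
SAMPLE_CERT = build_sample_cert(SAMPLE_SPKI)

if __name__ == "__main__":
    pin = spki_pin(SAMPLE_CERT)
    print("computed pin:", pin)
    print("matches configured pins:", pin_matches(SAMPLE_CERT, [pin]))
    # A certificate reissued for a different key fails the pin check, which is the
    # "Certificate validation failed" case in the logcat above.
    rekeyed = build_sample_cert(make_spki(b"\x43" * 270))
    print("rekeyed cert matches:", pin_matches(rekeyed, [pin]))
```

Two things this shows that the command line alone does not: a renewal that keeps the same key pair keeps the same pin, while a re-keyed certificate (or a proxy presenting its own certificate) produces a different one and trips the pinning trust manager; and the pin configured for a host must be derived from the certificate that host actually serves, which is why the question about the Keycloak hostname above matters.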

@Giovanni-94
Author

Yes @TommyJ1994. Below you find the screenshot:
[screenshot 2018-02-14 at 16:26:15]

@tomjackman
Contributor

@Giovanni-94 Can you double check that the hostname you are getting the pin for is actually the Keycloak server?

You can use https://www.ssllabs.com/ssltest/index.html to easily get the pin. Just enter in the hostname, after a few seconds click the first link to your server, and at the top of the page there will be a PIN-SHA256 specified.

@Giovanni-94
Author

Thanks a lot @TommyJ1994, I solved my problem

@tomjackman
Contributor

Great News @Giovanni-94, I will close this issue now. 🎉

@NmrRaya

NmrRaya commented Mar 12, 2020

> Thanks a lot @TommyJ1994, I solved my problem

how?

@viditbudania

> Thanks a lot @TommyJ1994, I solved my problem

how???

@Hrushikesh555

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

@fastepic

fastepic commented Feb 8, 2021

> Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Hmmm. Certificates for the server checked and correct. Tested on hardware Android... How can we solve it?


7 participants