Monday, May 11, 2015

java.security.cert.CertificateException: no trust anchor defined

Or also "Trust anchor for certification path not found "


If you see a "java.security.cert.CertificateException: no trust anchor defined", most likely it means that someone has messed up the Certificate, for instance replacing a trusted CA certificate with a Self-Signed certificate.

you can use "openssl s_client -debug -connect yourhost:yourport" and check for the dreaded "verify error:num=18:self signed certificate"

In case you use an Oracle Wallet to hold certificates, you can do a

orapki wallet display -wallet /path/to/wallet -summary

http://docs.oracle.com/cd/B28359_01/network.111/b28530/asoappf.htm#i636653


Here https://medium.com/@kibotu/handling-custom-ssl-certificates-on-android-and-fixing-sslhandshakeexception-65ffb9dc612e some troubleshooting is suggested

#this to display the server's certificates
openssl s_client -connect myserver.com:443 -showcerts


#to save server cert to pem format
openssl s_client -connect google.com:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform PEM > googlecert.pem

The JVM trusted CA certs are in $JAVA_HOME/jre/lib/security/cacerts

To add an entry in cacerts:

keytool -import -trustcacerts -keystore cacerts -storepass changeit -alias googleca -import -file googlecert.pem

To examine the content of cacerts , use https://keystore-explorer.org/


To dump all your trustedCA()

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;


public class TM {
    public static void main(String[] args) throws Exception {
        TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
        factory.init((KeyStore) null);
        TrustManager[] tms = factory.getTrustManagers();
        X509TrustManager tm = (X509TrustManager) tms[0];
        X509Certificate[] ai = tm.getAcceptedIssuers();
        Arrays.stream(ai).forEach(item -> System.out.println(item.toString()));
    }
}




Here https://nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/ a dirty trick to trust all certificates:


import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;
 
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
 
public class Example {
    public static void main(String[] args) throws Exception {
        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                }
            }
        };
 
        // Install the all-trusting trust manager
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 
        // Create all-trusting host name verifier
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
 
        // Install the all-trusting host verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
 
        URL url = new URL("https://www.nakov.com:2083/");
        URLConnection con = url.openConnection();
        Reader reader = new InputStreamReader(con.getInputStream());
        while (true) {
            int ch = reader.read();
            if (ch==-1) {
                break;
            }
            System.out.print((char)ch);
        }
    }
}




No comments: