Android error in webview.loadUrl() - Trust anchor for certification path not found

Question

I have a webview for load url, but not work.

Look at my code:

public class MainActivity extends AppCompatActivity {    @Override   protected void onCreate(Bundle savedInstanceState) {     super.onCreate(savedInstanceState);     setContentView(R.layout.activity_main);      WebView wv = (WebView) findViewById(R.id.webView);      //Log.d("rudyy", "aqui");     wv.loadUrl("https://tripulanteaims.tam.com.br/wtouch/wtouch.exe/index");     //Log.d("rudyy", "fim");     } } 

When execute this code, android return this error :

Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 

Help-me please.

Answer 1

Create a WebViewClient:

private class WvClient extends WebViewClient  {     @Override     public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError er) {         handler.proceed();          // Ignore SSL certificate errors     } } 

And set the initialized WebViewClient ("WvClient") to your WebView ("wv" in that case):

wv.setWebViewClient(new WvClient()); 

Or in one line:

 wv.setWebViewClient(new WebViewClient() {@Override public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError er){ handler.proceed(); }}); 

Answer 2

I was dealing with this and quite frankly allowing MITM attacks is a no-no. Here is a cleaner solution that supports pinning. Save the certificate into your raw resource folder.
NOTE: Sadly, SSLError gives us an SslCertificate when you call getCertificate(). SslCertificate is kind of useless. It's public API doesn't allow you to verify the public key, only the created on, expired date, issued to, issued by. However, if you open up this class you will see an X509Certificate member variable that is un-exposed. IDK why this design decision was taken. But there is an API for getting the Bundle, and that X509 Certificate member variable gets stored in there. So we access it that way, because the Certificate has a lot more useful methods on it.

@Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {     SslCertificate sslCertificateServer = error.getCertificate();     Certificate pinnedCert = getCertificateForRawResource(R.raw.your_cert, mContext);     Certificate serverCert = convertSSLCertificateToCertificate(sslCertificateServer);      if(pinnedCert.equals(serverCert)) {         handler.proceed();     } else {         super.onReceivedSslError(view, handler, error);     } }  public static Certificate getCertificateForRawResource(int resourceId, Context context) {     CertificateFactory cf = null;     Certificate ca = null;     Resources resources = context.getResources();     InputStream caInput = resources.openRawResource(resourceId);      try {         cf = CertificateFactory.getInstance("X.509");         ca = cf.generateCertificate(caInput);     } catch (CertificateException e) {         Log.e(TAG, "exception", e);     } finally {         try {             caInput.close();         } catch (IOException e) {             Log.e(TAG, "exception", e);         }     }      return ca; }  public static Certificate convertSSLCertificateToCertificate(SslCertificate sslCertificate) {     CertificateFactory cf = null;     Certificate certificate = null;     Bundle bundle = sslCertificate.saveState(sslCertificate);     byte[] bytes = bundle.getByteArray("x509-certificate");      if (bytes != null) {         try {             CertificateFactory certFactory = CertificateFactory.getInstance("X.509");             Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));             certificate = cert;         } catch (CertificateException e) {             Log.e(TAG, "exception", e);         }     }      return certificate; }