Unable to forward SMS using self-signed certificates, java.security.cert.CertPathValidatorException

Open arzam16 opened this issue 1 year ago • 2 comments

Steps to reproduce:

  1. Generate new Root CA and self-signed endpoint certificates on the server (no domains are used, the endpoint is supposed to be accessed via its IP address)
  2. Import 2 new certificates using Android's System Settings
  3. In Deku, add a new Gateway server https://x:y/endpoint where x is the IP address (not the domain) and y is the port of the endpoint.
  4. Receive an SMS, wait for it to get queued
  5. Watch the message getting stuck in the queue forever:
02-11 01:24:28.879  8051  8213 D com.afkanerd.deku.Router.Router.RouterHandler: Request to router: {
[snip]
02-11 01:24:28.879  8051  8213 D com.afkanerd.deku.Router.Router.RouterHandler: }
02-11 01:24:28.955  8051  8213 W System.err: java.util.concurrent.ExecutionException: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.toolbox.RequestFuture.doGet(RequestFuture.java:124)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.toolbox.RequestFuture.get(RequestFuture.java:97)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.afkanerd.deku.Router.Router.RouterHandler.routeJsonMessages(RouterHandler.java:68)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.afkanerd.deku.Router.Router.RouterWorkManager.doWork(RouterWorkManager.java:31)
02-11 01:24:28.956  8051  8213 W System.err: 	at androidx.work.Worker$1.run(Worker.java:82)
02-11 01:24:28.956  8051  8213 W System.err: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
02-11 01:24:28.956  8051  8213 W System.err: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
02-11 01:24:28.956  8051  8213 W System.err: 	at java.lang.Thread.run(Thread.java:923)
02-11 01:24:28.956  8051  8213 W System.err: Caused by: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.toolbox.NetworkUtility.shouldRetryException(NetworkUtility.java:173)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:145)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:132)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)
02-11 01:24:28.956  8051  8213 W System.err: Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
02-11 01:24:28.956  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:849)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:722)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:217)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:131)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:262)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:219)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:30)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.volley.toolbox.HurlStack.createOutputStream(HurlStack.java:319)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.volley.toolbox.HurlStack.addBody(HurlStack.java:301)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.volley.toolbox.HurlStack.addBodyIfExists(HurlStack.java:285)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.volley.toolbox.HurlStack.setConnectionParametersForRequest(HurlStack.java:257)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.volley.toolbox.HurlStack.executeRequest(HurlStack.java:89)
02-11 01:24:28.957  8051  8213 W System.err: 	at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:104)
02-11 01:24:28.957  8051  8213 W System.err: 	... 3 more
02-11 01:24:28.958  8051  8213 W System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:677)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:554)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:428)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:356)
02-11 01:24:28.958  8051  8213 W System.err: 	at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
02-11 01:24:28.958  8051  8213 W System.err: 	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:161)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:250)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1644)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:568)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
02-11 01:24:28.958  8051  8213 W System.err: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
02-11 01:24:28.958  8051  8213 W System.err: 	... 29 more
02-11 01:24:28.958  8051  8213 W System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-11 01:24:28.958  8051  8213 W System.err: 	... 43 more

Would be cool to have some "ignore all this SSL bullshit and continue as is" toggle in Deku.

arzam16 avatar Feb 10 '24 22:02 arzam16

What's interesting is that adding

            <certificates src="user" />

to <trust-anchors> in network_security_config.xml doesn't help at all, while it should have worked because I've got my own Root CA already imported and the certificate I use for the Gateway Server has been issued by this very CA. Nevertheless, I've been getting the same error as above.

I've "solved" this issue by following this SO answer. Yes, I had to install Android Studio and rebuild Deku from source, but it's better than nothing atm, I guess.

arzam16 avatar Feb 11 '24 19:02 arzam16
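For comparison with the "ignore all this SSL" toggle requested above, here is an added example (not from this issue or the Deku code base) of a network_security_config.xml that lets an app trust a private Root CA without disabling certificate verification. The file path and the `gateway_root_ca` raw-resource name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml. It only takes
     effect if AndroidManifest.xml declares
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Since Android 7 (API 24) apps ignore user-installed CAs unless a config
     like this opts in, which is why a gateway signed by a private Root CA
     fails with "Trust anchor for certification path not found". -->
<network-security-config>

    <!-- All builds: system roots plus the project's own Root CA shipped as
         res/raw/gateway_root_ca.pem (placeholder name; PEM or DER works).
         Bundling the CA is preferable to src="user": it needs no import via
         System Settings, and no other user-installed CA can issue a
         certificate the app will accept. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/gateway_root_ca" />
        </trust-anchors>
    </base-config>

    <!-- Debuggable builds only: additionally accept CAs the user installed,
         which covers the "import 2 new certificates via System Settings"
         step in the report. This block is ignored when android:debuggable
         is false, so it cannot be left enabled in a shipped build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Trust and hostname verification are separate checks: for a gateway addressed by IP, the server certificate must also carry that IP in a subjectAltName iPAddress entry, otherwise the handshake fails on the hostname check even once the chain validates.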

I'd accept a PR for

Would be cool to have some "ignore all this SSL bullshit and continue as is" toggle in Deku.

sherlockwisdom avatar Feb 11 '24 21:02 sherlockwisdom