How to fix "Unsafe implementation of the interface X509TrustManager" - Google Play
When I try to upload my app to Google Play I get the message "Unsafe implementation of the interface X509TrustManager". The message from Google Play says:
"To avoid problems when verifying SSL certificates, please change the code of the checkServerTrusted method in your X509TrustManager interface so that it throws a CertificateException or an IllegalArgumentException when it detects a suspicious certificate."
All the options I found use the checkValidity method to verify the certificate, but Google also adds:
"Do not use checkValidity to verify the server's certificate. This method checks the validity period of the certificate, not its security."
How do I correctly change the code of the checkServerTrusted method? My current X509TrustManager implementation:
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

X509TrustManager trustManager = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] cArrr = new X509Certificate[0];
        return cArrr;
    }

    @Override
    public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
        try {
            // Only checks the leaf certificate's notBefore/notAfter window,
            // not the chain signatures or the trust anchor
            chain[0].checkValidity();
        } catch (Exception e) {
            throw new CertificateException("Certificate not valid or trusted.");
        }
    }

    @Override
    public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
    }
};
Solution
I had this error before. In my case, this is what fixed it:
import android.annotation.SuppressLint;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// static, because it is assigned from the static handleSSLHandshake() below
private static boolean isVerified;

@SuppressLint("TrulyRandom")
public static void handleSSLHandshake() {
    try {
        // Trust manager whose check methods never throw, so every server certificate is accepted
        TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        }};
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        // Host name check: only the configured host plus Google Maps hosts are accepted
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(final String host, final SSLSession session) {
                System.out.print("host" + host + "\n");
                isVerified = host.equalsIgnoreCase(Constants.hostNameVerifierString)
                        || host.contains("google") || host.contains("gstatic");
                System.out.print(isVerified);
                return isVerified;
            }
        });
    } catch (Exception ignored) {
    }
}
In the activity that makes the network calls, you can call the handleSSLHandshake() method. Or, if you use Dagger or any other dependency injection library, you should be able to inject it wherever you create the network calls.
Constants.hostNameVerifierString is the URL I use for the network calls; "google" and "gstatic" are added because I also use Google Maps.
I changed the X509TrustManager implementation in the following way, and the app passed Google Play's check:
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

TrustManager[] victimizedManager = new TrustManager[]{
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] myTrustedAnchors = new X509Certificate[0];
            return myTrustedAnchors;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Reject an empty chain or auth type with IllegalArgumentException, as the Play message asks
            if (chain == null || chain.length == 0) throw new IllegalArgumentException("Certificate is null or empty");
            if (authType == null || authType.length() == 0) throw new IllegalArgumentException("Authtype is null or empty");
            // Only the key-exchange types listed here are accepted
            if (!authType.equalsIgnoreCase("ECDHE_RSA") &&
                !authType.equalsIgnoreCase("ECDHE_ECDSA") &&
                !authType.equalsIgnoreCase("RSA") &&
                !authType.equalsIgnoreCase("ECDSA")) throw new CertificateException("Certificate is not trust");
            try {
                // Checks the leaf certificate's validity period only
                chain[0].checkValidity();
            } catch (Exception e) {
                throw new CertificateException("Certificate is not valid or trusted");
            }
        }
    }
};
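What the Play warning is asking for is a checkServerTrusted that actually rejects chains the platform would not trust. Neither checkValidity() (which only checks the leaf's validity period) nor a whitelist of authType strings verifies the chain's signatures or that it ends at a trusted root, so a trust manager built only from those checks still accepts a certificate issued by anyone. The block below is an added example, not code from the question or the answer above: an X509TrustManager that delegates path validation to the platform's default trust manager and optionally pins hex SHA-256 hashes of the server's SubjectPublicKeyInfo on top. The class name DelegatingTrustManager, the install() helper and the pin set are my own names; the pin values a caller passes are assumed to have been computed from the server's real certificate beforehand.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; this is example code, not from the question or the answer.
public final class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager platform;        // the platform's default trust manager
    private final Set<String> pinnedSpkiSha256Hex;  // hex SHA-256 of SubjectPublicKeyInfo; empty = no pinning

    private DelegatingTrustManager(X509TrustManager platform, Set<String> pins) {
        this.platform = platform;
        this.pinnedSpkiSha256Hex = Collections.unmodifiableSet(new HashSet<String>(pins));
    }

    // Builds the trust manager on top of the default trust store (a null KeyStore selects the platform CA store).
    public static DelegatingTrustManager create(Set<String> pins) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new DelegatingTrustManager((X509TrustManager) tm, pins);
            }
        }
        throw new GeneralSecurityException("no platform X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Argument checks: IllegalArgumentException is what the Play message asks for here.
        if (chain == null || chain.length == 0) throw new IllegalArgumentException("empty certificate chain");
        if (authType == null || authType.isEmpty()) throw new IllegalArgumentException("empty authType");

        // Full path validation (signatures, validity periods, trust anchor, basic constraints,
        // key usage) is done by the platform; it throws CertificateException on any failure.
        platform.checkServerTrusted(chain, authType);

        // Optional pinning on top of validation: at least one certificate in the chain must
        // carry a public key whose SPKI hash is in the pin set.
        if (pinnedSpkiSha256Hex.isEmpty()) return;
        for (X509Certificate cert : chain) {
            if (pinnedSpkiSha256Hex.contains(spkiSha256Hex(cert))) return;
        }
        throw new CertificateException("no certificate in the chain matches a pinned public key");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }

    // Hex SHA-256 over the DER-encoded SubjectPublicKeyInfo: the same digest Android's
    // Network Security Config pins, just hex- instead of base64-encoded.
    static String spkiSha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    // Installs the trust manager for HttpsURLConnection. The default HostnameVerifier is
    // deliberately left in place so the host name is still matched against the certificate.
    public static void install(Set<String> pins) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{ create(pins) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Calling DelegatingTrustManager.install(Collections.<String>emptySet()) gives exactly the platform's behaviour (which is what you get by not installing a custom trust manager at all); passing one or more pins adds key pinning, and a backup pin for the next key should be included so a certificate rotation does not lock the app out. Two caveats: on Android API 17 and later, android.net.http.X509TrustManagerExtensions.checkServerTrusted(chain, authType, host) returns the chain the platform actually validated, which is the correct chain to pin against when the server sends extra or reordered certificates; and on Android 7.0 and later the Network Security Config can express the same pinning declaratively without any X509TrustManager code.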