How do I use CertificateException in a TrustManager?
I uploaded my application to the Play Store and received an email from Google developers saying that I must modify a statement in my https code. I am using the TrustManager feature to submit data over https. My URL has a valid SSL certificate and everything works fine. But I have a deadline to modify the code and add a CertificateException to it.
Google sent me this mail:
TrustManager
You can find more information about TrustManager in this Google Help Center article.
HostnameVerifier
Your app is using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article.
Here is my code:
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class HttpsTrustManager implements X509TrustManager {
    private static TrustManager[] trustManagers;
    private static final X509Certificate[] _AcceptedIssuers = new X509Certificate[]{};
    private X509Certificate[] x509Certificates;

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
            throws CertificateException {
        // accepts every client certificate without checking it
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
            throws CertificateException {
        // accepts every server certificate without checking it
    }

    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }

    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return _AcceptedIssuers;
    }

    public static void allowAllSSL() {
        // hostname verifier that accepts any host name for any session
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        });
        SSLContext context = null;
        if (trustManagers == null) {
            trustManagers = new TrustManager[]{new HttpsTrustManager()};
        }
        try {
            context = SSLContext.getInstance("TLS");
            context.init(null, trustManagers, new SecureRandom());
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    }
}
I hope you can help me. Thanks.
Solution
In your code, you just trust everything. That is not safe. As Google says, you should check the certificate and raise an exception. Like this,
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] x509Certificates, String s)
        throws CertificateException {
    // do some check here: if the x509Certificates are not valid, just raise a CertificateException.
    // this will check the certificate against the expected host name
    if (x509Certificates == null || x509Certificates.length == 0
            || !checkTheHostName(x509Certificates[0], "www.yourhostname.com")) {
        throw new CertificateException("the certificate is invalid ...");
    }
}

private boolean checkTheHostName(X509Certificate certificate, String hostName) {
    return OkHostnameVerifier.INSTANCE.verify(hostName, certificate);
}
The OkHostnameVerifier's code is here:
https://android.googlesource.com/platform/external/okhttp/+/e82a796/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java
And the verifier code:
@Override
public boolean verify(String hostName, SSLSession session) {
    // here you should check the hostName through the session
    // do not just return true here, because it's not safe (man-in-the-middle attack)
    try {
        Certificate[] certificates = session.getPeerCertificates();
        return OkHostnameVerifier.INSTANCE.verify(hostName, (X509Certificate) certificates[0]);
    } catch (SSLPeerUnverifiedException e) {
        return false; // the peer's identity could not be verified
    }
}