
I am working on a banking application in which the client and server talk over HTTPS for security, so I have to add SSL pinning in Android using RestTemplate. I checked many links for RestTemplate code, but it does not work properly. Is this correct for SSL pinning in Android? I found this code on Google.Developer.android.

I have already added the cert certificate to my application, but how do I connect it with RestTemplate:

    import android.content.Context;
    import android.util.Log;

    import java.io.BufferedInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManagerFactory;

    // Loads the bundled certificate and installs it as the only trust anchor
    // for every HttpsURLConnection opened afterwards in this process.
    void installPinnedTrust(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Place your 'your_cert.crt' file in res/raw
        InputStream is = ctx.getResources().openRawResource(R.raw.cedgenetbankingin);
        InputStream caInput = new BufferedInputStream(is);

        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
            System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
        } finally {
            caInput.close();
        }

        // Create a KeyStore containing our trusted CAs
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        // Create an SSLContext that uses our TrustManager
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        // WARNING: this verifier accepts every hostname, so any certificate that
        // chains to the pinned CA is accepted for any host. Keep the platform's
        // default HostnameVerifier (or check the expected host) instead of
        // returning true unconditionally.
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                Log.i("JJ", "true--");
                return true;
            }
        };
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
    }

Note: Is adding the certificate enough? I added the crt file from the raw folder. If I make some change in the file I get an exception, so RestTemplate does not make the call. If the file is correct, does that mean it is working?

RestTemplate code:

    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.ResponseEntity;
    import org.springframework.http.converter.StringHttpMessageConverter;
    import org.springframework.web.client.RestTemplate;

    // url, str_encodedparams, respo and createHttpHeaders() come from the
    // surrounding activity code. RestTemplate's default request factory
    // (SimpleClientHttpRequestFactory) opens an HttpsURLConnection for https
    // URLs, so it picks up the default socket factory and hostname verifier
    // installed above.
    RestTemplate restTemplate = new RestTemplate();
    try {
        restTemplate.getMessageConverters().add(new StringHttpMessageConverter());

        HttpHeaders headers = createHttpHeaders();
        HttpEntity<String> entity = new HttpEntity<>(str_encodedparams, headers);

        ResponseEntity<String> response = restTemplate.postForEntity(url, entity, String.class);

        System.out.println("Result - status (" + response.getStatusCode() + ") has body: " + response.hasBody());
        respo = response.getBody();
        System.out.println(respo);
    } catch (Exception eek) {
        eek.printStackTrace();
        System.out.println("** Exception: " + eek.getMessage());
    }

1 Answer


The best way to apply certificate pinning in an Android application is to pin against the public key of the certificate, which allows you to rotate certificates on the backend without releasing a new version of the mobile app, provided you sign the new certificate with the same key. For a certificate that has been compromised, we usually provide a backup pin so that you have time to release a new version of the mobile app.

I wrote the article Securing HTTPS with Certificate Pinning on Android, which takes this approach and combines the network security config file with the TrustKit package:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <!-- Official Android N API -->
    <!--https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html-->
    <domain-config>
        <domain>currency-converter-demo.pdm.approov.io</domain>
        <trust-anchors>
            <!--<certificates src="user" />-->
            <certificates src="system" />
        </trust-anchors>
        <pin-set>
            <!-- Pin for: currency-converter-demo.pdm.approov.io -->
            <pin digest="SHA-256">qXHiE7hFX2Kj4ZCtnr8u8yffl8w9CTv6kE0U5j0o1XY=</pin>

            <!-- Backup Pin for: currency-converter-demo.pdm.approov.io -->
            <pin digest="SHA-256">47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</pin>
        </pin-set>

        <!-- TrustKit Android API -->
        <!-- enforce pinning validation -->
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <!-- Add a reporting URL for pin validation reports -->
            <report-uri>https://report.pdm.approov.io/pinning-violation/report</report-uri>
        </trustkit-config>
    </domain-config>

</network-security-config>

Please read the linked article to better understand how everything fits together and to see the example demo.

answered 2019-09-20T17:17:30.490
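As an added example (not code from the question, the answer or the linked article): each value in the answer's `<pin-set>` is base64(SHA-256(DER SubjectPublicKeyInfo)), which is why a renewed certificate that keeps the same key pair still matches the pin, whereas a trust store that holds only the current server certificate, as in the question, needs a new app build whenever that certificate is replaced. The script below derives such pins from DER certificates with a minimal DER walker so that it runs offline; the keys (256-bit stand-ins for real RSA moduli), the three certificates and the host name `demo.example` are constructed here and are not real. It also checks one value a practitioner should recognise: the backup pin in the answer's config, `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, is the SHA-256 of empty input, so it can never match any key and provides no rotation path by itself. For production pins, hash the real chain's SPKI with openssl or the `cryptography` package rather than this parser.

```python
"""Derive Android network-security-config / TrustKit SPKI pins from DER
certificates without third-party libraries.

    pin = base64( SHA-256( DER(SubjectPublicKeyInfo) ) )

All keys, certificates and the host name are constructed inline so the
script runs offline; the certificates carry a dummy signature, which does
not matter for pin derivation.
"""
import base64
import hashlib


# ---- minimal DER encoder, just enough to build a test certificate -------
def der(tag, payload):
    """Tag-Length-Value with short or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload


def seq(*items):
    return der(0x30, b"".join(items))


def integer(n):
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def bit_string(payload):
    return der(0x03, b"\x00" + payload)  # zero unused bits


def name(cn):
    # Name ::= SEQUENCE OF RelativeDistinguishedName; one RDN holding CN=...
    atv = seq(bytes.fromhex("0603550403"), der(0x0C, cn.encode()))
    return seq(der(0x31, atv))


RSA_ENCRYPTION = seq(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")
SHA256_WITH_RSA = seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key (RFC 3279 / RFC 5280)."""
    return seq(RSA_ENCRYPTION, bit_string(seq(integer(modulus), integer(exponent))))


def fake_cert(serial, cn, spki):
    """Syntactically valid X.509 v3 certificate with a dummy signature."""
    version = der(0xA0, integer(2))  # [0] EXPLICIT version v3
    validity = seq(der(0x17, b"190101000000Z"), der(0x17, b"200101000000Z"))
    tbs = seq(version, integer(serial), SHA256_WITH_RSA, name("Demo CA"),
              validity, name(cn), spki)
    return seq(tbs, SHA256_WITH_RSA, bit_string(b"\x00" * 32))


# ---- DER walker used on the verifying side --------------------------------
def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + header, pos + header + length


def elements(buf, start, end):
    """Yield (tag, element_start, element_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, _, stop = read_tlv(buf, pos)
        yield tag, pos, stop
        pos = stop


def extract_spki(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of a DER certificate."""
    tag, tbs_pos, _ = read_tlv(cert_der, 0)  # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, start, end = read_tlv(cert_der, tbs_pos)  # tbsCertificate
    fields = list(elements(cert_der, start, end))
    if fields and fields[0][0] == 0xA0:  # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki_start, spki_end = fields[5]
    if tag != 0x30:
        raise ValueError("unexpected tag for subjectPublicKeyInfo")
    return cert_der[spki_start:spki_end]


def pin_of_spki(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der):
    """The value that goes into <pin digest="SHA-256">...</pin>."""
    return pin_of_spki(extract_spki(cert_der))


def cert_pin(cert_der):
    """Hash of the whole certificate: changes on every renewal."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def is_placeholder_pin(pin):
    """True for base64(SHA-256(b"")), a 'backup pin' that can never match."""
    return pin == pin_of_spki(b"")


# ---- constructed sample data (not real keys or hosts) ---------------------
KEY_A = (1 << 255) | 0x1234567  # modulus stand-ins; real keys are 2048+ bits
KEY_B = (1 << 255) | 0x7654321
HOST = "demo.example"
CERT_2019 = fake_cert(1001, HOST, rsa_spki(KEY_A))
CERT_2020 = fake_cert(1002, HOST, rsa_spki(KEY_A))  # renewed, same key pair
CERT_NEW_KEY = fake_cert(1003, HOST, rsa_spki(KEY_B))

if __name__ == "__main__":
    for label, c in (("2019", CERT_2019), ("2020", CERT_2020), ("new key", CERT_NEW_KEY)):
        print(f"{label:8s} spki pin {spki_pin(c)}  cert pin {cert_pin(c)}")
    print("answer's backup pin is a placeholder:",
          is_placeholder_pin("47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="))
```

Running it shows the 2019 and 2020 certificates sharing one SPKI pin while their whole-certificate hashes differ, and the new-key certificate getting a different pin; that second pin is what a real backup entry should hold (the SPKI of a key kept offline), so that a compromise can be handled by switching keys without an emergency app release.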