
I uploaded my app to the Play Store and received an email from the Google developers saying that I must change my https code. I am using the TrustManager function to submit data over https. My URL has a valid SSL certificate and everything works fine. But I have a deadline to modify the code and add CertificateException to it.

Google sent me:

TrustManager

You can find more information about TrustManager in this Google Help Center article.

HostnameVerifier

Your app is using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve this issue in this Google Help Center article.

Here is my code:

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Trust-all TrustManager: this is the code Google flagged, it never rejects a certificate.
public class HttpsTrustManager implements X509TrustManager {

    private static TrustManager[] trustManagers;
    private static final X509Certificate[] _AcceptedIssuers = new X509Certificate[]{};

    @Override
    public void checkClientTrusted(
            java.security.cert.X509Certificate[] x509Certificates, String s)
            throws CertificateException {
        // empty body: every client certificate is accepted
    }

    @Override
    public void checkServerTrusted(
            java.security.cert.X509Certificate[] x509Certificates, String s)
            throws CertificateException {
        // empty body: every server certificate is accepted, no chain validation at all
    }

    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }

    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return _AcceptedIssuers;
    }

    public static void allowAllSSL() {
        // Hostname verifier that accepts any host name: the second thing Google flagged
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {

            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }

        });

        SSLContext context;
        if (trustManagers == null) {
            trustManagers = new TrustManager[]{new HttpsTrustManager()};
        }

        try {
            context = SSLContext.getInstance("TLS");
            context.init(null, trustManagers, new SecureRandom());
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            // fail loudly instead of continuing with a null context
            throw new IllegalStateException("Unable to initialise SSLContext", e);
        }

        HttpsURLConnection.setDefaultSSLSocketFactory(context
                .getSocketFactory());
    }
}

I hope you can help me. Thank you.


1 Answer


In your code you simply trust everything. That is insecure. As Google says, you should check the certificate and raise an exception. Like this,

@Override
public void checkServerTrusted(
        java.security.cert.X509Certificate[] x509Certificates, String s)
        throws CertificateException {

    // do some check here: if the x509Certificates are not valid, just raise a CertificateException.

    // this will check the certificate
    if (!checkTheHostName(x509Certificates[0], "www.yourhostname.com")) {
        throw new CertificateException("the certificate is invalid ...");
    }
}


private boolean checkTheHostName(X509Certificate certificate, String hostName) {
    return OkHostnameVerifier.INSTANCE.verify(hostName, certificate);
}

The OkHostnameVerifier's code is at
https://android.googlesource.com/platform/external/okhttp/+/e82a796/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java

And the code:

@Override
public boolean verify(String hostName, SSLSession session) {
    // here you should check the hostName against the peer certificate from the session
    // do not just return true here, because it's not safe (man-in-the-middle attack)
    try {
        Certificate[] certificates = session.getPeerCertificates();
        // OkHostnameVerifier compares hostName with the certificate's SAN / CN entries
        return OkHostnameVerifier.INSTANCE.verify(hostName, (X509Certificate) certificates[0]);
    } catch (SSLPeerUnverifiedException e) {
        // no peer certificate means the peer was never authenticated
        return false;
    }
}

Answered 2021-01-27T09:19:29.410