不安全的X509TrustManager接口实现 – Google Play

huangapple go评论77阅读模式
英文:

Unsafe implementation of the interface X509TrustManager - Google Play

问题

当我尝试将应用上传到Google Play时,我收到一条消息。消息内容是:“不安全实现x509trustmanager接口”。在Google Play的消息中写道:

为了在验证SSL证书时避免问题,请更改X509TrustManager接口中checkServerTrusted方法的代码,以便在检测到可疑证书时抛出CertificateException或IllegalArgumentException。

我找到的所有选项都使用checkValidity方法来验证证书,但Google还补充说:

不要使用checkValidity来验证服务器的证书。此方法检查证书的有效性,而不是其安全性。

我应该如何正确地更改checkServerTrusted方法的代码?我目前的x509TrustManager实现如下:

X509TrustManager trustManager = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] cArrr = new X509Certificate[0];
        return cArrr;
    }

    @Override
    public void checkServerTrusted(final X509Certificate[] chain,
                                   final String authType) throws CertificateException {
        try {
            chain[0].checkValidity();
        } catch (Exception e) {
            throw new CertificateException("Certificate not valid or trusted.");
        }
    }

    @Override
    public void checkClientTrusted(final X509Certificate[] chain,
                                   final String authType) throws CertificateException {
    }
};
英文:

When I try to upload an application to google play, I get a message. "Unsafe implementation of the interface x509trustmanager". In a message from Google Play it says:

> To avoid problems when validating the SSL certificate, change the code
> of the checkServerTrusted method in the X509TrustManager interface so
> that a CertificateException or IllegalArgumentException is thrown when
> it detects suspicious certificates.

All the options I've found use the checkValidity method to validate the certificate but Google also adds:

> Do not use checkValidity to validate the server's certificate. This
> method checks the validity of the certificate, not its security.

How can I change the code of the checkServerTrusted method correctly? My current implementation of x509TrustManager:

X509TrustManager trustManager = new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] cArrr = new X509Certificate[0];
            return cArrr;
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain,
                                       final String authType) throws CertificateException {
            try {
                chain[0].checkValidity();
            } catch (Exception e) {
                throw new CertificateException("Certificate not valid or trusted.");
            }
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain,
                                       final String authType) throws CertificateException {
        }
    };

答案1

得分: 2

// 修改了 X509TrustManager 的实现方式,使应用通过了 Google Play 的验证:

TrustManager[] victimizedManager = {

    new X509TrustManager() {

        public X509Certificate[] getAcceptedIssuers() {

            X509Certificate[] myTrustedAnchors = new X509Certificate[0];

            return myTrustedAnchors;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new IllegalArgumentException("证书为空或者为空");
            if (authType == null || authType.length() == 0) throw new IllegalArgumentException("认证类型为空或者为空");
            if (!authType.equalsIgnoreCase("ECDHE_RSA") &&
                !authType.equalsIgnoreCase("ECDHE_ECDSA") &&
                !authType.equalsIgnoreCase("RSA") &&
                !authType.equalsIgnoreCase("ECDSA")) throw new CertificateException("证书不被信任");
            try {
                chain[0].checkValidity();
            } catch (Exception e) {
                throw new CertificateException("证书无效或不被信任");
            }
        }
    }
};
英文:

I changed the X509TrustManager implementation this way and the app passed Google Play verification:

TrustManager[] victimizedManager = new TrustManager[]{

                new X509TrustManager() {

                    public X509Certificate[] getAcceptedIssuers() {

                        X509Certificate[] myTrustedAnchors = new X509Certificate[0];

                        return myTrustedAnchors;
                    }

                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                        if(chain == null || chain.length == 0)throw new IllegalArgumentException("Certificate is null or empty");
                        if(authType == null || authType.length() == 0) throw new IllegalArgumentException("Authtype is null or empty");
                        if(!authType.equalsIgnoreCase("ECDHE_RSA") &&
                                !authType.equalsIgnoreCase("ECDHE_ECDSA") &&
                                !authType.equalsIgnoreCase("RSA") &&
                                !authType.equalsIgnoreCase("ECDSA")) throw new CertificateException("Certificate is not trust");
                        try {
                            chain[0].checkValidity();
                        } catch (Exception e) {
                            throw new CertificateException("Certificate is not valid or trusted");
                        }
                    }
                }
        };

答案2

得分: 1

我之前遇到过这个错误。在我的情况下,以下是修复方法:

private boolean isVerified;

@SuppressLint("TrulyRandom")
public static void handleSSLHandshake() {
    try {
        TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        }};

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(final String host, final SSLSession session) {
                System.out.print("host" + host+ "\n");
                isVerified = host.equalsIgnoreCase(Constants.hostNameVerifierString)
                        || host.contains("google") || host.contains("gstatic");

                System.out.print(isVerified);
                return isVerified;
            }
        });
    } catch (Exception ignored) {
    }
}

在需要进行网络调用的活动中,您可以调用 handleSSLHandshake() 方法。或者,如果您使用 Dagger 或任何依赖注入库,您应该能够在任何希望创建网络调用的地方注入它。

Constants.hostNameVerifierString 是我用于网络调用的URL,"google" 和 "gstatic" 被添加是因为我还在使用谷歌地图。

英文:

I've had this error before. In my case, this is what fixed it:

private boolean isVerified;

@SuppressLint("TrulyRandom")
public static void handleSSLHandshake() {
    try {
        TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        }};

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(final String host, final SSLSession session) {
                System.out.print("host" + host+ "\n");
                isVerified = host.equalsIgnoreCase(Constants.hostNameVerifierString)
                        || host.contains("google") || host.contains("gstatic");

                System.out.print(isVerified);
                return isVerified;
            }
        });
    } catch (Exception ignored) {
    }
}

In the activity where you have a network call you can call the handleSSLHandshake() method. Or if you use Dagger or any dependency injection library , you should be able to inject it wherever you want to create network calls.

The Constants.hostNameVerifierString is the URL I was using for network calls , the "google" and "gstatic" were added because I was also using google maps.

huangapple
  • 本文由 发表于 2020年10月13日 15:47:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/64330843.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定