1-我们能够在 API 的 burp 套件工具中拦截请求/响应 <=23。 2-当我将不正确的sha-256引脚传递给证书引脚器时,它会引发异常 com.android.volley.NoConnectionError: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! 3-当我传递正确的引脚时,它的工作请求会成功。 4-我们没有在网络安全配置中设置静态PIN sha256。我们正在以编程方式对所有版本进行操作。 请检查我缺少什么。
使用 'com.squareup.okhttp3', name: 'okhttp', version: '3.11.0 网络安全配置是
<network-security-config>
<base-config cleartextTrafficPermitted="true"/>
<debug-overrides>
<trust-anchors>
<certificates src="user" />
</trust-anchors>
</debug-overrides>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">abc.com</domain>
</domain-config>
</network-security-config>
**and ssl pinning android code**
public static HurlStack getOkHttpStack(Context context) {
HurlStack stack = null;
try {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
CertificatePinner certPinner = buildCertificatePinner(context);
stack = new OkHttpStack(trustManager, certPinner);
} catch (Exception e) {
e.printStackTrace();
}
if (stack == null) {
stack = new HurlStack();
}
return stack;
}
**CertificatePinner object creation**
private static CertificatePinner buildCertificatePinner(Context context) {
CertificatePinner pinner = null;
// COde ---
return pinner;
}
**Okhttp client object creation**
public OkHttpStack(X509TrustManager trustManager, CertificatePinner certPinner) throws Exception {
OkHttpClient.Builder builder = new OkHttpClient.Builder();
if (trustManager != null) {
TLSSocketFactory factory = new TLSSocketFactory(trustManager);
builder.sslSocketFactory(factory, trustManager);
}
if(certPinner != null){
builder.certificatePinner(certPinner);
}
mClient = builder.build();
}
在 API 级别 15 和 22 之间,必须强制启用 TLS 1.2。因此,在构建OkHttpClient时,您必须这样做。
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) {
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(null, null, null);
okHttpClientBuilder.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()),
trustManager
);
}