小贝子编程

android security -如何修复TrustManager的不安全实现



我的应用程序在Google Play中被拒绝,因为某些不安全的TrustManager实现。

但是在我的库中,我只有一个TrustManager的实现(这是我的SSLUtil类)。

import android.content.Context;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
public class SSLUtil {
    /**
     * @param ctx
     * @param certRaw File from /res/raw
     * @return
     * @throws Exception
     */
    public static SSLSocketFactory trustCert(Context ctx, int certRaw) throws Exception {
        // Load CAs from an InputStream
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // File at /res/raw
        InputStream caInput = FileUtils.readRawFile(ctx, certRaw);
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
        } finally {
            caInput.close();
        }
// Create a KeyStore containing our trusted CAs
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);
//      Log.d(TAG, "KeyStore: " + keyStore);
// Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        // Create all-trusting host name verifier
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
        // Install the all-trusting host verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        SSLSocketFactory socketFactory = context.getSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
        return socketFactory;
    }
}

我在阅读了Android开发者网站上的以下文档后编写了这个类:

https://developer.android.com/training/articles/security-ssl.html

如果我理解正确,这段代码是可以的。这种TrustManager的实现正确吗?

我不明白为什么我的申请被拒绝了。

不,您的代码不安全。从名称allHostsValid可以看出,代码盲目地接受所有主机名,这意味着该连接可以是中间人连接。你应该删除这个类

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium