Android 证书固定忽略主机名验证
我刚刚根据找到的教程实现了证书固定。但现在我注意到它忽略了主机名验证,天知道它还忽略了什么 以下是我所拥有的: SSLSocketFactory:Android 证书固定忽略主机名验证,android,validation,ssl,ssl-certificate,Android,Validation,Ssl,Ssl Certificate,我刚刚根据找到的教程实现了证书固定。但现在我注意到它忽略了主机名验证,天知道它还忽略了什么 以下是我所拥有的: SSLSocketFactory: public class PinningSSLSocketFactory extends SSLSocketFactory { SSLContext sslContext = SSLContext.getInstance("TLS"); PubKeyManager pkm; public PinningSSLSocketF
public class PinningSSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");
PubKeyManager pkm;
public PinningSSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException,
KeyStoreException, UnrecoverableKeyException {
super(truststore);
pkm = new PubKeyManager();
TrustManager tm[] = { pkm };
sslContext.init(null, tm, null);
}
@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException,
UnknownHostException {
return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}
@Override
public Socket createSocket() throws IOException {
return sslContext.getSocketFactory().createSocket();
}
public void setContext(Context context) {
pkm.setContext(context);
}
}
public class PubKeyManager implements X509TrustManager {
public Context mContext;
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
if (chain == null) {
throw new IllegalArgumentException("checkServerTrusted: X509Certificate array is null");
}
if (!(chain.length > 0)) {
throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty");
}
if (!(null != authType && authType.equalsIgnoreCase("RSA"))) {
throw new CertificateException("checkServerTrusted: AuthType is not RSA");
}
// Perform customary SSL/TLS checks
// get request cert
try {
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init((KeyStore) null);
for (TrustManager trustManager : tmf.getTrustManagers()) {
((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
}
} catch (Exception e) {
throw new CertificateException(e);
}
//get stored certificate
expected = //compare both certs
if (!expected) {
throw new CertificateException("checkServerTrusted");
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
public void setContext(Context context) {
mContext = context;
}
}
public DefaultHttpClient getPinningHttpClient(){
try {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
PinningSSLSocketFactory sf = new PinningSSLSocketFactory(trustStore);
sf.setContext(context);
HttpParams params = new BasicHttpParams();
HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
registry.register(new Scheme("https", sf, 443));
ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
return new DefaultHttpClient(ccm, params);
} catch (Exception e) {
e.printStackTrace();
}
return new DefaultHttpClient();
}
感谢您提供的帮助。证书/公钥固定的概念是您知道特定主机具有特定的证书或公钥。只有在您不知道证书应该是什么的情况下,才需要验证主机名和证书链。钉住是你与预期同伴交谈的有力证据。当然,您应该在应用程序中关联主机名和固定信息,也就是说,不要使用一个站点的固定信息来验证其他站点
除此之外,不要只使用“…我找到的教程”。在OWASP中,您可以找到有关主题和示例代码的信息。我基本上按照该页面上的示例项目来完成我现在所做的工作。问题是,我们将证书放在质量服务器上,它接受了请求,即使url与证书上的url不匹配。Sói假设使用我的
pinningsslssocketfactorySSLSocketFactoryjava.io.IOException:Hostname'myurl.com'未经验证