问题
We had received mail regarding “You are using an unsafe implementation of X509TrustManagfer”. To resolve this issue we have applied solution from http://transoceanic.blogspot.in/2011/11/android-import-ssl-certificate-and-use.html
Here we have generated new BKS key store and pass this Key Store SSLSocketFactory. This Factory is responsible for verification of Server certificate. We have already existing Keystore but it is not in .BKS formate . That’s why we have created new one for specially HTTPS call. Please review my below code:
DefaultHttpClient sslClient = new MyHttpClient(StartupActivity.activity);
public class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
this.context = context;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
// Get an instance of the Bouncy Castle KeyStore format
KeyStore trusted = KeyStore.getInstance("BKS");
// Get the raw resource, which contains the keystore with
// your trusted certificates (root and any intermediate certs)
InputStream in = context.getResources().openRawResource(
R.raw.mykeystore);
try {
// Initialize the keystore with the provided trusted
// certificates
// Also provide the password of the keystore
trusted.load(in, "keystore_password".toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is
// responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
Can you please check and confirm that with this solution our application would be safe?
Let us know if you have any other best solution.
来源:https://stackoverflow.com/questions/35604684/google-play-warning-and-unsafe-implementation-of-x509trustmanager