Google Play warning and “unsafe implementation of X509TrustManager”

那年仲夏 提交于 2019-11-27 04:37:24

问题


We had received mail regarding “You are using an unsafe implementation of X509TrustManagfer”. To resolve this issue we have applied solution from http://transoceanic.blogspot.in/2011/11/android-import-ssl-certificate-and-use.html

Here we have generated new BKS key store and pass this Key Store SSLSocketFactory. This Factory is responsible for verification of Server certificate. We have already existing Keystore but it is not in .BKS formate . That’s why we have created new one for specially HTTPS call. Please review my below code:

DefaultHttpClient sslClient = new MyHttpClient(StartupActivity.activity);

public class MyHttpClient extends DefaultHttpClient {

    final Context context;

    public MyHttpClient(Context context) {
        this.context = context;

    }

    @Override
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory
                .getSocketFactory(), 80));
        // Register for port 443 our SSLSocketFactory with our keystore
        // to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));


        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = context.getResources().openRawResource(
                    R.raw.mykeystore);
            try {
                // Initialize the keystore with the provided trusted
                // certificates
                // Also provide the password of the keystore

                trusted.load(in, "keystore_password".toCharArray());
            } finally {
                in.close();
            }
            // Pass the keystore to the SSLSocketFactory. The factory is
            // responsible
            // for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

Can you please check and confirm that with this solution our application would be safe?

Let us know if you have any other best solution.

来源:https://stackoverflow.com/questions/35604684/google-play-warning-and-unsafe-implementation-of-x509trustmanager

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!