logo标签列表

谷歌未安全实现接口X509TrustManager

javaandroidandroid-securitysslsocketfactorytrustmanager
7
我在Google Play上有一个应用程序,我收到了一封来自Google的邮件,邮件内容如下:
您的应用程序(此邮件末尾列出)使用了接口X509TrustManager的不安全实现。具体来说,当与远程主机建立HTTPS连接时,该实现会忽略所有SSL证书验证错误,从而使您的应用程序容易受到中间人攻击。
为了正确处理SSL证书验证,请更改您自定义的X509TrustManager接口的checkServerTrusted方法中的代码,以便在服务器提供的证书未满足您的要求时引发CertificateException或IllegalArgumentException异常。
我的应用程序使用“https”,我的checkServerTrusted()代码如下:
 TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

然后我修改了这个函数:
 TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null) {
                throw new IllegalArgumentException("checkServerTrusted: X509Certificate array is null");
            }

            if (!(chain.length > 0)) {
                throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty");
            }

            if (!(null != authType && authType.equalsIgnoreCase("RSA"))) {

                throw new CertificateException("checkServerTrusted: AuthType is not RSA");
            }
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

自定义SSLSocketFactory:

public class MySSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");

public MySSLSocketFactory(KeyStore ctx) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    super(ctx);

    TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    sslContext.init(null, new TrustManager[]{tm}, null);
}

@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
    return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}

@Override
public Socket createSocket() throws IOException {
    return sslContext.getSocketFactory().createSocket();
}

HttpClient函数:

private static HttpClient getHttpClient(int timeout) {
    if (null == mHttpClient) {

        try {
            KeyStore trustStore = KeyStore.getInstance(KeyStore
                    .getDefaultType());
            trustStore.load(null, null);
            SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
            sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); 

            HttpParams params = new BasicHttpParams();

            HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
            HttpProtocolParams.setContentCharset(params,
                    HTTP.DEFAULT_CONTENT_CHARSET);
            HttpProtocolParams.setUseExpectContinue(params, true);


            ConnManagerParams.setTimeout(params, timeout);

            HttpConnectionParams.setConnectionTimeout(params, timeout);

            HttpConnectionParams.setSoTimeout(params, timeout);


            SchemeRegistry schReg = new SchemeRegistry();
            schReg.register(new Scheme("http", PlainSocketFactory
                    .getSocketFactory(), 80));
            schReg.register(new Scheme("https", sf, 443));

            ClientConnectionManager conManager = new ThreadSafeClientConnManager(
                    params, schReg);

            mHttpClient = new DefaultHttpClient(conManager, params);
        } catch (Exception e) {
            e.printStackTrace();
            return new DefaultHttpClient();
        }
    }
    return mHttpClient;
}

但是我对此并不了解,我只是按照电子邮件中的内容修改了我的代码,我认为我还没有解决这个问题。这个警告是什么意思?如何解决它?

3
为什么一开始就有这个“TrustManager”?在使用SSL时不需要它。 - CommonsWare
你正在使用任何第三方SDK吗? - Idan
@Idan 这不是第三方 SDK。 - zys
“我该怎么办?”--正如Antimony所指出的,最好是摆脱它。我不明白为什么你的应用程序需要一个自定义TrustManager。如果你决定需要它,就要正确实现它以验证证书并防止中间人攻击。如果你不知道如何做到这一点,请打开一个全新的Stack Overflow问题,在那里提供你的代码并完整而准确地解释为什么你需要一个自定义的TrustManager,也许我们可以帮助指出如何实现它。例如,如果你想处理自签名证书,有相应的方法可以做到这一点。 - CommonsWare
2
@SharpEdge:几乎所有使用https URL的Java示例都没有使用自定义的TrustManager这里有一个,它使用HttpURLConnection下载PDF文件;这里有一个,它使用Retrofit从Stack Exchange API检索问题;这里是Volley的等效版本这里是OkHttp3的等效版本 - CommonsWare
显示剩余7条评论
4个回答
7
I found 这个解决方案,它很有效! X509TrustManager: 
public class EasyX509TrustManager
    implements X509TrustManager {

private X509TrustManager standardTrustManager = null;

/**
 * Constructor for EasyX509TrustManager.
 */
public EasyX509TrustManager(KeyStore keystore)
        throws NoSuchAlgorithmException, KeyStoreException {
    super();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    factory.init(keystore);
    TrustManager[] trustmanagers = factory.getTrustManagers();
    if (trustmanagers.length == 0) {
        throw new NoSuchAlgorithmException("no trust manager found");
    }
    this.standardTrustManager = (X509TrustManager) trustmanagers[0];
}

/**
 * @see X509TrustManager#checkClientTrusted(X509Certificate[], String authType)
 */
public void checkClientTrusted(X509Certificate[] certificates, String authType)
        throws CertificateException {
    standardTrustManager.checkClientTrusted(certificates, authType);
}

/**
 * @see X509TrustManager#checkServerTrusted(X509Certificate[], String authType)
 */
public void checkServerTrusted(X509Certificate[] certificates, String authType)
        throws CertificateException {
    if ((certificates != null) && (certificates.length == 1)) {
        certificates[0].checkValidity();
    } else {
        standardTrustManager.checkServerTrusted(certificates, authType);
    }
}

/**
 * @see X509TrustManager#getAcceptedIssuers()
 */
public X509Certificate[] getAcceptedIssuers() {
    return this.standardTrustManager.getAcceptedIssuers();
}

}

SSLSocketFactory:

public class EasySSLSocketFactory implements LayeredSocketFactory {

private SSLContext sslcontext = null;

private static SSLContext createEasySSLContext() throws IOException {
    try {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[]{new EasyX509TrustManager(
                null)}, null);
        return context;
    } catch (Exception e) {
        throw new IOException(e.getMessage());
    }
}

private SSLContext getSSLContext() throws IOException {
    if (this.sslcontext == null) {
        this.sslcontext = createEasySSLContext();
    }
    return this.sslcontext;
}

/**
 * @see org.apache.http.conn.scheme.SocketFactory#connectSocket(Socket,
 * String, int, InetAddress, int,
 * HttpParams)
 */
public Socket connectSocket(Socket sock, String host, int port,
                            InetAddress localAddress, int localPort, HttpParams params)
        throws IOException, UnknownHostException, ConnectTimeoutException {
    int connTimeout = HttpConnectionParams.getConnectionTimeout(params);
    int soTimeout = HttpConnectionParams.getSoTimeout(params);

    InetSocketAddress remoteAddress = new InetSocketAddress(host, port);
    SSLSocket sslsock = (SSLSocket) ((sock != null) ? sock : createSocket());

    if ((localAddress != null) || (localPort > 0)) {
        // we need to bind explicitly
        if (localPort < 0) {
            localPort = 0; // indicates "any"
        }
        InetSocketAddress isa = new InetSocketAddress(localAddress,
                localPort);
        sslsock.bind(isa);
    }

    sslsock.connect(remoteAddress, connTimeout);
    sslsock.setSoTimeout(soTimeout);
    return sslsock;

}

/**
 * @see org.apache.http.conn.scheme.SocketFactory#createSocket()
 */
public Socket createSocket() throws IOException {
    return getSSLContext().getSocketFactory().createSocket();
}

/**
 * @see org.apache.http.conn.scheme.SocketFactory#isSecure(Socket)
 */
public boolean isSecure(Socket socket) throws IllegalArgumentException {
    return true;
}

/**
 * @see LayeredSocketFactory#createSocket(Socket,
 * String, int, boolean)
 */
public Socket createSocket(Socket socket, String host, int port,
                           boolean autoClose) throws IOException, UnknownHostException {
    return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
}

// -------------------------------------------------------------------
// javadoc in org.apache.http.conn.scheme.SocketFactory says :
// Both Object.equals() and Object.hashCode() must be overridden
// for the correct operation of some connection managers
// -------------------------------------------------------------------

public boolean equals(Object obj) {
    return ((obj != null) && obj.getClass().equals(
            EasySSLSocketFactory.class));
}

public int hashCode() {
    return EasySSLSocketFactory.class.hashCode();
}

}

接下来:

SchemeRegistry schReg = new SchemeRegistry();
            schReg.register(new Scheme("http", PlainSocketFactory
                    .getSocketFactory(), 80));
            schReg.register(new Scheme("https", new EasySSLSocketFactory(), 443));
3
不要使用这个非常糟糕的代码!该代码容许中间人攻击,使得 SSL 的整个安全性都失去了意义。checkValidity() 方法只检查证书是否过期,除此之外什么也不检查,这意味着这个代码会轻易地接受任何没有过期的证书,即使是假冒的,为了另一个服务器而且没有被任何签名机构签名。 - Nohus
@Nohus 我知道,但我的目的是接受所有证书。 - zys
2
如果那是你真正需要的,那就没问题,但这并没有回答谷歌发现的如何解决安全问题的问题。 - Nohus
有人知道这个CertificateException被捕获在哪里吗? - Artanis
1
@Nohus,当你说“checkValidity()方法只检查证书是否过期,而不检查其他任何内容,这意味着此代码将欣然接受任何未过期的证书,即使该证书是伪造的,用于另一个服务器并且未经任何签名”,那么如果要在委托X509TrustManager实现中包含对签名的检查,你需要做什么? - Gary
@Gary 我现在记不清了,但即使你检查了签名,你还需要检查签名链中所有证书的签名、检查它们的排序、检查它们按顺序正确签名,并且根签名是可信任的。最好的方法是不要覆盖实现,使用默认实现可以正常工作。到最后,你会想知道自己是否犯了错误,你的应用程序是否可以被黑客攻击。但我理解你可能需要一些定制行为。 - Nohus
2

您提出的修改并没有修复安全漏洞。您的代码仍然会接受任何格式正确的证书,而不考虑证书是否有效。

如果您不确定如何正确验证证书,建议您移除自定义信任管理器。除非您在进行一些不寻常的操作,否则您不需要这个。

我的应用程序是一个服务器监视器,用户可以添加任何网站或服务器来进行ping测试。如果我删除自定义的TrustManager,那么我也必须删除自定义的SSLSocketFactory。 - zys
也许你可以添加一个接口,以便用户可以添加他们想要加入白名单的自签名证书?不过这应该是一个罕见的情况。 - Antimony
如果我移除自定义的TrsustManager,在访问一个由网站自身定制的证书的网站时,会出现证书不安全的警告。 - zys
-1

最简单的方法是不提供自定义的TrustManager。只需使用默认的TrustManager,它将为您执行公钥(X.509)验证和验证。

-1

只使用默认的X509TrustManager方法,包括checkServerTrusted(chain, authType)。它们会适当地处理所有验证。

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接