X509TrustManager是否在每个Android应用程序会话中仅一次检查API请求？

拉吉塔·佩雷拉（Rajitha Perera）

最近，我实现了一项安全功能，以检查我的请求是否与有效主机连接。为此，我正在检查该主机的证书，并且在这种情况下使用了X509TrustManager。因此，如果X509TrustManager发现某个无效的证书，它将抛出异常，并根据该异常，向用户显示警报。但是问题是X509TrustManager仅在第一次时抛出异常。但是，当我刷新相同的请求时，我没有收到无效的证书，也没有看到任何警报。下面我添加了我的实现。让我知道我的实现中的任何问题或X509TrustManager的任何已知问题。谢谢并恭祝安康。

final X509TrustManager finalTrustManager = x509TrustManager;
    TrustManager[] trustAllCerts = new TrustManager[0];
    if (finalTrustManager != null) {
        trustAllCerts = new TrustManager[]{
                new X509TrustManager() {

                    public X509Certificate[] getAcceptedIssuers() {
                        return finalTrustManager.getAcceptedIssuers();
                    }

                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                        try {
                            // If Application get any CertificateException in Splash screen we will show related alert in MainActivity
                            // We need to terminate app after showing alert but if we show alert in Splash screen it will get hide when Main Activity get visible.
                            // To avoid this scenario we added this implementation.
                            if (mIsSplashGetInvalidateCertificate && !(mLifecycleManager.getCurrentStackOfActivity().get(0) instanceof SplashActivity)) {
                                mAlertManager.showAlertMessageWithoutDuplicates(mLifecycleManager.getCurrentContext().getResources().getString(R.string.certificate_error_title), mLifecycleManager.getCurrentContext().getResources().getString(R.string.certificate_error_message), (FragmentActivity) mLifecycleManager.getCurrentStackOfActivity().get(0), true);
                            }

                            // Checking the certificate availability of host
                            if ((certs != null && certs.length != 0) && (authType != null && authType.length() != 0)) {
                                finalTrustManager.checkClientTrusted(certs, authType);
                            } else {
                                terminateApplicationWithAlert();
                            }
                        } catch (CertificateException e) {
                            terminateApplicationWithAlert();
                        }
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                        try {
                            if (mIsSplashGetInvalidateCertificate && !(mLifecycleManager.getCurrentStackOfActivity().get(0) instanceof SplashActivity)) {
                                mAlertManager.showAlertMessageWithoutDuplicates(mLifecycleManager.getCurrentContext().getResources().getString(R.string.certificate_error_title), mLifecycleManager.getCurrentContext().getResources().getString(R.string.certificate_error_message), (FragmentActivity) mLifecycleManager.getCurrentStackOfActivity().get(0), true);
                            }

                            if ((certs != null && certs.length != 0) && (authType != null && authType.length() != 0)) {
                                finalTrustManager.checkServerTrusted(certs, authType);
                            } else {
                                terminateApplicationWithAlert();
                            }
                        } catch (CertificateException e) {
                            terminateApplicationWithAlert();
                        }
                    }
                }
        };
    }

瑞安·M

您实际上并没有将证书标记为无效，因为您正在捕获CertificateException并吞下它。通过不抛出CertificateException，您告诉HTTP库无效的证书有效，大概是为了避免过多地重新验证证书而进行了缓存。

您需要允许CertificateException从X509TrustManager方法中抛出，在HTTP调用站点中捕获错误，并从此处显示对话框。

本文收集自互联网，转载请注明来源。

如有侵权，请联系 [email protected] 删除。