我已经成功为SafetyNet认证创建了后端服务和Android客户端。 当我将jws令牌发送到我的服务器并尝试验证它的证书时,证明没有签名证书。
我应该在我的Android应用中添加api密钥吗?
我的认证结果:
eyJhbGciOiJSUzI1NiIsIng1YyI6WyJNSUlFaURDQ0EzQ2dBd0lCQWdJSWNkK3ZTTGZWdWxrd0RRWUpLb1pJaHZjTkFRRUxCUUF3U1RFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBb1RDa2R2YjJkc1pTQkpibU14SlRBakJnTlZCQU1USEVkdmIyZHNaU0JKYm5SbGNtNWxkQ0JCZFhSb2IzSnBkSGtnUnpJd0hoY05NVFl3TnpFeU1UVTBNelUwV2hjTk1UY3dOekV4TURBd01EQXdXakJzTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCd3dOVFc5MWJuUmhhVzRnVm1sbGR6RVRNQkVHQTFVRUNnd0tSMjl2WjJ4bElFbHVZekViTUJrR0ExVUVBd3dTWVhSMFpYTjBMbUZ1WkhKdmFXUXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF3WEtyS0ZRRlBTckthS252NG9MSUhXNlVVMEk2STV2Q1FERFJOUlg2NWQrMVJLUWg0aDNoUHlTQ21MR2thREg0Q3Rud1lCdmRhWmZHUnVJVWx4K21zRjlkbU8rZzR0U2tSaXdrRzBxZ1VVN3docDk2ZHJoZkFrdDdPc2RzUWhmQWlTcmljdDlrTTRISElOVFVadjU0bXhkQmI0SkVBSlAvWlBDL2h5alAwRnlwNFlWVkdGN3RrQ09zUTVzYlB3cTBrbVJ0citobG41TXYwN1oxdkQwTG1MMU8yQy9qQUVCWGlhV3IzTjltenRXK2w3dEllOW1yY3FvUTB1UXdDWTd6YWdjb1czeFRmVExKVGdGTU5ZU0RtaDBEV2NZZUhidjNHQUtTR0hCSWZIWlQranhhZTlwam5pSi8zY3VmOWhVcUZPTGV3blI0TGdiTzNtSlc4a0dtWVFJREFRQUJvNElCVHpDQ0FVc3dIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUIwR0ExVWRFUVFXTUJTQ0VtRjBkR1Z6ZEM1aGJtUnliMmxrTG1OdmJUQm9CZ2dyQmdFRkJRY0JBUVJjTUZvd0t3WUlLd1lCQlFVSE1BS0dIMmgwZEhBNkx5OXdhMmt1WjI5dloyeGxMbU52YlM5SFNVRkhNaTVqY25Rd0t3WUlLd1lCQlFVSE1BR0dIMmgwZEhBNkx5OWpiR2xsYm5Sek1TNW5iMjluYkdVdVkyOXRMMjlqYzNBd0hRWURWUjBPQkJZRUZON1FsYndMa3BYbUNQbmxLS3FFdDdvc0JpYW5NQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVTdDBHRmh1ODltaTFkdldCdHJ0aUdycGFnUzh3SVFZRFZSMGdCQm93R0RBTUJnb3JCZ0VFQWRaNUFnVUJNQWdHQm1lQkRBRUNBakF3QmdOVkhSOEVLVEFuTUNXZ0k2QWhoaDlvZEhSd09pOHZjR3RwTG1kdmIyZHNaUzVqYjIwdlIwbEJSekl1WTNKc01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnV4UEpqeE9GcjlqOEJUT0swbGhNNy8zVUN3d2RjSTFFZExmRGx4NmJCWW53SmVPUThKdC9Vd1VkcTFGTWRMM2gydkVTYVFkUVdYQTVCWE9YenI1TXV2V0xYaldKRjRsb0E4VzBTVDQyUDd6MWsyT29qb3JsNXZabkhjY08vZzhFd0ZpRlVINCsydXF1NVFzWmpVZGxMS2FFUWhJZTcvU2x2Qk41eHlZd0RaMlp0R00rdlVnVlFkbXpaV0puTGNHZFVSUGN3N2tlOWlNTFZKcXUrR0Z4c1lJSXYwMW1EQlVlblNUNFRsYWlEUG1nUmwzN3lCQWpUNGVaQlBIRzBGUzhna3FKZzAzMnhjNFdPNE1WMk1ZeEN0NWVzSllaOU04Y09QRFVjOEVYOUlwbC9FT1IrL25Mb2NRSEhIazhJQlhsbDVGM2lnN1RpOGFCNTJUMFdRaEIrIiwiTUlJRDhEQ0NBdGlnQXdJQkFnSURBanFTTUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4Q3pBSkJnTlZCQVlUQWxWVE1SWXdGQVlEVlFRS0V3MUhaVzlVY25WemRDQkpibU11TVJzd0dRWURWUVFERXhKSFpXOVVjblZ6ZENCSGJHOWlZV3dnUTBFd0hoY05NVFV3TkRBeE1EQXdNREF3V2hjTk1UY3hNak14TWpNMU9UVTVXakJKTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNoTUtSMjl2WjJ4bElFbHVZekVsTUNNR0ExVUVBeE1jUjI5dloyeGxJRWx1ZEdWeWJtVjBJRUYxZEdodmNtbDBlU0JITWpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSndxQkhkYzJGQ1JPZ2FqZ3VEWVVFaThpVC94R1hBYWlFWis0SS9GOFluT0llNWEvbUVOdHpKRWlhQjBDMU5QVmFUT2dtS1Y3dXRaWDhiaEJZQVN4RjZVUDd4YlNEajBVL2NrNXZ1UjZSWEV6L1JURGZSSy9KOVUzbjIrb0d0dmg4RFFVQjhvTUFOQTJnaHpVV3gvL3pvOHB6Y0dqcjFMRVFUcmZTVGU1dm44TVhIN2xOVmc4eTVLcjBMU3krckVhaHF5ekZQZEZVdUxIOGdaWVIvTm5hZytZeXVFTldsbGhNZ1p4VVlpK0ZPVnZ1T0FTaERHS3V5Nmx5QVJ4em1aRUFTZzhHRjZsU1dNVGxKMTRyYnRDTW9VL000aWFyTk96MFlEbDVjRGZzQ3gzbnV2UlRQUHVqNXh0OTcwSlNYQ0RUV0puWjM3RGhGNWlSNDN4YStPY21rQ0F3RUFBYU9CNXpDQjVEQWZCZ05WSFNNRUdEQVdnQlRBZXBob2pZbjdxd1ZrREJGOXFuMWx1TXJNVGpBZEJnTlZIUTRFRmdRVVN0MEdGaHU4OW1pMWR2V0J0cnRpR3JwYWdTOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01DNEdDQ3NHQVFVRkJ3RUJCQ0l3SURBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyY3VjM2x0WTJRdVkyOXRNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUF3TlFZRFZSMGZCQzR3TERBcW9DaWdKb1lrYUhSMGNEb3ZMMmN1YzNsdFkySXVZMjl0TDJOeWJITXZaM1JuYkc5aVlXd3VZM0pzTUJjR0ExVWRJQVFRTUE0d0RBWUtLd1lCQkFIV2VRSUZBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQ0U0RXA0Qi9FQlpEWGdLdDEwS0E5TENPMHE2ejZ4RjlrSVFZZmVlUUZmdEpmNmlaQlpHN2VzbldQRGNZQ1pxMng1SWdCelV6Q2VRb1kzSU50T0F5bkllWXhCdDJpV2ZCVUZpd0U2b1RHaHN5cGI3cUVaVk1TR05KNlpsZElEZk0vaXBwVVJhVlM2bmVTWUxBRUhEMExQUHN2Q1FrMEU2c3BkbGVIbTJTd2Flc1NEV0IrZVhrbkdWcHpZZWtRVkEvTGxlbGtWRVNXQTZNQ2FHc2VxUVNwU2Z6bWhDWGZWVURCdmRtV0Y5ZlpPR3JYVzJsT1VoMW1Fd3BXanFOMHl2S25GVUV2L1RtRk5XQXJDYnRGNG1tazJ4Y3BNeTQ4R2FPWk9OOW11SUFzMG5INUFxcTNWdUR4M0NRUms2KzBOdFpsbXd1OVJZMjNuSE1BY0lTd1NIR0ZnPT0iXX0.eyJub25jZSI6IlVFMTViamRaVUVNdk4ybFJNRU5UVTJwQ1VXdE1Rak51VEU1WWRtOXZabnBPUm14WkwzcEhibXRWV21oS1ZrSkJTa3R1S3pkWFJHbDBUVnBzYkZORFppOWFMMjlGZUVKa2NEVnllQzlwUTFWUlluVlVlV2M5UFE9PSIsInRpbWVzdGFtcE1zIjoxNDkwNzg3MTQ3MzYxLCJhcGtQYWNrYWdlTmFtZSI6ImNvbS5leGFtcGxlLnNhbXBsZSIsImFwa0RpZ2VzdFNoYTI1NiI6ImtXVWZ3ZlpCSU9ib2UzRGtMM2RkeTFBbm1VdjM3cDFVYlduZ1Fkd1gwZHM9IiwiY3RzUHJvZmlsZU1hdGNoIjp0cnVlLCJleHRlbnNpb24iOiJDUVlZdUQyUmRqQVkiLCJhcGtDZXJ0aWZpY2F0ZURpZ2VzdFNoYTI1NiI6WyJ3ZU93UTZLUWdFZGx2bXJIV0VCRDlyZm96YnF6ZWU0ZlpPT2FXclpoc2NvPSJdLCJiYXNpY0ludGVncml0eSI6dHJ1ZX0.JXOvgIx0PufdyJ72Vo-FvTb_6Dwj7gcSxlXWHt8siVrgK2eMQA3V_eYbXS7NYkNUEXLLMNIfm8qEIwJQGYLUKE9GyaHjjuFt_YOkQMOzC8hh9VpIekS8bc_eRfvVajXzrFSRAigOnfVBrMGrVVpxsqtjqz1Y9ochGHwrjO2b8oZyw06HjzsnuT9YpLXakBg1azOYx9KP-_XkDaKW6_Lkfn6Rmo8hpatadIF5qn54W_UkXvvsG7d4P8h_7uvO66rRhK1OXg3Qhazta3B_XFtiLcmusaqmglopEW1hI07FAvrqzemuY-_4EcvReLKfo84rl_BuJmLFVtQtDyAHtzngxw
答案 0 :(得分:1)
您需要在最新版本的Google Play服务中使用API密钥。
请参阅有关新SafetyNetClient::attest(byte[], String)方法的文档。
作为旁注,我强烈建议您为此处为Android应用生成的密钥将验证配额设置为最小值1:
https://console.developers.google.com/projectselector/apis/api/androidcheck.googleapis.com/quotas
这(几乎是1错误;))阻止攻击者使用可以从客户端代码中检索的密钥,如下所示:
curl --data '{"signedAttestation": "eyJhbGciOiJSUzI1NiIsIng1YyI6WyJNSUlFaURDQ0EzQ2dBd0lCQWdJSWNkK3ZTTGZWdWxrd0RRWUpLb1pJaHZjTkFRRUxCUUF3U1RFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBb1RDa2R2YjJkc1pTQkpibU14SlRBakJnTlZCQU1USEVkdmIyZHNaU0JKYm5SbGNtNWxkQ0JCZFhSb2IzSnBkSGtnUnpJd0hoY05NVFl3TnpFeU1UVTBNelUwV2hjTk1UY3dOekV4TURBd01EQXdXakJzTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCd3dOVFc5MWJuUmhhVzRnVm1sbGR6RVRNQkVHQTFVRUNnd0tSMjl2WjJ4bElFbHVZekViTUJrR0ExVUVBd3dTWVhSMFpYTjBMbUZ1WkhKdmFXUXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF3WEtyS0ZRRlBTckthS252NG9MSUhXNlVVMEk2STV2Q1FERFJOUlg2NWQrMVJLUWg0aDNoUHlTQ21MR2thREg0Q3Rud1lCdmRhWmZHUnVJVWx4K21zRjlkbU8rZzR0U2tSaXdrRzBxZ1VVN3docDk2ZHJoZkFrdDdPc2RzUWhmQWlTcmljdDlrTTRISElOVFVadjU0bXhkQmI0SkVBSlAvWlBDL2h5alAwRnlwNFlWVkdGN3RrQ09zUTVzYlB3cTBrbVJ0citobG41TXYwN1oxdkQwTG1MMU8yQy9qQUVCWGlhV3IzTjltenRXK2w3dEllOW1yY3FvUTB1UXdDWTd6YWdjb1czeFRmVExKVGdGTU5ZU0RtaDBEV2NZZUhidjNHQUtTR0hCSWZIWlQranhhZTlwam5pSi8zY3VmOWhVcUZPTGV3blI0TGdiTzNtSlc4a0dtWVFJREFRQUJvNElCVHpDQ0FVc3dIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUIwR0ExVWRFUVFXTUJTQ0VtRjBkR1Z6ZEM1aGJtUnliMmxrTG1OdmJUQm9CZ2dyQmdFRkJRY0JBUVJjTUZvd0t3WUlLd1lCQlFVSE1BS0dIMmgwZEhBNkx5OXdhMmt1WjI5dloyeGxMbU52YlM5SFNVRkhNaTVqY25Rd0t3WUlLd1lCQlFVSE1BR0dIMmgwZEhBNkx5OWpiR2xsYm5Sek1TNW5iMjluYkdVdVkyOXRMMjlqYzNBd0hRWURWUjBPQkJZRUZON1FsYndMa3BYbUNQbmxLS3FFdDdvc0JpYW5NQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVTdDBHRmh1ODltaTFkdldCdHJ0aUdycGFnUzh3SVFZRFZSMGdCQm93R0RBTUJnb3JCZ0VFQWRaNUFnVUJNQWdHQm1lQkRBRUNBakF3QmdOVkhSOEVLVEFuTUNXZ0k2QWhoaDlvZEhSd09pOHZjR3RwTG1kdmIyZHNaUzVqYjIwdlIwbEJSekl1WTNKc01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnV4UEpqeE9GcjlqOEJUT0swbGhNNy8zVUN3d2RjSTFFZExmRGx4NmJCWW53SmVPUThKdC9Vd1VkcTFGTWRMM2gydkVTYVFkUVdYQTVCWE9YenI1TXV2V0xYaldKRjRsb0E4VzBTVDQyUDd6MWsyT29qb3JsNXZabkhjY08vZzhFd0ZpRlVINCsydXF1NVFzWmpVZGxMS2FFUWhJZTcvU2x2Qk41eHlZd0RaMlp0R00rdlVnVlFkbXpaV0puTGNHZFVSUGN3N2tlOWlNTFZKcXUrR0Z4c1lJSXYwMW1EQlVlblNUNFRsYWlEUG1nUmwzN3lCQWpUNGVaQlBIRzBGUzhna3FKZzAzMnhjNFdPNE1WMk1ZeEN0NWVzSllaOU04Y09QRFVjOEVYOUlwbC9FT1IrL25Mb2NRSEhIazhJQlhsbDVGM2lnN1RpOGFCNTJUMFdRaEIrIiwiTUlJRDhEQ0NBdGlnQXdJQkFnSURBanFTTUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4Q3pBSkJnTlZCQVlUQWxWVE1SWXdGQVlEVlFRS0V3MUhaVzlVY25WemRDQkpibU11TVJzd0dRWURWUVFERXhKSFpXOVVjblZ6ZENCSGJHOWlZV3dnUTBFd0hoY05NVFV3TkRBeE1EQXdNREF3V2hjTk1UY3hNak14TWpNMU9UVTVXakJKTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNoTUtSMjl2WjJ4bElFbHVZekVsTUNNR0ExVUVBeE1jUjI5dloyeGxJRWx1ZEdWeWJtVjBJRUYxZEdodmNtbDBlU0JITWpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSndxQkhkYzJGQ1JPZ2FqZ3VEWVVFaThpVC94R1hBYWlFWis0SS9GOFluT0llNWEvbUVOdHpKRWlhQjBDMU5QVmFUT2dtS1Y3dXRaWDhiaEJZQVN4RjZVUDd4YlNEajBVL2NrNXZ1UjZSWEV6L1JURGZSSy9KOVUzbjIrb0d0dmg4RFFVQjhvTUFOQTJnaHpVV3gvL3pvOHB6Y0dqcjFMRVFUcmZTVGU1dm44TVhIN2xOVmc4eTVLcjBMU3krckVhaHF5ekZQZEZVdUxIOGdaWVIvTm5hZytZeXVFTldsbGhNZ1p4VVlpK0ZPVnZ1T0FTaERHS3V5Nmx5QVJ4em1aRUFTZzhHRjZsU1dNVGxKMTRyYnRDTW9VL000aWFyTk96MFlEbDVjRGZzQ3gzbnV2UlRQUHVqNXh0OTcwSlNYQ0RUV0puWjM3RGhGNWlSNDN4YStPY21rQ0F3RUFBYU9CNXpDQjVEQWZCZ05WSFNNRUdEQVdnQlRBZXBob2pZbjdxd1ZrREJGOXFuMWx1TXJNVGpBZEJnTlZIUTRFRmdRVVN0MEdGaHU4OW1pMWR2V0J0cnRpR3JwYWdTOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01DNEdDQ3NHQVFVRkJ3RUJCQ0l3SURBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyY3VjM2x0WTJRdVkyOXRNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUF3TlFZRFZSMGZCQzR3TERBcW9DaWdKb1lrYUhSMGNEb3ZMMmN1YzNsdFkySXVZMjl0TDJOeWJITXZaM1JuYkc5aVlXd3VZM0pzTUJjR0ExVWRJQVFRTUE0d0RBWUtLd1lCQkFIV2VRSUZBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQ0U0RXA0Qi9FQlpEWGdLdDEwS0E5TENPMHE2ejZ4RjlrSVFZZmVlUUZmdEpmNmlaQlpHN2VzbldQRGNZQ1pxMng1SWdCelV6Q2VRb1kzSU50T0F5bkllWXhCdDJpV2ZCVUZpd0U2b1RHaHN5cGI3cUVaVk1TR05KNlpsZElEZk0vaXBwVVJhVlM2bmVTWUxBRUhEMExQUHN2Q1FrMEU2c3BkbGVIbTJTd2Flc1NEV0IrZVhrbkdWcHpZZWtRVkEvTGxlbGtWRVNXQTZNQ2FHc2VxUVNwU2Z6bWhDWGZWVURCdmRtV0Y5ZlpPR3JYVzJsT1VoMW1Fd3BXanFOMHl2S25GVUV2L1RtRk5XQXJDYnRGNG1tazJ4Y3BNeTQ4R2FPWk9OOW11SUFzMG5INUFxcTNWdUR4M0NRUms2KzBOdFpsbXd1OVJZMjNuSE1BY0lTd1NIR0ZnPT0iXX0.eyJub25jZSI6IlVFMTViamRaVUVNdk4ybFJNRU5UVTJwQ1VXdE1Rak51VEU1WWRtOXZabnBPUm14WkwzcEhibXRWV21oS1ZrSkJTa3R1S3pkWFJHbDBUVnBzYkZORFppOWFMMjlGZUVKa2NEVnllQzlwUTFWUlluVlVlV2M5UFE9PSIsInRpbWVzdGFtcE1zIjoxNDkwNzg3MTQ3MzYxLCJhcGtQYWNrYWdlTmFtZSI6ImNvbS5leGFtcGxlLnNhbXBsZSIsImFwa0RpZ2VzdFNoYTI1NiI6ImtXVWZ3ZlpCSU9ib2UzRGtMM2RkeTFBbm1VdjM3cDFVYlduZ1Fkd1gwZHM9IiwiY3RzUHJvZmlsZU1hdGNoIjp0cnVlLCJleHRlbnNpb24iOiJDUVlZdUQyUmRqQVkiLCJhcGtDZXJ0aWZpY2F0ZURpZ2VzdFNoYTI1NiI6WyJ3ZU93UTZLUWdFZGx2bXJIV0VCRDlyZm96YnF6ZWU0ZlpPT2FXclpoc2NvPSJdLCJiYXNpY0ludGVncml0eSI6dHJ1ZX0.JXOvgIx0PufdyJ72Vo-FvTb_6Dwj7gcSxlXWHt8siVrgK2eMQA3V_eYbXS7NYkNUEXLLMNIfm8qEIwJQGYLUKE9GyaHjjuFt_YOkQMOzC8hh9VpIekS8bc_eRfvVajXzrFSRAigOnfVBrMGrVVpxsqtjqz1Y9ochGHwrjO2b8oZyw06HjzsnuT9YpLXakBg1azOYx9KP-_XkDaKW6_Lkfn6Rmo8hpatadIF5qn54W_UkXvvsG7d4P8h_7uvO66rRhK1OXg3Qhazta3B_XFtiLcmusaqmglopEW1hI07FAvrqzemuY-_4EcvReLKfo84rl_BuJmLFVtQtDyAHtzngxw"}' -H "Content-Type: application/json" -H "X-Android-Package: com.example" -H "X-Android-Cert: 1111111111111111111111111111111111111111" -X POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=AIzaSyCmid3BBzBO0idOTNNRH-7RjCrA3xhvAho"
替换X-Android-Package,X-Android-Cert和key值以使用Android应用限制测试您的API密钥。
答案 1 :(得分:-2)
我认为您错过了一些基于文档的详细信息 - Validating the response with Google APIs:
注意:您需要API密钥才能访问Android设备验证API,并且API受到速率限制。出于这些原因,您应该仅在初始开发阶段使用API进行测试。您不应在生产方案中使用此验证API。
尝试添加API密钥并检查行为是否发生变化。
希望这有帮助。
答案 2 :(得分:-2)
您可以自己验证回复。这里有一些代码可以帮助您解释JWT响应:
您需要在后端验证签名。如果您没有使用简单的服务,Google会告诉您需要检查的内容:
验证兼容性检查响应
你应该采取措施 确保兼容性检查响应实际来自 SafetyNet服务,包括与您的请求数据匹配的数据。
警告:您应该将整个JWS响应发送到您自己的服务器, 使用安全连接进行验证。我们不建议这样做 您可以直接在应用中执行验证,因为在那里 在这种情况下,无法保证验证逻辑本身没有 已被修改。
按照以下步骤验证JWS消息的来源:
- 从JWS消息中提取SSL证书链。
- 验证 SSL证书链并使用SSL主机名匹配来验证 叶证书已颁发给主机名attest.android.com。
- 使用 用于验证JWS消息签名的证书。
- 检查 JWS消息的数据,以确保它与您的数据匹配 原始要求。特别要确保nonce,timestamp, 包名称,SHA-256哈希匹配。
来自:https://developer.android.com/training/safetynet/attestation.html