I know that X509Certificate implementations with a hard-coded `return true` or just an empty block `{}` are bad, but I am having a hard time finding an answer to the following:
I see many apps that set up an X509Certificate and perform proper checks in checkServerTrusted and getAcceptedIssuers, but in many cases checkClientTrusted still uses an empty block or `return true`.
Is this still dangerous and insecure, even though the server is checked for proper trust and the chain of trust is built from that side?
Example, taken from a reversed application, hence obfuscated:
```java
// Decompiled, obfuscated fragment: this.b is the wrapped trust manager,
// a(...) is an additional (obfuscated) check on the leaf certificate.
public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
    throws CertificateException
{
    // empty: no check at all on the client side
}

public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
    throws CertificateException
{
    int i = paramArrayOfX509Certificate.length;
    for (int j = 0; j < i; j++)
    {
        X509Certificate localX509Certificate = paramArrayOfX509Certificate[j];
        // builds "issuer - subject" per certificate; result is discarded (decompiler residue, likely a removed log call)
        new StringBuilder().append(localX509Certificate.getIssuerDN().toString()).append(" - ").append(localX509Certificate.getSubjectDN().toString());
    }
    this.b.checkServerTrusted(paramArrayOfX509Certificate, paramString);
    a(paramArrayOfX509Certificate[0]);
}
```
Do both methods have to perform checks in order to build the chain of trust, or can the client be anyone/anything as long as the server is trusted?