这个案例算是比较麻烦的了,自己改了rom 已经可以绕过普通的app ssl证书检测,到这个就没法绕过,大概分析了下 实现如下,算是自己实现了证书的查找和校验。
这个点找了一天。。。。。
放下他们的查找思路,绕过就frida 就行了
注册自己的证书对应的host 重要的接口,请求都去查找证书 对比数量等,后边再去检测所有证书的签发信息 主要是检测公钥key以及证书数量
private final void checkSSLCertificateValid(Interceptor.Chain chain) {
Certificate findRootCertificate;
Handshake handshake;
Handshake handshake2;
CipherSuite cipherSuite;
String cipherSuite2;
Connection connection = chain.connection();
String str = "";
if (connection != null && (handshake2 = connection.handshake()) != null && (cipherSuite = handshake2.cipherSuite()) != null && (cipherSuite2 = cipherSuite.toString()) != null) {
str = cipherSuite2;
}
String str2 = str;
if (StringsKt.contains((CharSequence) str2, (CharSequence) "sm2", true) || StringsKt.contains((CharSequence) str2, (CharSequence) "sm3", true)) {
return;
}
Request request = chain.request();
if (TextUtils.isEmpty(request.header(IGNORE_SSL))) {
HttpUrl url = request.url();
SSLCertificateManager sSLCertificateManager = SSLCertificateManager.INSTANCE;
String host = url.host();
Intrinsics.checkNotNullExpressionValue(host, "it.host()");
Certificate findCertificate = sSLCertificateManager.findCertificate(host, url.port());
if (findCertificate == null) {
return;
}
Connection connection2 = chain.connection();
List<Certificate> list = null;
if (connection2 != null && (handshake = connection2.handshake()) != null) {
list = handshake.peerCertificates();
}
List wrapNullList = CollectionUtils.wrapNullList(list);
Intrinsics.checkNotNullExpressionValue(wrapNullList, "wrapNullList(chain.conne…ke()?.peerCertificates())");
List list2 = wrapNullList;
if (CollectionUtils.isEmpty(list2)) {
return;
}
LinkedList linkedList = new LinkedList();
int size = wrapNullList.size() - 1;
if (size >= 0) {
while (true) {
int i = size - 1;
Certificate certificate = (Certificate) wrapNullList.get(size);
if ((certificate instanceof X509Certificate) && (findRootCertificate = findRootCertificate((X509Certificate) certificate)) != null) {
linkedList.add(findRootCertificate);
break;
} elseif (i < 0) {
break;
} else {
size = i;
}
}
}
linkedList.addAll(list2);
Iterator it = linkedList.iterator();
while (it.hasNext()) {
if (((Certificate) it.next()).getPublicKey().equals(findCertificate.getPublicKey())) {
return;
}
}
throw new IllegalStateException("证书校验失败,请检查网络后再试");
}
}
/* loaded from: classes4.dex */
public class ServerSSLCertificate implements Comparable<ServerSSLCertificate> {
private Callable<Certificate> generator;
private String host;
private int port;
public String getHost() {
return this.host;
}
public void setHost(String str) {
this.host = str;
}
public int getPort() {
return this.port;
}
public void setPort(int i) {
this.port = i;
}
public Callable<Certificate> getGenerator() {
return this.generator;
}
public void setGenerator(Callable<Certificate> callable) {
this.generator = callable;
}
public boolean equals(Object obj) {
if (this == obj) {
returntrue;
}
if (obj == null || getClass() != obj.getClass()) {
returnfalse;
}
ServerSSLCertificate serverSSLCertificate = (ServerSSLCertificate) obj;
return this.port == serverSSLCertificate.port && TextUtils.equals(this.host, serverSSLCertificate.host);
}
public int hashCode() {
return Objects.hash(this.host, Integer.valueOf(this.port));
}
@Override // java.lang.Comparable
public int compareTo(ServerSSLCertificate serverSSLCertificate) {
if (TextUtils.equals(this.host, serverSSLCertificate.host)) {
return this.port - serverSSLCertificate.port;
}
return this.host.compareTo(serverSSLCertificate.host);
}
public final class SSLCertificateManager {
public static final SSLCertificateManager INSTANCE = new SSLCertificateManager();
/* renamed from: certificates$delegate, reason: from kotlin metadata */
private static final Lazy certificates = LazyKt.lazy(new Function0<Map<String, ServerSSLCertificate>>() {
@Override // kotlin.jvm.functions.Function0
public final Map<String, ServerSSLCertificate> invoke() {
List<Ternary<String, Integer, Callable<Certificate>>> sSLCertificate;
String key;
ConcurrentHashMap concurrentHashMap = new ConcurrentHashMap();
NetworkInjectHandler inject_handler = ConfigConstantsKt.getINJECT_HANDLER();
if (inject_handler != null && (sSLCertificate = inject_handler.getSSLCertificate()) != null) {
List<Ternary<String, Integer, Callable<Certificate>>> list = sSLCertificate;
ArrayList<ServerSSLCertificate> arrayList = new ArrayList(CollectionsKt.collectionSizeOrDefault(list, 10));
Iterator<T> it = list.iterator();
while (it.hasNext()) {
Ternary ternary = (Ternary) it.next();
ServerSSLCertificate serverSSLCertificate = new ServerSSLCertificate();
serverSSLCertificate.setHost((String) ternary.first);
S s = ternary.second;
Intrinsics.checkNotNullExpressionValue(s, "it.second");
serverSSLCertificate.setPort(((Number) s).intValue());
serverSSLCertificate.setGenerator((Callable) ternary.third);
arrayList.add(serverSSLCertificate);
}
for (ServerSSLCertificate serverSSLCertificate2 : arrayList) {
key = SSLCertificateManager.INSTANCE.getKey(serverSSLCertificate2);
concurrentHashMap.put(key, serverSSLCertificate2);
}
}
return concurrentHashMap;
}
});
private SSLCertificateManager() {
}
private final Map<String, ServerSSLCertificate> getCertificates() {
return (Map) certificates.getValue();
}
public final void registerCertificate(String host, int port, Callable<Certificate> generator) {
Intrinsics.checkNotNullParameter(host, "host");
Intrinsics.checkNotNullParameter(generator, "generator");
ServerSSLCertificate serverSSLCertificate = new ServerSSLCertificate();
serverSSLCertificate.setHost(host);
serverSSLCertificate.setPort(port);
serverSSLCertificate.setGenerator(generator);
registerCertificate(serverSSLCertificate);
}
private final void registerCertificate(ServerSSLCertificate serverCertificate) {
if (getCertificates().put(getKey(serverCertificate), serverCertificate) == null || !AocContext.isStrict()) {
return;
}
throw new IllegalStateException("there has the same server ssl certificate config witch the host is " + ((Object) serverCertificate.getHost()) + " and the port is " + serverCertificate.getPort());
}
/* JADX INFO: Access modifiers changed from: private */
public final String getKey(ServerSSLCertificate serverSSLCertificate) {
if (serverSSLCertificate.getPort() > 0) {
return Intrinsics.stringPlus(serverSSLCertificate.getHost(), Integer.valueOf(serverSSLCertificate.getPort()));
}
String host = serverSSLCertificate.getHost();
Intrinsics.checkNotNullExpressionValue(host, "host");
return host;
}
public final Certificate findCertificate(String host, int port) {
Callable<Certificate> generator;
Intrinsics.checkNotNullParameter(host, "host");
ServerSSLCertificate serverSSLCertificate = getCertificates().get(Intrinsics.stringPlus(host, Integer.valueOf(port)));
if (serverSSLCertificate == null) {
serverSSLCertificate = getCertificates().get(host);
}
if (serverSSLCertificate == null || (generator = serverSSLCertificate.getGenerator()) == null) {
return null;
}
return generator.call();
}
}
原文始发于微信公众号(小白技术社):绕过自实现SSL证书检测
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论