Google如何验证Android SHA1指纹和包? [英] How does google verify Android SHA1 fingerprints and packages?
问题描述
我试图让我的Google翻译API工作,但目前我找不到方法。这是我在Google Developer Console中的设置:
我使用调试证书设置了我的SHA1指纹。和包名 - bg.webmap.wordy(这是实际的名字)。当我尝试拨打电话时,JSON中返回ipRefererBlocked错误。但是,当我删除指纹和包名称时,它完美地工作,但每个人都可以使用此密钥,因此它非常不安全。所以我的问题是验证。
当API被调用时,我的应用程序会自动发送这个指纹吗?我应该自己发送吗?问题可能在调试证书中吗?
I am trying to make my Google Translate API work but currently I can't find a way. This is how I have set things in Google Developer Console :
I have set my SHA1 fingerprint with the debug certificates. And package name -"bg.webmap.wordy"(which is the actual name). When I try to make a call an "ipRefererBlocked" error is returned in JSON. But when I remove the fingerprint and package name, It works perfectly, but then everybody can use this key, so it is very insecure. So my problem is with authentication.
Will my app automatically send this fingerprint when the API is called? Should I send it myself and how? May the problem be in the debug certificates?
推荐答案
API调用
时,我的应用程序是否会自动发送这个指纹?
Will my app automatically send this fingerprint when the API is called?
NO!
我自己和如何?
Should I send it myself and how?
YES!
设置您的API密钥对android应用程序的限制,您指定了软件包名称和SHA-1证书指纹。因此,当您向Google发送请求时,您必须将这些信息添加到每个请求的标题中。
When setting up your API key restriction for android app, you specified the package name and SHA-1 certificate fingerprint. So when you send an request to Google, you must add these information in the header of each request.
如何?
As answered here, you need to get your package name and SHA certificate from your code, and then adding to request header.
获取SHA证书:
/**
* Gets the SHA1 signature, hex encoded for inclusion with Google Cloud Platform API requests
*
* @param packageName Identifies the APK whose signature should be extracted.
* @return a lowercase, hex-encoded
*/
public static String getSignature(@NonNull PackageManager pm, @NonNull String packageName) {
try {
PackageInfo packageInfo = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
if (packageInfo == null
|| packageInfo.signatures == null
|| packageInfo.signatures.length == 0
|| packageInfo.signatures[0] == null) {
return null;
}
return signatureDigest(packageInfo.signatures[0]);
} catch (PackageManager.NameNotFoundException e) {
return null;
}
}
private static String signatureDigest(Signature sig) {
byte[] signature = sig.toByteArray();
try {
MessageDigest md = MessageDigest.getInstance("SHA1");
byte[] digest = md.digest(signature);
return BaseEncoding.base16().lowerCase().encode(digest);
} catch (NoSuchAlgorithmException e) {
return null;
}
}
添加到请求标题:
java.net.URL url = new URL(REQUEST_URL);
HttpURLConnection connection = (HttpURLConnection)url.openConnection();
try {
connection.setDoInput(true);
connection.setDoOutput(true);
connection.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
connection.setRequestProperty("Accept", "application/json");
// add package name to request header
String packageName = mActivity.getPackageName();
connection.setRequestProperty("X-Android-Package", packageName);
// add SHA certificate to request header
String sig = getSignature(mActivity.getPackageManager(), packageName);
connection.setRequestProperty("X-Android-Cert", sig);
connection.setRequestMethod("POST");
// ADD YOUR REQUEST BODY HERE
// ....................
} catch (Exception e) {
e.printStackTrace();
} finally {
connection.disconnect();
}
You can see full answer here.
欣赏编码:)
这篇关于Google如何验证Android SHA1指纹和包?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
