Add a data getter to X509Certificate

[zanderso]

Add a data getter to X509Certificate that returns the DER encoded bytes of the certificate from i2d_X509() as an UnmodifiableUint8List.

This is to enable SSL pinning.

/cc @mit-mit @a-siva

[mit-mit]

Related Flutter bug: flutter/flutter#16066

[zanderso]

https://dart-review.googlesource.com/c/sdk/+/55505

I'll land after adding a getter for the sha1, which is what I think you mean by fingerprint.

[zanderso]

It should make it in the next roll into Flutter top-of-tree. I'll link the pull request to follow when it shows up.

[jamespet77]

Is this available in the beta release of Flutter yet? or where can I pull this source?

[zanderso]

Sorry for not updating. This is now available in Flutter.

[jamespet77]

I'm pretty new to flutter. Can someone point me towards a tutorial or a doc that describes how to use this.

[zoechi]

@linuxjet did you check the test

sdk/tests/standalone_2/io/secure_client_server_test.dart

Lines 44 to 73 in e7495e4

	void checkServerCertificate(X509Certificate serverCert) {
	String serverCertString = serverCert.pem;
	String certFile =
	new File(localFile('certificates/server_chain.pem')).readAsStringSync();
	Expect.isTrue(certFile.contains(serverCertString));
	// Computed with:
	// openssl x509 -noout -sha1 -fingerprint -in certificates/server_chain.pem
	List<int> serverSha1 = <int>[
	0xB3, 0x01, 0xCB, 0x7E, 0x6F, 0xEF, 0xBE, 0xEF, //
	0x75, 0x6D, 0xA8, 0x80, 0x60, 0xA8, 0x5D, 0x6F, //
	0xC4, 0xED, 0xCD, 0x48, //
	];
	Expect.listEquals(serverSha1, serverCert.sha1);
	}
	Future testClient(server) {
	return SecureSocket
	.connect(HOST, server.port, context: clientContext)
	.then((socket) {
	checkServerCertificate(socket.peerCertificate);
	socket.write("Hello server.");
	socket.close();
	return socket.fold(<int>[], (message, data) => message..addAll(data)).then(
	(message) {
	Expect.listEquals("Hello server.".codeUnits, message);
	return server;
	});
	});
	}

(can't help more)

[jamespet77]

HA!.. no I didn't. because I didn't see it. thx

[qwilbird]

Hi,
what about public key pinning (HPKP). Can the SecurityContext validate a public key instead of a certificate? This is more future proof as certificate pinning comes with issues of certificate expiry
Cheers

[daadu]

any update on SSL pinning with public key?

[a-siva]

Can we file a new feature request for SLL pinning with public key, this issue was opened for adding 'data' getter which is done and the issue closed.

[sandeepcmsm]

issue opened for ssl public key pinning support. #35981