如何在Flutter中固定公钥? [英] How can I do public key pinning in Flutter?

问题描述

我想固定服务器的公共密钥，以便对服务器的任何请求都必须具有该公共密钥(这是为了防止像Charles这样的代理嗅探数据).

I want to the pin the public key of my server so that any request made to the server has to have that public key (this is to prevent proxies like Charles sniffing the data).

我在Volley上用Android做过类似的事情.

I had done something similar in Android with Volley.

如何使用Flutter进行同样的操作?

How can I do the same with Flutter?

推荐答案

使用没有信任根的SecurityContext创建您的客户端，以强制执行错误的证书回调，即使是好的证书也是如此.

Create your client with a SecurityContext with no trusted roots to force the bad certificate callback, even for a good certificate.

SecurityContext(withTrustedRoots: false);

在错误的证书回调中，使用 asn1lib软件包解析DER编码的证书.例如:

In the bad certificate callback, parse the DER encoded certificate using the asn1lib package. For example:

ASN1Parser p = ASN1Parser(der);
ASN1Sequence signedCert = p.nextObject() as ASN1Sequence;
ASN1Sequence cert = signedCert.elements[0] as ASN1Sequence;
ASN1Sequence pubKeyElement = cert.elements[6] as ASN1Sequence;

ASN1BitString pubKeyBits = pubKeyElement.elements[1] as ASN1BitString;

List<int> encodedPubKey = pubKeyBits.stringValue;
// could stop here and compare the encoded key parts, or...

// parse them into their modulus/exponent parts, and test those
// (assumes RSA public key)
ASN1Parser rsaParser = ASN1Parser(encodedPubKey);
ASN1Sequence keySeq = rsaParser.nextObject() as ASN1Sequence;
ASN1Integer modulus = keySeq.elements[0] as ASN1Integer;
ASN1Integer exponent = keySeq.elements[1] as ASN1Integer;

print(modulus.valueAsBigInteger);
print(exponent);

这篇关于如何在Flutter中固定公钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！