Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I do public key pinning in Flutter?

Tags:

flutter

dart

pinning

I want to the pin the public key of my server so that any request made to the server has to have that public key (this is to prevent proxies like Charles sniffing the data).

I had done something similar in Android with Volley.

How can I do the same with Flutter?

like image 859
Harsh Bhikadia Avatar asked Jan 26 '23 17:01

Harsh Bhikadia

2 Answers

Create your client with a SecurityContext with no trusted roots to force the bad certificate callback, even for a good certificate.

SecurityContext(withTrustedRoots: false);

In the bad certificate callback, parse the DER encoded certificate using the asn1lib package. For example:

ASN1Parser p = ASN1Parser(der);
ASN1Sequence signedCert = p.nextObject() as ASN1Sequence;
ASN1Sequence cert = signedCert.elements[0] as ASN1Sequence;
ASN1Sequence pubKeyElement = cert.elements[6] as ASN1Sequence;

ASN1BitString pubKeyBits = pubKeyElement.elements[1] as ASN1BitString;

List<int> encodedPubKey = pubKeyBits.stringValue;
// could stop here and compare the encoded key parts, or...

// parse them into their modulus/exponent parts, and test those
// (assumes RSA public key)
ASN1Parser rsaParser = ASN1Parser(encodedPubKey);
ASN1Sequence keySeq = rsaParser.nextObject() as ASN1Sequence;
ASN1Integer modulus = keySeq.elements[0] as ASN1Integer;
ASN1Integer exponent = keySeq.elements[1] as ASN1Integer;

print(modulus.valueAsBigInteger);
print(exponent);
like image 167
Richard Heap Avatar answered Jan 29 '23 08:01

Richard Heap

Key rotation reduces risk. When an attacker obtains an old server hard drive or backup file and gets an old server private key from it, they cannot impersonate the current server if the key has been rotated. Therefore always generate a new key when updating certificates. Configure the client to trust the old key and the new key. Wait for your users to update to the new version of the client. Then deploy the new key to your servers. Then you can remove the old key from the client.

Server key pinning is only needed if you're not rotating keys. That's bad security practice.

You should do certificate pinning with rotation. I have added example code in How to do SSL pinning via self generated signed certificates in flutter?

like image 35
M. Leonhard Avatar answered Jan 29 '23 08:01

M. Leonhard
Sign in to Comment

Related questions

Copy asset from bundle to file system
How to use multiple navigators
Android Gradle Issue - Flutter / Dart
Use question mark operator when calling method on possible null value?
flutter error when importing custom font
Flutter combo box
Process large number of tasks using Isolate
Why does `if (var = null)` compile in dart?
Flutter - How to controll the velocity of a ListView builder?
keytool : The term 'keytool' is not recognized as the name of a cmdlet, function, script file, or operable program
Flutter: FloatingActionButton shadow
jumping to another page in PageView() not working
Flutter close a Dialog inside a condition
How to check if node exists in Firebase Database with Flutter/Dart
In the Flutter what is best way to add package in pubspec.yaml file?
Flutter firebase database.set(object) issue
Convert application/octet-stream to image/jpeg/png in flutter?
Flutter Firebase Analytics Not Logging Event

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!