search

dart-lang / http

A composable API for making HTTP requests in Dart.
https://pub.dev/packages/http
BSD 3-Clause "New" or "Revised" License
1.01k stars 343 forks source link

[ok_http] Support Android Keystore PrivateKeys #1237

Open Anikate-De opened 2 weeks ago

Anikate-De commented 2 weeks ago

Please see https://github.com/dart-lang/sdk/issues/50669, it serves as a starting point for this feature implementation.

The Android KeyStore System prohibits the application from extracting key material.

This essentially prevents HTTP client users from supplying the ByteArray of Key Material into the SecurityContext using setTrustedCertificatesBytes

However, since OkHttp can interact with native APIs, we can let the OkHttpClient use an SSLSocketFactory and pass the Key Material using javax.net.ssl.X509TrustManager

Proposal

Expose a new API in OkHttpClient:

class OkHttpClient ... {
    void setClientCertificateFromKeyStore(String keyStoreAlias) {...}
}

See https://github.com/dart-lang/sdk/issues/50669#issuecomment-1352800017

If this is what we're going for, do you think that it would be better to write native code and then generate bindings of that (much like what we have for RedirectInterceptor and AsyncInputStreamReader) , rather than generating bindings for too many classes and then implementing it in Dart using JNI

Tests

What tests would be required to check if this is working correctly?

Setup a mock HTTPS Server with a CertificateChain and PrivateKey. Then, setup valid and invalid certificates in the KeyStore and make requests from OkHttpClient?

cc @brianquinlan @camsim99

brianquinlan commented 1 week ago

I would assume that the implementation requires that you use sslSocketFactory? Does that limit the connection to not be HTTP/QUIC?

It might make sense to think of this in terms of what functionality from OkHttpClient.Build we want to make available in the client?