search

dart-lang / sdk

The Dart SDK, including the VM, JS and Wasm compilers, analysis, core libraries, and more.
https://dart.dev
BSD 3-Clause "New" or "Revised" License
10.04k stars 1.55k forks source link

HttpClient should honor user-installed certificates on Android #50435

Open brianquinlan opened 1 year ago

brianquinlan commented 1 year ago

See https://github.com/dart-lang/sdk/issues/48056 for context.

brianquinlan commented 1 year ago

I've been experimenting with moving Flutter to use package:http.

That would allow the user to use package:cronet_http, which does honor user-installed certificates.

There are two other approaches that I can think of to solve this:

  1. use JNI to ask the OS to resolve the certificate
  2. make certificate resolution the responsibility of the embedder (i.e. Flutter)
berdroid commented 1 year ago

That would allow the user to use package:cronet_http, which does honor user-installed certificates.

I think this will be problematic for people using Dart/Flutter on an embedded Android platform, that typically does not support Google Play Serives.

There are two other approaches that I can think of to solve this:

  1. use JNI to ask the OS to resolve the certificate
  2. make certificate resolution the responsibility of the embedder (i.e. Flutter)

Option 2 seems to be preferable as it opens up solutions for other platforms/emebedders.

brianquinlan commented 1 year ago

I started a discussing on this in the hackers-framework-🔩 Discussion. So far the feedback is that depending on package:http seems like a bad idea.

brianquinlan commented 1 year ago

It looks like there is only one common use case in Flutter where dart:io HttpClient is used: image display through Image.network.

It is very easy to replace this with package:cached_network_image, which uses package:http and can, therefore, be configured to use a native http client.

brianquinlan commented 1 year ago

I've updated the examples in cupertino_http and cronet_http to use package:cached_network_image.

At this point it should be possible to use those packages to with user-installed certificates.

brianquinlan commented 1 year ago

I wrote a design doc suggesting that we recommend package:http as an HTTP client. Feedback welcome!

brianquinlan commented 1 year ago

I presented this at the Dash forum. It's basically asking for feedback for the design doc. There seemed to be consensus so I'm moving forward on it.

brianquinlan commented 1 year ago

There is still work to do in terms of documentation but think that we already have a solution in place.

r3a1d3a1 commented 4 months ago

This is also important in case of old Android versions not getting updated CA roots. A savvy user could add newer roots manually, but flutter apps still wouldn't work. Any timeline of when this will be completed?

Kampe commented 2 months ago

Would like to know if this is in the roadmap at all?

dwarf-king-hreidmar commented 1 month ago

Is there a bounty I can pay to get this feature? There are a few downstream apps that use your libraries and I'm running them completely offline. I don't want my passwords floating around on my wifi and I don't want to be exposed to man-in-the middle attacks because I have to turn off ssl verification on my apps. Why can't I trust my own installed CAs just like the device does? Happy to donate 100 bucks just point me where I can donate.