0

我正在使用 AWS CA 为我在 Flutter 应用程序中使用的 ElasticBeanstalk 生成 SSL 证书。根据投注实践,我正在尝试将来自Amazon Trusted Services的 HTTP 客户端固定到根证书

我在使用 Flutter HTTP 客户端时遇到了 2 个问题:

  1. 每当我尝试加载证书时,它都会崩溃:
[VERBOSE-2:ui_dart_state.cc(209)] Unhandled Exception: TlsException: Failure trusting builtin roots (OS Error: BAD_PKCS12_DATA(pkcs8_x509.c:657), errno = 0)

这是我使用的证书(五个之一,我将它们全部添加):

final _awsRoot1 = _decodePEM("""-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----""");

这就是我要做的解码PEM

Uint8List _decodePEM(pem) {
  for (var s in _startsWith) {
    if (pem.startsWith(s)) pem = pem.substring(s.length);
  }
  for (var s in _endsWith) {
    if (pem.endsWith(s)) pem = pem.substring(0, pem.length - s.length);
  }
  pem = pem.replaceAll('\n', '');
  pem = pem.replaceAll('\r', '');
  return Uint8List.fromList(base64.decode(pem));
}

并通过以下方式添加:

void certificatePinningPem(SecurityContext context) {
  context.setTrustedCertificatesBytes(_awsRoot1);
  context.setTrustedCertificatesBytes(_awsRoot2);
  context.setTrustedCertificatesBytes(_awsRoot3);
  context.setTrustedCertificatesBytes(_awsRoot4);
  context.setTrustedCertificatesBytes(_awsRoot5);
}

读取DER文件时出现相同的异常:

final aws1 = await rootBundle.load('assets/cer/aws1.cer');
context.setTrustedCertificatesBytes(aws1.buffer.asUint8List());
  1. 来自连接的 PEM 文件不同

尽管如此,当我使用时badCertificateCallback,证书中的文件与回购pem中的这五个文件中的任何一个都不匹配那么如何从连接中获取根证书

httpClient.badCertificateCallback = (
      X509Certificate certificate,
      String host,
      int port,
    ) {
      print('Bad certificate: ${certificate.pem} for host $host:$port');
      return false;
    };

关于如何使用 AWS 根证书在 Flutter 中正确地进行证书固定有什么建议吗?

我发现了一些相关的线程,但它们并没有真正的帮助,即 https://github.com/flutter/flutter/issues/39190#issuecomment-693315205

4

0 回答 0