我想固定服务器的公共密钥,以便对服务器的任何请求都必须具有该公共密钥(这是为了防止像Charles这样的代理嗅探数据)。
我在Volley上用Android做过类似的事情。
如何使用Flutter做同样的事情?
创建一个SecurityContext没有可信任根的客户端以强制执行错误的证书回调,即使是获得良好的证书也是如此。
SecurityContext
SecurityContext(withTrustedRoots: false);
在错误的证书回调中,使用asn1lib包解析DER编码的证书。例如:
ASN1Parser p = ASN1Parser(der); ASN1Sequence signedCert = p.nextObject() as ASN1Sequence; ASN1Sequence cert = signedCert.elements[0] as ASN1Sequence; ASN1Sequence pubKeyElement = cert.elements[6] as ASN1Sequence; ASN1BitString pubKeyBits = pubKeyElement.elements[1] as ASN1BitString; List<int> encodedPubKey = pubKeyBits.stringValue; // could stop here and compare the encoded key parts, or... // parse them into their modulus/exponent parts, and test those // (assumes RSA public key) ASN1Parser rsaParser = ASN1Parser(encodedPubKey); ASN1Sequence keySeq = rsaParser.nextObject() as ASN1Sequence; ASN1Integer modulus = keySeq.elements[0] as ASN1Integer; ASN1Integer exponent = keySeq.elements[1] as ASN1Integer; print(modulus.valueAsBigInteger); print(exponent);
