dart-lang
[ok_http] Support Android Keystore PrivateKeys
Please see https://github.com/dart-lang/sdk/issues/50669, it serves as a starting point for this feature implementation.
The Android KeyStore System prohibits the application from extracting key material.
This essentially prevents HTTP client users from supplying the ByteArray of Key Material into the SecurityContext using setTrustedCertificatesBytes
However, since OkHttp can interact with native APIs, we can let the OkHttpClient use an SSLSocketFactory and pass the Key Material using javax.net.ssl.X509TrustManager
Proposal
Expose a new API in OkHttpClient:
class OkHttpClient ... {
void setClientCertificateFromKeyStore(String keyStoreAlias) {...}
}
See https://github.com/dart-lang/sdk/issues/50669#issuecomment-1352800017
If this is what we're going for, do you think that it would be better to write native code and then generate bindings of that (much like what we have for RedirectInterceptor and AsyncInputStreamReader) , rather than generating bindings for too many classes and then implementing it in Dart using JNI
Tests
What tests would be required to check if this is working correctly?
Setup a mock HTTPS Server with a CertificateChain and PrivateKey.
Then, setup valid and invalid certificates in the KeyStore and make requests from OkHttpClient?
cc @brianquinlan @camsim99
I would assume that the implementation requires that you use sslSocketFactory? Does that limit the connection to not be HTTP/QUIC?
It might make sense to think of this in terms of what functionality from OkHttpClient.Build we want to make available in the client?
More interesting links: https://android-developers.googleblog.com/2012/03/unifying-key-store-access-in-ics.html