How To Establishing a Certificate-Based Connection to APNs

Question

I do not know is it correct way or not but I am trying to get certificate from macos keychain and use it on flutter httpclient to establish a Certificate based connection. I just wonder is it possible or not.

For now i can get the certificate with native code with and i am returning the data:

  var certificate: SecCertificate?
  SecIdentityCopyCertificate(identityNotNil, &certificate)
  let data = SecCertificateCopyData(certificate!)

then i try to use it like inside flutter:

SecurityContext context = SecurityContext.defaultContext
   ..useCertificateChain(certificateByteArray, password: 'password');

var _client = HttpClient(context: context);

but i am getting error about bad certificate. Maybe there is a way to reach keychain directly from flutter.

Thank you.

To be more specific, i am trying to use a certificate like : https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_certificate-based_connection_to_apns

Answer 1

I assume that your question relates to flutter web - not a standalone Mac OS application? Then I can think of the following scenarios:

1. Use client certificates to establish an SSL based secure transport layer with certificate based authentication.

2. Use client certificates to exchange encrypted messages with encryption done by the application (both client and server) or use client certificates on the application layer for Authentication only.

Scenario 1: SSL with client certificates

In flutter web, HTTP Connections are only supported via XMLHttpRequest - the underlying JavaScript Object - under the hood flutter web code is transformed into JavaScript code. XMLHTTPRequest does NOT support any Client Certificates.

But you can configure the Browser to use client certificates when connecting to a WebServer via SSL - this would be fully transparent to the flutter web app. All modern browsers support client certificates and do access the MacOS keychain.

Of course, the server need to support SSL with client certificates. E.g. if you want to use client certificates in order to authenticate to a Spring Application based on SSL client certificates, this is described here:

Spring Security - Pre-Authentication Scenarios

Scenario 2: Application layer encryption/authentication

This is a very unusual scenario, as web applications usually rely on SSL for many good reasons: No coding is required and its pretty secure. But of course, it is technically feasible to implement encryption of all messages exchanged with the server on your own.

Letting aside the pure coding work (encryption libraries also exist for flutter), the key problem is to get the certificate and the private key into the application. Loading the certificate from the server without prior authentication (like the web app itself or all assets) would be a major security flaw, because then an attacker could also easily download the certificate/private key.

The only secure way I can think of, is to obtain the certificate and private key form the client computer. Unfortunately, a flutter web app - like every JavaScript app - is running in a Sandbox within a Browser, which puts major constraints on the application - for good Browser security reasons. Due to this sandbox, the flutter web app CANNOT access the Mac OS keychain directly.

But you can let the user pick a file with the certificate and private key. This is described here:

How to Pick files and Images for upload with flutter web