feat(mobile): Adding setting in mobile app to TLS client certificate (#10860)

* feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com>
2025-07-09 09:12:57 +02:00 · 2024-07-26 14:59:02 +01:00 · 2024-07-26 14:59:02 +01:00 · ea5d6780f2
commit ea5d6780f2
parent 62ac9bb7cd
8 changed files with 321 additions and 16 deletions
--- a/mobile/lib/utils/http_ssl_cert_override.dart
+++ b/mobile/lib/utils/http_ssl_cert_override.dart
@ -4,12 +4,49 @@ import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:logging/logging.dart';

 class HttpSSLCertOverride extends HttpOverrides {
+  static final Logger _log = Logger("HttpSSLCertOverride");
+  final SSLClientCertStoreVal? _clientCert;
+  late final SecurityContext? _ctxWithCert;
+
+  HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load() {
+    if (_clientCert != null) {
+      _ctxWithCert = SecurityContext(withTrustedRoots: true);
+      if (_ctxWithCert != null) {
+        setClientCert(_ctxWithCert, _clientCert);
+      } else {
+        _log.severe("Failed to create security context with client cert!");
+      }
+    } else {
+      _ctxWithCert = null;
+    }
+  }
+
+  static bool setClientCert(SecurityContext ctx, SSLClientCertStoreVal cert) {
+    try {
+      _log.info("Setting client certificate");
+      ctx.usePrivateKeyBytes(cert.data, password: cert.password);
+      if (!Platform.isIOS) {
+        ctx.useCertificateChainBytes(cert.data, password: cert.password);
+      }
+    } catch (e) {
+      _log.severe("Failed to set SSL client cert: $e");
+      return false;
+    }
+    return true;
+  }
+
  @override
  HttpClient createHttpClient(SecurityContext? context) {
+    if (context != null) {
+      if (_clientCert != null) {
+        setClientCert(context, _clientCert);
+      }
+    } else {
+      context = _ctxWithCert;
+    }
+
    return super.createHttpClient(context)
      ..badCertificateCallback = (X509Certificate cert, String host, int port) {
-        var log = Logger("HttpSSLCertOverride");
-
        AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;

        // Check if user has allowed self signed SSL certificates.
@ -28,7 +65,7 @@ class HttpSSLCertOverride extends HttpOverrides {
        }

        if (!selfSignedCertsAllowed) {
-          log.severe("Invalid SSL certificate for $host:$port");
+          _log.severe("Invalid SSL certificate for $host:$port");
        }

        return selfSignedCertsAllowed;