flutterdartcurlaws-iot-coredart-http

How to send AWS iot http request from flutter app using certificates?

I am trying to publish a message to AWS IoT using flutter application.

Based on AWS's documentation I have tried to replicate

curl --tlsv1.2 \
    --cacert Amazon-root-CA-1.pem \
    --cert device.pem.crt \
    --key private.pem.key \
    --request POST \
    --data "{ \"message\": \"Hello, world\" }" \
    "https://IoT_data_endpoint:8443/topics/topic?qos=1"

Here is what I have tried

    final List<int> trustedCertificateBytes =
        (await rootBundle.load('assets/certificates/AmazonRootCA1.pem'))
            .buffer
            .asInt8List();
    final List<int> certificateChainBytes = (await rootBundle.load(
            'assets/certificates/device.pem.crt'))
        .buffer
        .asInt8List();
    final List<int> privateKeyBytes = (await rootBundle.load(
            'assets/certificates/private.pem.key'))
        .buffer
        .asInt8List();
    final data = jsonEncode(
      <String, dynamic>{"message": "hello world"},
    );


    final context = SecurityContext.defaultContext;
    context.setTrustedCertificatesBytes(trustedCertificateBytes);
    context.useCertificateChainBytes(certificateChainBytes);
    context.usePrivateKeyBytes(privateKeyBytes);
    final client = HttpClient(context: context);
    final request = await client.openUrl(
        'POST', Uri.parse("https://$myEndpoint/topics/some_topic?qos=1"));
    request.write(data);

    try {
      final response = await request.close();
      print("success");
      print(response);
      response.transform(utf8.decoder).listen((contents) {
        print(contents);
      });
    } catch (e) {
      print(e);
    }

On first api call, http call is successfull but the response is {"message":"Missing authentication","traceId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

On every subsequent call flutter throws this error:

 [ERROR:flutter/lib/ui/ui_dart_state.cc(199)] Unhandled Exception: TlsException: Failure trusting builtin roots (OS Error: CERT_ALREADY_IN_HASH_TABLE(x509_lu.c:356), errno = 0)

Any idea on how do I get it to work?

-- Edited section: The first call issue is solved, added context.setAlpnProtocols(["x-amzn-http-ca"], false); worked like charm. The problem on subsequent call still exists.

Solution

  • OP here.

    Setting alpn protocol for the context solved the authentication token issue

    ...
context.setAlpnProtocols(["x-amzn-http-ca"], false);
...

    Then I set up a global flag on whether or not the certificates are already set. If already set, no need to set again.

    Global scope

    bool setCert = false;

    Function scope

    if (!setCert){
  // Set certificates & alpn protocol here
  setCert = true;
}

    And it solved the second issue.