fix(auth/connectivity): try to fix certificate issue on windows 11 (#…

…2472)

## Description

## Tests

auth/lib/core/win_http_client.dart

@@ -1,20 +1,46 @@
+// Inspired from https://github.com/netfarm/lehttp_overrides
+
 import 'dart:convert';
 import 'dart:io';
+import 'dart:typed_data';
+
+// expired
+const String kSha1DstX3 = 'DAC9024F54D8F6DF94935FB1732638CA6AD77C13';
 
-import 'package:logging/logging.dart';
+// ISRG Root X1
+const String kIsrgRootX1 = '''-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----''';
 
-/*
-Reference from
-https://github.com/realm/realm-dart/blob/main/packages/realm_dart/lib/src/handles/native/default_client.dart
-https://github.com/realm/realm-dart/pull/1378
- */
-HttpClient windowsHttpClient() {
-  final logger = Logger("WindowsHttpClient");
-  const isrgRootX1CertPEM = // The root certificate used by lets encrypt
-      '''
-subject=CN=ISRG Root X1,O=Internet Security Research Group,C=US
-issuer=CN=DST Root CA X3,O=Digital Signature Trust Co.
------BEGIN CERTIFICATE-----
+const String kIsrgRootX1Alt = '''-----BEGIN CERTIFICATE-----
 MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
 DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
@@ -44,28 +70,77 @@ MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
 WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
 he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
 Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
------END CERTIFICATE-----''';
+-----END CERTIFICATE-----
+''';
+
+const String kLetsEncryptCert = '''-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+''';
+
+String _hexConverter(Uint8List bytes) {
+  final StringBuffer buffer = StringBuffer();
+  for (int part in bytes) {
+    buffer.write('${part < 16 ? '0' : ''}${part.toRadixString(16)}');
+  }
+  return buffer.toString().toUpperCase();
+}
+
+class WindowsHttpOverrides extends HttpOverrides {
+  static bool? _initRootCert;
+  final bool allowExpiredDSTX3;
+
+  static bool _addRootCert() {
+    if (Platform.isWindows) {
+      final List<int> cert = ascii.encode(kIsrgRootX1);
+      SecurityContext.defaultContext.setTrustedCertificatesBytes(cert);
+      final List<int> certAlt = ascii.encode(kIsrgRootX1Alt);
+      SecurityContext.defaultContext.setTrustedCertificatesBytes(certAlt);
+      final List<int> certAlt2 = ascii.encode(kLetsEncryptCert);
+      SecurityContext.defaultContext.setTrustedCertificatesBytes(certAlt2);
+    }
+    return true;
+  }
+
+  WindowsHttpOverrides({this.allowExpiredDSTX3 = false}) {
+    _initRootCert ??= _addRootCert();
+  }
 
-  if (Platform.isWindows) {
-    final context = SecurityContext(withTrustedRoots: true);
-    try {
-      logger.info('Adding certificate to trusted certificates');
-      context.setTrustedCertificatesBytes(
-        const AsciiEncoder().convert(isrgRootX1CertPEM),
-      );
-      logger.info("Certificate added to trusted certificates");
-      return HttpClient(context: context);
-    } on TlsException catch (e) {
-      logger.warning(
-        "Error adding certificate to trusted certificates: ${e.osError?.message}",
-      );
-      // certificate is already trusted. Nothing to do here
-      if (e.osError?.message.contains("CERT_ALREADY_IN_HASH_TABLE") != true) {
-        rethrow;
-      } else {
-        return HttpClient();
-      }
+  @override
+  HttpClient createHttpClient(SecurityContext? context) {
+    final HttpClient client = super.createHttpClient(context);
+    if (allowExpiredDSTX3) {
+      client.badCertificateCallback =
+          (X509Certificate cert, String host, int port) =>
+              _hexConverter(cert.sha1) == kSha1DstX3;
     }
+    return client;
   }
-  throw UnsupportedError("This platform is not supported");
 }

auth/lib/main.dart

@@ -7,6 +7,7 @@ import 'package:ente_auth/core/configuration.dart';
 import 'package:ente_auth/core/constants.dart';
 import 'package:ente_auth/core/logging/super_logging.dart';
 import 'package:ente_auth/core/network.dart';
+import 'package:ente_auth/core/win_http_client.dart';
 import 'package:ente_auth/ente_theme_data.dart';
 import 'package:ente_auth/locale.dart';
 import 'package:ente_auth/services/authenticator_service.dart';
@@ -67,7 +68,7 @@ Future<void> initSystemTray() async {
 void main() async {
   WidgetsFlutterBinding.ensureInitialized();
   if (Platform.isWindows) {
-    await whiteListLetsEncryptRootCA();
+    HttpOverrides.global = WindowsHttpOverrides();
   }
 
   if (PlatformUtil.isDesktop()) {
@@ -90,18 +91,18 @@ void main() async {
   }
 }
 
-Future<void> whiteListLetsEncryptRootCA() async {
-  try {
-    // https://stackoverflow.com/a/71090239
-    // https://github.com/ente-io/ente/issues/2178
-    ByteData data =
-        await PlatformAssetBundle().load('assets/ca/lets-encrypt-r3.pem');
-    SecurityContext.defaultContext
-        .setTrustedCertificatesBytes(data.buffer.asUint8List());
-  } catch (e) {
-    _logger.severe("Failed to whitelist Let's Encrypt Root CA", e);
-  }
-}
+// Future<void> whiteListLetsEncryptRootCA() async {
+//   try {
+//     // https://stackoverflow.com/a/71090239
+//     // https://github.com/ente-io/ente/issues/2178
+//     ByteData data =
+//         await PlatformAssetBundle().load('assets/ca/lets-encrypt-r3.pem');
+//     SecurityContext.defaultContext
+//         .setTrustedCertificatesBytes(data.buffer.asUint8List());
+//   } catch (e) {
+//     _logger.severe("Failed to whitelist Let's Encrypt Root CA", e);
+//   }
+// }
 
 Future<void> _runInForeground() async {
   final savedThemeMode = _themeMode(await AdaptiveTheme.getThemeMode());

auth/pubspec.yaml

@@ -132,7 +132,6 @@ flutter:
     - assets/custom-icons/icons/
     - assets/custom-icons/_data/
     - assets/svg/
-    - assets/ca/
 
   fonts:
     - family: Inter