Fix #16: SSL pinning in all 4 Flutter apps

- Created ssl_pinning.dart with SHA-256 DER hash pinning for intaleq.xyz and siromove.com - Replaced http.post/http.get with pinned client in all CRUD classes - Added crypto dependency to siro_admin and siro_driver pubspec
2026-06-17 07:40:43 +03:00
parent 0e28814e7d
commit f528e1d3c5
10 changed files with 220 additions and 47 deletions
--- a/siro_service/lib/controller/functions/crud.dart
+++ b/siro_service/lib/controller/functions/crud.dart
@@ -15,9 +15,11 @@ import 'package:siro_service/main.dart';
 import 'package:siro_service/print.dart';

 import '../../constant/api_key.dart';
+import 'ssl_pinning.dart';

 class CRUD {
  static String? _appSignature;
+  final _client = SslPinning.createPinnedClient();

  static String _lastErrorSignature = '';
  static DateTime _lastErrorTimestamp = DateTime(2000);
@@ -337,7 +339,7 @@ class CRUD {
    required String channelName,
    required String uid,
  }) async {
-    var res = await http.get(
+    var res = await _client.get(
        Uri.parse(
            'https://orca-app-b2i85.ondigitalocean.app/token?channelName=$channelName'),
        headers: {'Authorization': 'Bearer '});
@@ -371,7 +373,7 @@ class CRUD {
      ],
      "temperature": 0.9
    });
-    var response = await http.post(url, body: data, headers: headers);
+    var response = await _client.post(url, body: data, headers: headers);

    if (response.statusCode == 200) {
      return response.body;
--- a/siro_service/lib/controller/functions/ssl_pinning.dart
+++ b/siro_service/lib/controller/functions/ssl_pinning.dart
@@ -0,0 +1,41 @@
+import 'dart:convert';
+import 'dart:io';
+import 'package:crypto/crypto.dart';
+import 'package:http/http.dart' as http;
+
+class SslPinning {
+  SslPinning._();
+
+  static final Map<String, List<String>> _pins = {
+    'intaleq.xyz': [
+      '/tNRUeeLxUhQU5gbgdpVWC6QBGAqc/ujg8Kcf0wQiAM=',
+      'Hlx/0EWNDH5Xkt2KzvqxUzbw0vvEsyZSlibialSyGqI=',
+    ],
+    'siromove.com': [
+      'C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHESsl=',
+      'diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI=',
+    ],
+  };
+
+  static final List<String> _globalPins = [
+    'Ex/Od4QBaJmloAIDqe/IDxjrvXVYBxftwVU1gJMINuw=',
+    'lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY=',
+    'aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA=',
+  ];
+
+  static http.Client createPinnedClient() {
+    final httpClient = HttpClient()
+      ..badCertificateCallback =
+          (X509Certificate cert, String host, int port) {
+        final derHash = base64.encode(sha256.convert(cert.der).bytes);
+        for (final entry in _pins.entries) {
+          if (host.endsWith(entry.key)) {
+            if (entry.value.contains(derHash)) return true;
+          }
+        }
+        if (_globalPins.contains(derHash)) return true;
+        return false;
+      };
+    return http.IOClient(httpClient);
+  }
+}