Flutter Embedded Certificate Authorities



IMPORTANT: This note is wrong about flutter always using embedded CA certificates for validation. There is a new corrected note about how it works: How flutter uses certificate authorities

Flutter apps, in contrast to the general approach, embed CA (Certificate Authority) certificates right into the app and do not rely on the operating system to verify the validity of an SSL certificate. When I first encountered some issues with it, I thought that this was a “feature” of the Flutter framework, but upon investigation I found that this is part of the Dart language implementation.

If you want to see it yourself, you can just compile a hello world Dart program with dart compile exe hello.dart and then open hello.exe with an editor of your choice. If you search for “MIID” or “BEGIN CERTIFICATE” you will find a list of embedded certificates.
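The same search done programmatically, as an added example that is not part of the original note: it pulls every PEM certificate block out of a binary blob and checks the DER framing. It also shows why “MIID” works as a search string: it is the base64 of the bytes 30 82 03, a DER SEQUENCE whose length is 0x03xx, so blocks of other sizes start with a different fourth letter. The function names and the sample blob are constructed for illustration; the blob holds fake DER structures, not real certificates.

```python
import base64
import re

# PEM armor as it appears in certdata.pem and inside the compiled binary.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def der_sequence_ok(der: bytes) -> bool:
    """True if `der` is one SEQUENCE whose 2-byte length covers all of it."""
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        return False
    return int.from_bytes(der[2:4], "big") == len(der) - 4


def find_embedded_certs(blob: bytes) -> list[bytes]:
    """Return the DER bytes of every well-framed PEM certificate block in `blob`."""
    found = []
    for match in PEM_RE.finditer(blob):
        b64 = b"".join(match.group(1).split())  # drop line breaks inside the armor
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # armor present but body is not valid base64
        if der_sequence_ok(der):
            found.append(der)
    return found


def pem_prefix(der: bytes) -> str:
    """First four base64 characters, i.e. what a text search would hit."""
    return base64.b64encode(der[:3]).decode()


def make_sample_blob() -> bytes:
    """Constructed input: two fake DER SEQUENCEs (not real certificates) in binary noise."""
    blocks = []
    for size in (0x0300, 0x0580):
        der = b"\x30\x82" + size.to_bytes(2, "big") + bytes(size)
        body = base64.encodebytes(der)  # 76-column lines, like a PEM file
        blocks.append(b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n")
    return b"\x7fELF\x00\x01" + blocks[0] + b"\x00\xff\x00" + blocks[1] + b"\x00"


if __name__ == "__main__":
    for der in find_embedded_certs(make_sample_blob()):
        print(len(der), pem_prefix(der))
```

On a real binary, pass the file's bytes to find_embedded_certs; counting on the “BEGIN CERTIFICATE” marker is more reliable than counting “MIID” hits, since the latter only matches blocks whose DER length is between 768 and 1023 bytes.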

Currently dart trusts 138 CAs.

Considering that Flutter apps are not proxy aware by default, I can assume that the reasoning is to make MITM attacks on apps harder. It might help against lazy script kiddies, so I think it is a win.

When I first investigated it, I got all the keys and got their metadata with the openssl tool from the command line by writing a script. But there is a simpler and more straightforward approach to this. If you have the Dart source code you can just go to ./sdk/third_party/root_certificates/certdata.pem. And if you want to check it online, you can look here:

https://github.com/dart-lang/root_certificates/blob/master/certdata.pem.

The list of trusted CA certificates is based on Mozilla’s NSS library located at: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

The readme notes that this list is used only “for operating systems that don’t have a supported certificate store”. So either they have not updated their documentation or I am misreading it, but I couldn’t find what they mean by “supported certificate store”. Android and iOS both have security stores, but it looks like Dart does not support them (maybe they support only Fuchsia?).

List of CAs embedded within flutter app

The two lists below are just metadata about each certificate within the app. They are split into separate lists just to group related information and for ease of skimming.

Issuer list

Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R2
Issuer: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
Issuer: CN=GeoTrust Global CA O=GeoTrust Inc.
Issuer: CN=GeoTrust Universal CA O=GeoTrust Inc.
Issuer: CN=GeoTrust Universal CA 2 O=GeoTrust Inc.
Issuer: CN=AAA Certificate Services O=Comodo CA Limited
Issuer: CN=QuoVadis Root Certification Authority O=QuoVadis Limited OU=Root Certification Authority
Issuer: CN=QuoVadis Root CA 2 O=QuoVadis Limited
Issuer: CN=QuoVadis Root CA 3 O=QuoVadis Limited
Issuer: O=SECOM Trust.net OU=Security Communication RootCA1
Issuer: CN=Sonera Class2 CA O=Sonera
Issuer: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
Issuer: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
Issuer: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
Issuer: O=Government Root Certification Authority
Issuer: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DST Root CA X3 O=Digital Signature Trust Co.
Issuer: CN=SwissSign Gold CA - G2 O=SwissSign AG
Issuer: CN=SwissSign Silver CA - G2 O=SwissSign AG
Issuer: CN=GeoTrust Primary Certification Authority O=GeoTrust Inc.
Issuer: CN=thawte Primary Root CA O=thawte, Inc. OU=Certification Services Division/(c) 2006 thawte, Inc. - For authorized use only
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2006 VeriSign, Inc. - For authorized use only
Issuer: CN=SecureTrust CA O=SecureTrust Corporation
Issuer: CN=Secure Global CA O=SecureTrust Corporation
Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
Issuer: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C.
Issuer: CN=COMODO ECC Certification Authority O=COMODO CA Limited
Issuer: CN=OISTE WISeKey Global Root GA CA O=WISeKey OU=Copyright (c) 2005/OISTE Foundation Endorsed
Issuer: CN=Certigna O=Dhimyotis
Issuer: CN=Cybertrust Global Root O=Cybertrust, Inc
Issuer: O=Chunghwa Telecom Co., Ltd. OU=ePKI Root Certification Authority
Issuer: O=certSIGN OU=certSIGN ROOT CA
Issuer: CN=GeoTrust Primary Certification Authority - G3 O=GeoTrust Inc. OU=(c) 2008 GeoTrust Inc. - For authorized use only
Issuer: CN=thawte Primary Root CA - G2 O=thawte, Inc. OU=(c) 2007 thawte, Inc. - For authorized use only
Issuer: CN=thawte Primary Root CA - G3 O=thawte, Inc. OU=Certification Services Division/(c) 2008 thawte, Inc. - For authorized use only
Issuer: CN=GeoTrust Primary Certification Authority - G2 O=GeoTrust Inc. OU=(c) 2007 GeoTrust Inc. - For authorized use only
Issuer: CN=VeriSign Universal Root Certification Authority O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2008 VeriSign, Inc. - For authorized use only
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2007 VeriSign, Inc. - For authorized use only
Issuer: CN=NetLock Arany (Class Gold) Főtanúsítvány O=NetLock Kft. OU=Tanúsítványkiadók (Certification Services)
Issuer: CN=Hongkong Post Root CA 1 O=Hongkong Post
Issuer: CN=SecureSign RootCA11 O=Japan Certification Services, Inc.
Issuer: CN=Microsec e-Szigno Root CA 2009 O=Microsec Ltd.
Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R3
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Issuer: CN=Izenpe.com O=IZENPE S.A.
Issuer: CN=Chambers of Commerce Root - 2008 O=AC Camerfirma S.A.
Issuer: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A.
Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
Issuer: CN=Starfield Services Root Certificate Authority - G2 O=Starfield Technologies, Inc.
Issuer: CN=AffirmTrust Commercial O=AffirmTrust
Issuer: CN=AffirmTrust Networking O=AffirmTrust
Issuer: CN=AffirmTrust Premium O=AffirmTrust
Issuer: CN=AffirmTrust Premium ECC O=AffirmTrust
Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
Issuer: CN=TWCA Root Certification Authority O=TAIWAN-CA OU=Root CA
Issuer: O=SECOM Trust Systems CO.,LTD. OU=Security Communication RootCA2
Issuer: CN=EC-ACC O=Agencia Catalana de Certificacio (NIF Q-0801176-I) OU=Serveis Publics de Certificacio/Vegeu https://www.catcert.net/verarrel (c)03/Jerarquia Entitats de Certificacio Catalanes
Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011 O=Hellenic Academic and Research Institutions Cert. Authority
Issuer: CN=Actalis Authentication Root CA O=Actalis S.p.A./03358520967
Issuer: O=Trustis Limited OU=Trustis FPS Root CA
Issuer: CN=Buypass Class 2 Root CA O=Buypass AS-983163327
Issuer: CN=Buypass Class 3 Root CA O=Buypass AS-983163327
Issuer: CN=T-TeleSec GlobalRoot Class 3 O=T-Systems Enterprise Services GmbH OU=T-Systems Trust Center
Issuer: CN=EE Certification Centre Root CA O=AS Sertifitseerimiskeskus
Issuer: CN=D-TRUST Root Class 3 CA 2 2009 O=D-Trust GmbH
Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009 O=D-Trust GmbH
Issuer: CN=CA Disig Root R2 O=Disig a.s.
Issuer: CN=ACCVRAIZ1 O=ACCV OU=PKIACCV
Issuer: CN=TWCA Global Root CA O=TAIWAN-CA OU=Root CA
Issuer: CN=TeliaSonera Root CA v1 O=TeliaSonera
Issuer: CN=E-Tugra Certification Authority O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. OU=E-Tugra Sertifikasyon Merkezi
Issuer: CN=T-TeleSec GlobalRoot Class 2 O=T-Systems Enterprise Services GmbH OU=T-Systems Trust Center
Issuer: CN=Atos TrustedRoot 2011 O=Atos
Issuer: CN=QuoVadis Root CA 1 G3 O=QuoVadis Limited
Issuer: CN=QuoVadis Root CA 2 G3 O=QuoVadis Limited
Issuer: CN=QuoVadis Root CA 3 G3 O=QuoVadis Limited
Issuer: CN=DigiCert Assured ID Root G2 O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DigiCert Assured ID Root G3 O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
Issuer: CN=DigiCert Trusted Root G4 O=DigiCert Inc OU=www.digicert.com
Issuer: CN=COMODO RSA Certification Authority O=COMODO CA Limited
Issuer: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
Issuer: CN=USERTrust ECC Certification Authority O=The USERTRUST Network
Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign ECC Root CA - R4
Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign ECC Root CA - R5
Issuer: CN=Staat der Nederlanden Root CA - G3 O=Staat der Nederlanden
Issuer: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden
Issuer: CN=IdenTrust Commercial Root CA 1 O=IdenTrust
Issuer: CN=IdenTrust Public Sector Root CA 1 O=IdenTrust
Issuer: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
Issuer: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
Issuer: CN=CFCA EV ROOT O=China Financial Certification Authority
Issuer: CN=OISTE WISeKey Global Root GB CA O=WISeKey OU=OISTE Foundation Endorsed
Issuer: CN=SZAFIR ROOT CA2 O=Krajowa Izba Rozliczeniowa S.A.
Issuer: CN=Certum Trusted Network CA 2 O=Unizeto Technologies S.A. OU=Certum Certification Authority
Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015 O=Hellenic Academic and Research Institutions Cert. Authority
Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015 O=Hellenic Academic and Research Institutions Cert. Authority
Issuer: CN=ISRG Root X1 O=Internet Security Research Group
Issuer: O=FNMT-RCM OU=AC RAIZ FNMT-RCM
Issuer: CN=Amazon Root CA 1 O=Amazon
Issuer: CN=Amazon Root CA 2 O=Amazon
Issuer: CN=Amazon Root CA 3 O=Amazon
Issuer: CN=Amazon Root CA 4 O=Amazon
Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK OU=Kamu Sertifikasyon Merkezi - Kamu SM
Issuer: CN=GDCA TrustAUTH R5 ROOT O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.
Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority
Issuer: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority
Issuer: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority
Issuer: CN=SSL.com Root Certification Authority RSA O=SSL Corporation
Issuer: CN=SSL.com Root Certification Authority ECC O=SSL Corporation
Issuer: CN=SSL.com EV Root Certification Authority RSA R2 O=SSL Corporation
Issuer: CN=SSL.com EV Root Certification Authority ECC O=SSL Corporation
Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R6
Issuer: CN=OISTE WISeKey Global Root GC CA O=WISeKey OU=OISTE Foundation Endorsed
Issuer: CN=GTS Root R1 O=Google Trust Services LLC
Issuer: CN=GTS Root R2 O=Google Trust Services LLC
Issuer: CN=GTS Root R3 O=Google Trust Services LLC
Issuer: CN=GTS Root R4 O=Google Trust Services LLC
Issuer: CN=UCA Global G2 Root O=UniTrust
Issuer: CN=UCA Extended Validation Root O=UniTrust
Issuer: CN=Certigna Root CA O=Dhimyotis OU=0002 48146308100036
Issuer: CN=emSign Root CA - G1 O=eMudhra Technologies Limited OU=emSign PKI
Issuer: CN=emSign ECC Root CA - G3 O=eMudhra Technologies Limited OU=emSign PKI
Issuer: CN=emSign Root CA - C1 O=eMudhra Inc OU=emSign PKI
Issuer: CN=emSign ECC Root CA - C3 O=eMudhra Inc OU=emSign PKI
Issuer: CN=Hongkong Post Root CA 3 O=Hongkong Post
Issuer: CN=Entrust Root Certification Authority - G4 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2015 Entrust, Inc. - for authorized use only
Issuer: CN=Microsoft ECC Root Certificate Authority 2017 O=Microsoft Corporation
Issuer: CN=Microsoft RSA Root Certificate Authority 2017 O=Microsoft Corporation
Issuer: CN=e-Szigno Root CA 2017 O=Microsec Ltd.
Issuer: O=CERTSIGN SA OU=certSIGN ROOT CA G2

Label list

Label: "GlobalSign Root CA"
Label: "GlobalSign Root CA - R2"
Label: "Entrust.net Premium 2048 Secure Server CA"
Label: "Baltimore CyberTrust Root"
Label: "Entrust Root Certification Authority"
Label: "GeoTrust Global CA"
Label: "GeoTrust Universal CA"
Label: "GeoTrust Universal CA 2"
Label: "Comodo AAA Services root"
Label: "QuoVadis Root CA"
Label: "QuoVadis Root CA 2"
Label: "QuoVadis Root CA 3"
Label: "Security Communication Root CA"
Label: "Sonera Class 2 Root CA"
Label: "XRamp Global CA Root"
Label: "Go Daddy Class 2 CA"
Label: "Starfield Class 2 CA"
Label: "Taiwan GRCA"
Label: "DigiCert Assured ID Root CA"
Label: "DigiCert Global Root CA"
Label: "DigiCert High Assurance EV Root CA"
Label: "DST Root CA X3"
Label: "SwissSign Gold CA - G2"
Label: "SwissSign Silver CA - G2"
Label: "GeoTrust Primary Certification Authority"
Label: "thawte Primary Root CA"
Label: "VeriSign Class 3 Public Primary Certification Authority - G5"
Label: "SecureTrust CA"
Label: "Secure Global CA"
Label: "COMODO Certification Authority"
Label: "Network Solutions Certificate Authority"
Label: "COMODO ECC Certification Authority"
Label: "OISTE WISeKey Global Root GA CA"
Label: "Certigna"
Label: "Cybertrust Global Root"
Label: "ePKI Root Certification Authority"
Label: "certSIGN ROOT CA"
Label: "GeoTrust Primary Certification Authority - G3"
Label: "thawte Primary Root CA - G2"
Label: "thawte Primary Root CA - G3"
Label: "GeoTrust Primary Certification Authority - G2"
Label: "VeriSign Universal Root Certification Authority"
Label: "VeriSign Class 3 Public Primary Certification Authority - G4"
Label: "NetLock Arany (Class Gold) Főtanúsítvány"
Label: "Hongkong Post Root CA 1"
Label: "SecureSign RootCA11"
Label: "Microsec e-Szigno Root CA 2009"
Label: "GlobalSign Root CA - R3"
Label: "Autoridad de Certificacion Firmaprofesional CIF A62634068"
Label: "Izenpe.com"
Label: "Chambers of Commerce Root - 2008"
Label: "Global Chambersign Root - 2008"
Label: "Go Daddy Root Certificate Authority - G2"
Label: "Starfield Root Certificate Authority - G2"
Label: "Starfield Services Root Certificate Authority - G2"
Label: "AffirmTrust Commercial"
Label: "AffirmTrust Networking"
Label: "AffirmTrust Premium"
Label: "AffirmTrust Premium ECC"
Label: "Certum Trusted Network CA"
Label: "TWCA Root Certification Authority"
Label: "Security Communication RootCA2"
Label: "EC-ACC"
Label: "Hellenic Academic and Research Institutions RootCA 2011"
Label: "Actalis Authentication Root CA"
Label: "Trustis FPS Root CA"
Label: "Buypass Class 2 Root CA"
Label: "Buypass Class 3 Root CA"
Label: "T-TeleSec GlobalRoot Class 3"
Label: "EE Certification Centre Root CA"
Label: "D-TRUST Root Class 3 CA 2 2009"
Label: "D-TRUST Root Class 3 CA 2 EV 2009"
Label: "CA Disig Root R2"
Label: "ACCVRAIZ1"
Label: "TWCA Global Root CA"
Label: "TeliaSonera Root CA v1"
Label: "E-Tugra Certification Authority"
Label: "T-TeleSec GlobalRoot Class 2"
Label: "Atos TrustedRoot 2011"
Label: "QuoVadis Root CA 1 G3"
Label: "QuoVadis Root CA 2 G3"
Label: "QuoVadis Root CA 3 G3"
Label: "DigiCert Assured ID Root G2"
Label: "DigiCert Assured ID Root G3"
Label: "DigiCert Global Root G2"
Label: "DigiCert Global Root G3"
Label: "DigiCert Trusted Root G4"
Label: "COMODO RSA Certification Authority"
Label: "USERTrust RSA Certification Authority"
Label: "USERTrust ECC Certification Authority"
Label: "GlobalSign ECC Root CA - R4"
Label: "GlobalSign ECC Root CA - R5"
Label: "Staat der Nederlanden Root CA - G3"
Label: "Staat der Nederlanden EV Root CA"
Label: "IdenTrust Commercial Root CA 1"
Label: "IdenTrust Public Sector Root CA 1"
Label: "Entrust Root Certification Authority - G2"
Label: "Entrust Root Certification Authority - EC1"
Label: "CFCA EV ROOT"
Label: "OISTE WISeKey Global Root GB CA"
Label: "SZAFIR ROOT CA2"
Label: "Certum Trusted Network CA 2"
Label: "Hellenic Academic and Research Institutions RootCA 2015"
Label: "Hellenic Academic and Research Institutions ECC RootCA 2015"
Label: "ISRG Root X1"
Label: "AC RAIZ FNMT-RCM"
Label: "Amazon Root CA 1"
Label: "Amazon Root CA 2"
Label: "Amazon Root CA 3"
Label: "Amazon Root CA 4"
Label: "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
Label: "GDCA TrustAUTH R5 ROOT"
Label: "TrustCor RootCert CA-1"
Label: "TrustCor RootCert CA-2"
Label: "TrustCor ECA-1"
Label: "SSL.com Root Certification Authority RSA"
Label: "SSL.com Root Certification Authority ECC"
Label: "SSL.com EV Root Certification Authority RSA R2"
Label: "SSL.com EV Root Certification Authority ECC"
Label: "GlobalSign Root CA - R6"
Label: "OISTE WISeKey Global Root GC CA"
Label: "GTS Root R1"
Label: "GTS Root R2"
Label: "GTS Root R3"
Label: "GTS Root R4"
Label: "UCA Global G2 Root"
Label: "UCA Extended Validation Root"
Label: "Certigna Root CA"
Label: "emSign Root CA - G1"
Label: "emSign ECC Root CA - G3"
Label: "emSign Root CA - C1"
Label: "emSign ECC Root CA - C3"
Label: "Hongkong Post Root CA 3"
Label: "Entrust Root Certification Authority - G4"
Label: "Microsoft ECC Root Certificate Authority 2017"
Label: "Microsoft RSA Root Certificate Authority 2017"
Label: "e-Szigno Root CA 2017"
Label: "certSIGN Root CA G2"