
[Feature Request] Ability to use TLS client certificates from the system keystore #1061

Closed
valpackett opened this issue Aug 18, 2021 · 5 comments

@valpackett

I already have a client certificate installed in Android's system keystore (which can be hardware-backed). It is used by e.g. Chromium-based browsers and the openHAB client. OwnTracks should be able to use it too, rather than requiring an app-specific import.

@growse
Collaborator

growse commented Aug 19, 2021

This seems reasonable. I think there are a couple of UX questions that would need to be thought about, such as "How does the user specify a client cert that's in the system store, and which one it is".

Depending on device support, I wonder if it's worth migrating the job of client cert certificate to the OS itself, so the "choose a client cert" option just becomes a name picker for the system store. Bit of research needed.

@growse growse self-assigned this Aug 19, 2021
@growse growse added this to the v2.5 milestone Aug 30, 2021
@ahmouse15
Contributor

@growse I think you implemented this, so you can probably close this now. I'm using a self-signed TLS certificate from my system certificate storage and it's working perfectly fine.

@growse
Collaborator

growse commented Oct 25, 2021

Interesting - I did some research on this which has started leading me to the conclusion that Android has effectively severely restricted the system keystore and the way in which the user can configure it. As I understand it, users can (in recent Android versions) only add cert/key pairs for the purposes of WiFi or VPN authentication, and there's no API provided on the platform to allow other apps to be able to add, or retrieve these for their own use.

@ahmouse15 I think you're referring to being able to use a root certificate that you've imported as a trust anchor for the server that you're connecting to, whereas I think @unrelentingtech is after being able to use the cert store for client cert authentication.

More research still needed, but I think it's looking like we're not going to be able to use the system store for client certs - the APIs aren't there to do it, and that looks to be a very deliberate decision from the Android maintainers.

@valpackett
Author

See openhab/openhab-android#232 for how openHAB implemented it.

Seems like it's KeyChain.choosePrivateKeyAlias for picking the cert, and it's passed to an SSLContext via an X509KeyManager that uses KeyChain.getPrivateKey / KeyChain.getCertificateChain.
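The pattern the comment above describes, written out as an added example (not openHAB's or OwnTracks' own code): KeyChain.choosePrivateKeyAlias lets the user pick a system-store alias, and an X509KeyManager backed by KeyChain.getPrivateKey / KeyChain.getCertificateChain hands that identity to an SSLContext. The class and method names here are my own; the KeyChain and JSSE calls are the real Android and Java APIs.

```java
import android.app.Activity;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/** Client-only X509KeyManager that serves exactly one alias from the Android system KeyChain. */
public final class KeyChainKeyManager implements X509KeyManager {
    private final String alias;
    private final PrivateKey key;          // opaque handle: a hardware-backed key never leaves the keystore
    private final X509Certificate[] chain;

    // Must run off the main thread: getPrivateKey/getCertificateChain block on a binder call.
    public KeyChainKeyManager(Context context, String alias)
            throws KeyChainException, InterruptedException {
        this.alias = alias;
        this.key = KeyChain.getPrivateKey(context.getApplicationContext(), alias);
        this.chain = KeyChain.getCertificateChain(context.getApplicationContext(), alias);
        if (key == null || chain == null) {
            // The user revoked the grant or the alias was deleted; fail closed instead of connecting anonymously.
            throw new KeyChainException("alias not accessible: " + alias);
        }
    }

    // Shows the system alias picker; the chosen alias arrives in cb and should be handed to the constructor on a worker thread.
    public static void pickAlias(Activity activity, String host, int port, KeyChainAliasCallback cb) {
        KeyChain.choosePrivateKeyAlias(activity, cb, new String[]{"RSA", "EC"}, null, host, port, null);
    }

    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { return alias; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[]{alias}; }
    @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain : null; }
    @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
    // Never offer a server identity from this manager.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }

    // Client authentication comes from the KeyChain identity; trust managers are left at the platform default.
    public static SSLContext sslContext(X509KeyManager km) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[]{km}, null, null);
        return ctx;
    }
}
```

The grant KeyChain issues is per app and per alias, so a user who revokes it later makes the constructor throw rather than silently downgrading the connection.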

@growse
Collaborator

growse commented Oct 25, 2021

Thanks for pointing me in the right direction. I'll take a look to see how they're doing it.

@growse growse closed this as completed in 2be7fad Dec 21, 2023