Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)

Status: NEW, Unassigned
Type: defect, Priority: P5, Severity: normal
Opened 6 years ago, updated 21 days ago
Reporter: tomas.garciameras
Firefox Tracking Flags: (Not tracked)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20130502 Firefox/23.0
Build ID: 20130502030939

Steps to reproduce:

There's no way to import user certificates. On desktop Firefox browsers it is done with "Tools" -> "Options" -> "Certificates" -> "View Certificates" -> "Your Certificates" -> "Import", but on Firefox for Android there is no such option.


Actual results:

It is not possible to access SSL sites with Client Authentication.


Expected results:

I should be able to import my certificate with its private key and then access SSL sites with Client Authentication.
Isn't this handled through the system? Settings → Security → Credential Store | Install from storage (install certificates from storage)
Android has a user certificate and key store, but it isn't used by Firefox. You cannot use those certificates and keys for Client SSL with Firefox.

Being that Firefox never uses the operating system's stores (MS-CAPI on Windows, Apple Key Chain on Mac OS X, etc.), maybe it's better to keep using just NSS and not Android's KeyStore...
Note that Tomás filed this because they want to use Firefox and FirefoxOS (bug 868373) as the base platform for the electronic administration in Spain.

Mark, who could help here? Tomás said that they could help with engineering resources.
Flags: needinfo?(mark.finkle)
It could take a while to decide on a UI for importing certificates. In the meantime, perhaps an add-on would be an acceptable way to import the certs?
Flags: needinfo?(mark.finkle)
An add-on should be a nice temporary solution. 

There is already an add-on for this (https://addons.mozilla.org/en-us/mobile/addon/cert-manager/), but it won't work with versions newer than Firefox 13. It should be a good starting point.
Component: General → Web Apps
OS: Windows 7 → All
QA Contact: aaron.train
Hardware: x86 → All
Why is this moved to Web Apps?
This isn't related to web apps specifically. Moving back to general.
Component: Web Apps → General
QA Contact: aaron.train
Possible dupe or no?
See Also: → 964202
Summary: Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files → Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 868373
Is there any news here?
It is really painful to have to use Chrome on Android to access my company website (it requires private certificates and custom CAs).
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: -- → P5
Is there a WebExtensions API that can be used to manage (add/remove) the client and server certificates somehow?
I cannot understand the priority of 5 for this feature request. Client authentication is still used for many corporate websites and most browsers supply a dialog for managing the authentication tokens.

This is especially problematic after the existing plugins for managing client certificates ceased to function after the switch to WebExtensions. I have not found any hint within the WebExtensions API documentation for methods to manage client authentication certificates/keys.

Is it possible to reevaluate the classification of this bug or hint at the correct API for implementing an appropriate extension?
Flags: needinfo?(sdaswani)
I have to defer to Product on a decision here.
Flags: needinfo?(sdaswani) → needinfo?(abovens)
I doubt this is a common use case, and believe there are better ways for this than manually managing authentication tokens, but I need the Security team's input. Unsure who to NI for that. Liz, can you help out?
Flags: needinfo?(abovens) → needinfo?(lhenry)
In a corporate environment, certificate-based authentication has the advantage that you can use the existing PKI infrastructure to issue and revoke the tokens for the users. And you can use the issued certificates to grant the user access to different services via TLS (even the ones that are not based on HTTP like LDAP, IMAP or even VPN services). So basic support in Firefox for Android would be really appreciated.

I'm absolutely aware of the privacy implications of TLS client authentication. And you're completely right that it's not a very good option to let the user handle the certificates and keys manually. But asking for a smartcard API on Android or for Firefox to use the Android certificate/key store so the corporate MDM (mobile device management) can enroll the user with a certificate (and key) did not seem promising to me :)
Wennie, can you or your team take a look here? Thanks!
Flags: needinfo?(lhenry) → needinfo?(wleung)

Hi J.C., please comment.

Flags: needinfo?(wleung) → needinfo?(jjones)
Duplicate of this bug: 626930

There are two options that we've thought of here:

  1. Mozilla develops a UX for managing certificates (User and CA, since there's a bug for that too) on Android. This would let us do some cleanup on the current "suggested" way of importing roots into Android via drive-by downloads.

  2. Write a PKCS11 module for NSS that exposes platform user certificates to Firefox. For this bug, we'd need Android support. But Windows and OSX support come up very regularly. Particularly for enterprise uses, this is a recurring request.

Neither is easy, at first glance, but we don't have estimates for either.

Flags: needinfo?(jjones)

Moving this bug to the GeckoView product so we can track it for Fenix. Here is the Fenix feature request: https://github.com/mozilla-mobile/fenix/issues/2286

Product: Firefox for Android → GeckoView