Open Bug 868370 Opened 12 years ago Updated 3 months ago

Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)

Categories

(GeckoView :: General, defect, P5)

Product:
GeckoView
Component:
General
Type:
defect

Tracking

(firefox81 affected, firefox82 affected, firefox83 affected, firefox93 affected, firefox94 affected, firefox95 affected)

Status:
REOPENED
Tracking Flags:
Tracking Status
firefox81 --- affected
firefox82 --- affected
firefox83 --- affected
firefox93 --- affected
firefox94 --- affected
firefox95 --- affected

People

(Reporter: tomas.garciameras, Unassigned)

References

Details

(Keywords: spain)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20130502 Firefox/23.0 Build ID: 20130502030939 Steps to reproduce: There's no way to import user certificates. On desktop Firefox browsers it is done with "Tools" -> "Options" -> "Certificates" -> "View Certificates" -> "Your Certificates" -> "Import", but on Firefox for Android there is not such option. Actual results: It is not possible to access SSL sites with Client Authentication. Expected results: I should be able to import my certificate with its private key and then access SSL sites with Client Authentication.
Isn't this handled through the system? Settings → Security → Credential Store | Install from storage (install certificates from storage)
Android have an user certificates and keys store, but it isn't used by Firefox. You cannot use those certificates and keys for Client SSL with Firefox. Being that Firefox never uses the operating systems stores (MS-CAPI on Windows, Apple Key Chain on Mac OS X, etc.), maybe it's better to keep using just NSS and not Android's KeyStore...
Note, that Tomás filled this because they want to use Firefox and FirefoxOS (bug 868373) to use our browser to be the base plaform for the electronic administration in Spain. Mark, who could help here? Tomás said that they could help with engineering resources.
Flags: needinfo?(mark.finkle)
It could take a while to decide on a UI for importing certificates. In the meantime, perhaps an add-on would be an acceptable way to import the certs?
Flags: needinfo?(mark.finkle)
An add-on should be a nice temporary solution. There is already an add-on for this (https://addons.mozilla.org/en-us/mobile/addon/cert-manager/), but it wont work with newer than Firefox 13. It should be a good start point.
Component: General → Web Apps
OS: Windows 7 → All
QA Contact: aaron.train
Hardware: x86 → All
Why is this moved to Web Apps?
This isn't related to web apps specifically. Moving back to general.
Component: Web Apps → General
QA Contact: aaron.train
Possible dupe or no?
See Also: → 964202
Summary: Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files → Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 868373
Are there any news here? It is really painful to have to use Chrome on Android to access my company website (it requries private certificates and custom CAs).
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195 Needinfo :susheel if you think this bug should be re-triaged.
Priority: -- → P5
Is there an WebExtensions API that can be used to mange (add/remove) the client and server certificates somehow?
I can not understand the priorty of 5 for this feature request. Client authentication is still used for many corporate websites and most browsers supply a dialog for managing the authentication tokens. This is especially problematic after the existing plugins for managing client certificates ceased to function after the switch to WebExtensions. I have not found any hint within the WebExtensions API documentation for methods to manage client authentication certificates/keys. Is it possible to reevaluate the classification of this bug or hint at the correct API for implementing an appropriate extension?
Flags: needinfo?(sdaswani)
I have to defer to Product on a decision here.
Flags: needinfo?(sdaswani) → needinfo?(abovens)
I doubt this is a common use case, and believe there are better ways for this than manually managing authentication tokens, but I need the Security team's input. Unsure who to NI for that. Liz, can you help out?
Flags: needinfo?(abovens) → needinfo?(lhenry)
In a corporate environment, certificate based authentication has the advantage that you can use the existing PKI infrastructure to issue and revoke the tokens for the users. And you can use the issued certificates to grant the user access to different services via TLS (even the ones that are not based on HTTP like LDAP, IMAP or even VPN services). So basic support in firefox for android would be really appreciated. I'm absolutely aware of the privacy implications of TLS client authentication. And you're completely right, that it's not a very good option to let the user handle the certificates and keys manually. But asking for a smartcard API on android or for firefox to use the android certificate/key store so the corporate MDM (mobile device management) can enroll the user with a certificate (and key), did not seem promising to me :)
Wennie, can you or your team take a look here? Thanks!
Flags: needinfo?(lhenry) → needinfo?(wleung)

Hi J.C. please comment.

Flags: needinfo?(wleung) → needinfo?(jjones)

There are two options that we've thought of here:

  1. Mozilla develops a UX for managing certificates (User and CA, since there's a bug for that too) on Android. This would let us do some cleanup on the current "suggested" way of importing roots into Android via drive-by downloads.

  2. Write a PKCS11 module for NSS that exposes platform user certificates to Firefox. For this bug, we'd need Android support. But Windows and OSX support come up very regularly. Particularly for enterprise uses, this is a recurring request.

Neither is easy, at first glance, but we don't have estimates for either.

Flags: needinfo?(jjones)

Moving this bug to the GeckoView product so we can track it for Fenix. Here is the Fenix feature request: https://github.com/mozilla-mobile/fenix/issues/2286

Product: Firefox for Android → GeckoView
See Also: → https://github.com/mozilla-mobile/fenix/issues/2286

¡Hola!

Ended up here researching for an answer to https://support.mozilla.org/questions/1308589

Updating flags FWIW.

¡Gracias!
Alex

status-firefox81: --- → affected
status-firefox82: --- → affected
status-firefox83: --- → affected

Hello. I'm also add my voice, this actuality issue. My Security team's give me SSL Cert from test stand, for i test browsers on mobiles. We would to support our site on FireFox mobile, but i can't test it befor production (the internal FireFox mobile emulator not enough).
My best regards

Same here. I can't believe this is currently not possible with Firefox on Android? I'm using my own CA when developing websites, and can't install them in Firefox.

Me too. I'm using the certificate based authentication in my environment. I can't believe that this issue is still here for 8 years !

Support for adding trusted roots was added in Bug 1678191. See https://mozilla.github.io/geckoview/javadoc/mozilla-central/org/mozilla/geckoview/GeckoRuntimeSettings.html#setEnterpriseRootsEnabled-boolean-

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

Does that help with this issue? I'm still not sure how I would import my user certificate (or use the android certificate store within firefox) for authenticating to my web server.

there's definitely some confusion.
the linked bug is not related to user certificates at all.

Same question as aidan.

How do I import my user certificate (PKCS12) on Firefox Android ?

I have user (client) certificate on Android, Chrome is ok to use it to access the web site (the site verify client certificate), but Firefox Android CAN'T. So Firefox Android neither uses Android stored user certificate nor allow user to import the user certificate. The conclusion is that this issue was NOT RESOLVED.

Hello Agi and J.C. , this issue is not a duplication of bug: 1678191, they are different.

We need Firefox for Android to support client certificate authentication. The first step is that either let user import the user's certificate (i.e. client certificate) to Firefox for Android or use the user certificate stored in Android. The next step is that Firefox for Android let user to choose which client certificate to use when the web site request the client certificate from Firefox for Android. The desktop Firefox is doing well on the client certificate authentication.

A client certificate is not a CA certificate, the X509 "Basic Constraints" is "Certificate Authority: No" for a client certificate and "Certificate Authority: Yes" for a CA certificate.

Usually, user needs to provide the client certificate as a PKCS12 (.p12) format file, which packs the client certificate and its private key, while importing.

Please REOPEN this bug and provide your comments, Agi and J.C..

Thanks.

Flags: needinfo?(jc)
Flags: needinfo?(agi)

Sorry I misunderstood the scope of this bug.

Flags: needinfo?(jc)
Flags: needinfo?(agi)
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.

(In reply to veit.guna from comment #34)

I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.

No. They are different things. Please check previous Comment #32

This issue is asking Firefox Android to support client certificate authentication. But the developer guys seem don't want to implement it. So people who need this feature change to use Chrome, Brave browsers instead.

Ah OK. Just read about the missing import functionality and overlooked client auth. Sorry for the spam then.

(In reply to veit.guna from comment #34)

I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.

¡Hola Veit!

Hope these lines find you well.

I get the following error when loading the given URL:

"Secure Connection Failed

An error occurred during a connection to blog.jeroenhd.nl. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…"

Can you perhaps post the workaround to https://pastebin.mozilla.org/ por favor?

¡Gracias!
Alex

The currently linked Fenix issue https://github.com/mozilla-mobile/fenix/issues/2286 seems more related to installing a CA certificate instead of a client certificate (I use terms from comment #32). https://github.com/mozilla-mobile/fenix/issues/13988 is more closer to this issue.

Just wanted to chime in here.

I need to access services that are behind an SSL proxy that validates client certificates. Importing the .p12 worked fine on Android 12, but Firefox is not utilizing that. Chrome works fine.

If I'm reading this right, there's no way to make this work with Firefox on mobile at this point, which means I've got to switch browsers.

The functionality is available on Firefox on Linux with its own management, but it would be better if it used the Android secure store like everything else.

I'm looking at unrelated issues, but I noticed nobody in this thread has mentioned the "OS Client Certs" feature introduced in FF 72, and on by default in FF 90 (on desktop). I don't know enough about the differences between desktop FF and Fenix, but maybe "osclientcerts" is the magic word that's missing here?

Using osclientcerts is also a way to address this issue. Such a module needs specific implementation for each operating system, and as far as I know there is no implementation for Android yet [1].

Chromium on Android uses KeyChain.choosePrivateKeyAlias() to prompt for a private key when needed [1]. Probably osclientcerts for Android can be implemented with that.

[1] https://searchfox.org/mozilla-central/source/security/manager/ssl/osclientcerts/src
[2] https://chromium.googlesource.com/chromium/src/+/refs/tags/103.0.5060.53/components/browser_ui/client_certificate/android/java/src/org/chromium/components/browser_ui/client_certificate/SSLClientCertificateRequest.java#210

I'm not familiar with how Fenix manages their issues/feature requests. I don't see another issue here tracking that requirement, nor do I see any mention of it on Github. I don't use the Android version much, so I don't really think I'm an appropriate "champion" for it, but if an interested party wants to open an issue (here, or there, I guess?) I would probably follow along.

A few other places mentions features that can be achieved by osclientcerts, while exact keywords are not there. You may want to follow relevant issues.

Moving some cursor and key event bugs to the new GeckoView::IME component.

Component: General → IME

(In reply to Chris Peterson [:cpeterson] from comment #45)

Moving some cursor and key event bugs to the new GeckoView::IME component.

"Keys" here are cryptographic ones, not physical ones on the keyboard :D

This issue is not belong to "IME" component obviously.

By the way, what's the reason that the developers don't want to enable this feature (Client Certificate Authentication) for Firefox Android ?

Flags: needinfo?(wleung)
Flags: needinfo?(chrispetersen)

You tagged the wrong "Chris P". I'm tagging the one who changed the component.

Chris, for your reference, this is an SSL/network security issue. Previously it had a UI requirement, but now it may not per c42 -- it may be sufficient to write a "backend" module for Android (and I guess maybe iOS?).

Flags: needinfo?(cpeterson)

(In reply to Chih-Hsuan Yen [:yan12125] (UTC+8) from comment #46)

"Keys" here are cryptographic ones, not physical ones on the keyboard :D

Oops. Thanks for catching that.

(In reply to super.dukefb1 from comment #47)

By the way, what's the reason that the developers don't want to enable this feature (Client Certificate Authentication) for Firefox Android ?

Sorry. It just hasn't been a high priority.

Component: IME → General
Flags: needinfo?(wleung)
Flags: needinfo?(cpeterson)
Flags: needinfo?(chrispetersen)
Severity: normal → S3

This is by no means an isolated issue on certain companies.
In Spain, the whole country uses client certificate authentication to access the "Sede Electrónica" which is the portal every Spaniard has to use to access every single gov portal, from taxes to public health.
On firefox for desktop it works fine, it asks which certificate to use, and logs in, but in android I have to switch to chrom{e,ium} in order to do anything with a gov related website, or even app, since it opens a browser to do the login.
To be fair, the method used by the gov is not the best in terms of user friendliness, but since it works on desktop, people expect it to work on android, and gets even more confused when it doesn't.
Please, raise the priority on this one to make firefox more accessible to a whole country.

(In reply to Alex from comment #50)

This is by no means an isolated issue on certain companies.
In Spain, the whole country uses client certificate authentication to access the "Sede Electrónica" which is the portal every Spaniard has to use to access every single gov portal, from taxes to public health.
On firefox for desktop it works fine, it asks which certificate to use, and logs in, but in android I have to switch to chrom{e,ium} in order to do anything with a gov related website, or even app, since it opens a browser to do the login.
To be fair, the method used by the gov is not the best in terms of user friendliness, but since it works on desktop, people expect it to work on android, and gets even more confused when it doesn't.
Please, raise the priority on this one to make firefox more accessible to a whole country.

Agreed completely. I also live in Spain, I also make heavy use of electronic government services using my government-issued digital certificate to authenticate myself, and this blocks me from using Firefox on my Android devices for these purposes.

Is the Spanish government ID issued as a downloadable certificate file (p7b or p12), or is it a smartcard? I believe Estonia was the first to issue the latter.

(In reply to James B from comment #52)

Is the Spanish government ID issued as a downloadable certificate file (p7b or p12), or is it a smartcard? I believe Estonia was the first to issue the latter.

Both/either, it depends on status. Citizens automatically get a smartcard-enabled physical ID card with an embedded renewable manageable certificate. Non-citizen residents can register for a p12/.pfx certificate file.
The government provides an Android app to allow using the embedded certificate in the physical ID card via NFC. The p12/.pfx certificates are general certificates with private key - I use them on Windows desktop (User Certificate store), imported in to Windows Firefox, in Java apps that read the .pfx files directly, etc.

Citizens can also get the p12/pfx certificate file, which is the one I'm mainly using.

That's a really neat solution! It sounds like the most helpful thing would be to implement the "osclientcerts" backing module so that FF can pass the authentication request through to the platform.

I have been working on this bug lately, and I have made some progress - specifically, I am now able to authenticate with a client certificate on servers that use RSA-PKCS1 algorithms for encryption. To achieve that, I've made an implementation of osclientcerts backend for Android. The certificate is installed in the Android Keystore, and user can pick a matching certificate from the system dialog menu when the server requests it.
However, I've encountered a showstopper during implementation of signing data challenge using RSA-PSS. Unlike MacOS and Windows, Android RSA-PSS signature algorithms only support non-hashed data as input parameter (the hashing is done during the signature process), but data I'm getting during signature request is seems to be a SHA-256 hash.

Is there a way to get non-hashed challenge data from C_Sign in osclientcerts without breaking anything, so that I could hash and encrypt/sign it on Java side? Also, if anyone knows services that use EC keys for client certificate authentication I could use for testing - that would help me implement the EC signatures.
I would greatly appreciate any advice and collaboration.

There is a GitHub fork if you want to try/see the code for yourself: https://github.com/alongotv/gecko-dev/tree/fix/Bug_868370

Is there any progress being made on this issue?

There are real services out there ( as mentioned here above, for eg. all the Spanish public websites do allow you to login using a client certificate ) providing this capability, and it shocks me that Firefox is the only browser on mobile not allowing you to use this. This should be prioritized by the dev team honestly.

Thank you in advance.

The situation on this topic is dire.

There are two ways to solve this problem:

  1. Google (AOSP) to support signing hashed data with RSA-PSS in Keymaster (KeyMint) HAL

What exactly does this mean?
The certificates and private keys in Android are stored in StrongBox Keymaster,

an implementation of the Keymaster or KeyMint HAL that resides in a hardware security module-like secure element.

The purpose of StrongBox Keymaster is to keep the private keys outside the Android system to prevent leaks.
The implementation of KeyMint (Keymaster) HAL is delegated to Android device vendors,
however, its contract is still regulated by AOSP.
The contract tells vendors which algorithms and cryptographic functions KeyMint (Keymaster) HAL must support.
This makes updating the Keymaster/KeyMint implementation a very expensive feature.

Unless this ticket gets resolved, there is not much we can do.
It's about time Android catches up with iOS regarding crypthographic algorithm support, though.

  1. Somebody who works on NSS, the networking layer of Firefox, creates a gimmick which allows to
    pass unhashed data to osclientcerts when used on Android.

This potentially could break a lot of things, especially when the behavior differs between platforms, so I don't see this happening.

I have also had a discussion on how to potentially solve the RSA-PSS problem, but none of the methods worked for me.

Thanks a lot for the detailed reply.

As I can see in either case looks like some development is required, but the latter seems to be the more feasible approach.

Maybe I'm going to ask a stupid question here, as I never had a chance to look at the Firefox code, but can't we just follow the same approach Chromium is using? I mean it's FOSS, I think it doesn't use any private API and it consumed certificates you install on the phone itself. If that works, so it should the Firefox implementation no?

Or is there any kind of patent holding off the implementation based on that code logic?

Maybe I'm going to ask a stupid question here, as I never had a chance to look at the Firefox code, but can't we just follow the same approach Chromium is using?

The biggest difference between Chromium and Firefox in our context is the networking layer. Chromium uses OpenSSL, whereas Firefox uses NSS.
OpenSSL indeed can pass unhashed data to a Chromium Android App for further signing, this is why all Chromium-based browsers (should) support Mutual TLS (client certificate authentication) out of the box.

NSS assumes that the end system (e.g. Windows, MacOS, Android) supports signing hashed values, so this value is being hashed during the handshake with the server. And these systems actually do support that, excluding Android.
I have tried circumventing this approach for testing purposes, but I was unable to extract a valid unhashed value to get RSA-PSS signature working.

There is also a so-called "Raw RSA encryption" approach which Chromium uses as a fallback when RSA-PSS is unavailable (e.g. outdated system software). I have tried that too, and this approach did not work either. My steps were:

  1. Add PSS padding to hashed value from osclientcerts
  2. Use Cipher without padding (RSA/None/NoPadding) to encrypt the resulting value from pt.1

I have tried PSS padding implementation from OpenJDK.
Not an implementation from Chromium - because Chromium PSS padding algorithms rely on OpenSSL.

Keywords: spain

(In reply to Vladimir Vetrov from comment #60)
if the strategy chosen were to use Firefox's private, app-specific certificate store (rather than depending on osclientcerts), would that obviate the need for Android support of PSS? I'm curious because I've always preferred Firefox's pattern of keeping its own store, rather than relying on the underlying OS

You need to log in before you can comment on or make changes to this bug.