Open Bug 868370 Opened 11 years ago Updated 1 month ago

Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)

Categories

(GeckoView :: General, defect, P5)

Tracking

(firefox81 affected, firefox82 affected, firefox83 affected, firefox93 affected, firefox94 affected, firefox95 affected)

REOPENED
Tracking Status
firefox81 --- affected
firefox82 --- affected
firefox83 --- affected
firefox93 --- affected
firefox94 --- affected
firefox95 --- affected

People

(Reporter: tomas.garciameras, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20130502 Firefox/23.0
Build ID: 20130502030939

Steps to reproduce:

There's no way to import user certificates. On desktop Firefox browsers it is done with "Tools" -> "Options" -> "Certificates" -> "View Certificates" -> "Your Certificates" -> "Import", but on Firefox for Android there is no such option.


Actual results:

It is not possible to access SSL sites with Client Authentication.


Expected results:

I should be able to import my certificate with its private key and then access SSL sites with Client Authentication.
Isn't this handled through the system? Settings → Security → Credential Store | Install from storage (install certificates from storage)
Android has a user certificate and key store, but it isn't used by Firefox. You cannot use those certificates and keys for client SSL with Firefox.

Given that Firefox never uses the operating system's stores (MS-CAPI on Windows, Apple Keychain on Mac OS X, etc.), maybe it's better to keep using just NSS and not Android's KeyStore...
Note that Tomás filed this because they want to use Firefox and FirefoxOS (bug 868373) as the base platform for the electronic administration in Spain.

Mark, who could help here? Tomás said that they could help with engineering resources.
Flags: needinfo?(mark.finkle)
It could take a while to decide on a UI for importing certificates. In the meantime, perhaps an add-on would be an acceptable way to import the certs?
Flags: needinfo?(mark.finkle)
An add-on should be a nice temporary solution. 

There is already an add-on for this (https://addons.mozilla.org/en-us/mobile/addon/cert-manager/), but it won't work with anything newer than Firefox 13. It should be a good starting point.
Component: General → Web Apps
OS: Windows 7 → All
QA Contact: aaron.train
Hardware: x86 → All
Why is this moved to Web Apps?
This isn't related to web apps specifically. Moving back to general.
Component: Web Apps → General
QA Contact: aaron.train
Possible dupe or no?
See Also: → 964202
Summary: Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files → Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 868373
Are there any news here?
It is really painful to have to use Chrome on Android to access my company website (it requires private certificates and custom CAs).
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: -- → P5
Is there a WebExtensions API that can be used to manage (add/remove) the client and server certificates somehow?
I cannot understand the priority of 5 for this feature request. Client authentication is still used for many corporate websites and most browsers supply a dialog for managing the authentication tokens.

This is especially problematic after the existing plugins for managing client certificates ceased to function after the switch to WebExtensions. I have not found any hint within the WebExtensions API documentation for methods to manage client authentication certificates/keys.

Is it possible to reevaluate the classification of this bug or hint at the correct API for implementing an appropriate extension?
Flags: needinfo?(sdaswani)
I have to defer to Product on a decision here.
Flags: needinfo?(sdaswani) → needinfo?(abovens)
I doubt this is a common use case, and believe there are better ways for this than manually managing authentication tokens, but I need the Security team's input. Unsure who to NI for that. Liz, can you help out?
Flags: needinfo?(abovens) → needinfo?(lhenry)
In a corporate environment, certificate based authentication has the advantage that you can use the existing PKI infrastructure to issue and revoke the tokens for the users. And you can use the issued certificates to grant the user access to different services via TLS (even the ones that are not based on HTTP like LDAP, IMAP or even VPN services). So basic support in firefox for android would be really appreciated.

I'm absolutely aware of the privacy implications of TLS client authentication. And you're completely right, that it's not a very good option to let the user handle the certificates and keys manually. But asking for a smartcard API on android or for firefox to use the android certificate/key store so the corporate MDM (mobile device management) can enroll the user with a certificate (and key), did not seem promising to me :)
Wennie, can you or your team take a look here? Thanks!
Flags: needinfo?(lhenry) → needinfo?(wleung)

Hi J.C. please comment.

Flags: needinfo?(wleung) → needinfo?(jjones)

There are two options that we've thought of here:

  1. Mozilla develops a UX for managing certificates (User and CA, since there's a bug for that too) on Android. This would let us do some cleanup on the current "suggested" way of importing roots into Android via drive-by downloads.

  2. Write a PKCS11 module for NSS that exposes platform user certificates to Firefox. For this bug, we'd need Android support. But Windows and OSX support come up very regularly. Particularly for enterprise uses, this is a recurring request.

Neither is easy, at first glance, but we don't have estimates for either.

Flags: needinfo?(jjones)

Moving this bug to the GeckoView product so we can track it for Fenix. Here is the Fenix feature request: https://github.com/mozilla-mobile/fenix/issues/2286

Product: Firefox for Android → GeckoView

Hello!

Ended up here researching for an answer to https://support.mozilla.org/questions/1308589

Updating flags FWIW.

Thanks!
Alex

Hello. I'm also adding my voice; this issue is still relevant. My security team gave me an SSL certificate from a test stand so I could test browsers on mobile devices. We would like to support our site on Firefox mobile, but I can't test it before production (the internal Firefox mobile emulator is not enough).
My best regards

Same here. I can't believe this is currently not possible with Firefox on Android? I'm using my own CA when developing websites, and can't install them in Firefox.

Me too. I'm using certificate-based authentication in my environment. I can't believe that this issue is still here after 8 years!

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

Does that help with this issue? I'm still not sure how I would import my user certificate (or use the android certificate store within firefox) for authenticating to my web server.

there's definitely some confusion.
the linked bug is not related to user certificates at all.

Same question as aidan.

How do I import my user certificate (PKCS12) on Firefox Android?

I have user (client) certificate on Android, Chrome is ok to use it to access the web site (the site verify client certificate), but Firefox Android CAN'T. So Firefox Android neither uses Android stored user certificate nor allow user to import the user certificate. The conclusion is that this issue was NOT RESOLVED.

Hello Agi and J.C., this issue is not a duplicate of bug 1678191; they are different.

We need Firefox for Android to support client certificate authentication. The first step is to either let the user import their certificate (i.e. the client certificate) into Firefox for Android or use the user certificate stored in Android. The next step is for Firefox for Android to let the user choose which client certificate to use when the web site requests a client certificate from Firefox for Android. Desktop Firefox handles client certificate authentication well.

A client certificate is not a CA certificate, the X509 "Basic Constraints" is "Certificate Authority: No" for a client certificate and "Certificate Authority: Yes" for a CA certificate.

Usually, the user needs to provide the client certificate as a PKCS12 (.p12) file, which packs the client certificate and its private key, when importing.

Please REOPEN this bug and provide your comments, Agi and J.C.

Thanks.

Flags: needinfo?(jc)
Flags: needinfo?(agi)
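The comment above draws the line between a CA certificate and a client (end-entity) certificate by the X.509 Basic Constraints extension. The following is an added example, not code from this bug thread or from Mozilla/NSS: a minimal DER walker that reads the Basic Constraints extension (OID 2.5.29.19, RFC 5280 section 4.2.1.9) out of a certificate's Extensions sequence and reports whether the certificate is a CA. The Extensions blobs it parses are constructed inline for the demo, including an ExtendedKeyUsage of id-kp-clientAuth as a typical client certificate carries; they are not taken from any real certificate. One detail worth knowing when inspecting a .p12 by hand: DER omits DEFAULT values, so a client certificate's Basic Constraints is usually an empty SEQUENCE (`30 00`) rather than an explicit `cA FALSE`.

```python
# Added example, not code from this bug thread or from Mozilla/NSS: a minimal
# DER walker that classifies a certificate as CA (cA TRUE) or end-entity (the
# client-certificate case) from the X.509 Basic Constraints extension, OID
# 2.5.29.19 (RFC 5280 section 4.2.1.9). The Extensions blobs below are
# constructed inline for the demo; they are not taken from any real certificate.

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")          # 2.5.29.19
EXT_KEY_USAGE_OID = bytes.fromhex("551d25")              # 2.5.29.37
ID_KP_CLIENT_AUTH = bytes.fromhex("2b06010505070302")    # 1.3.6.1.5.5.7.3.2


def _der_len(n: int) -> bytes:
    # Short form below 128, one-byte long form up to 255 (enough for this demo).
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def make_basic_constraints_ext(ca: bool, critical: bool = True) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.
    DER requires DEFAULT values to be omitted, so cA FALSE is encoded as an
    empty BasicConstraints SEQUENCE (30 00), not as an explicit BOOLEAN."""
    basic_constraints = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
    body = _tlv(0x06, BASIC_CONSTRAINTS_OID)
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, basic_constraints))


def make_client_auth_eku_ext() -> bytes:
    """ExtendedKeyUsage with only id-kp-clientAuth, as a typical client cert carries."""
    eku = _tlv(0x30, _tlv(0x06, ID_KP_CLIENT_AUTH))
    return _tlv(0x30, _tlv(0x06, EXT_KEY_USAGE_OID) + _tlv(0x04, eku))


def make_extensions(*exts: bytes) -> bytes:
    """Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension."""
    return _tlv(0x30, b"".join(exts))


def is_ca(extensions_der: bytes):
    """True for cA TRUE, False for cA FALSE/omitted, None if the extension is
    absent (RFC 5280: such a certificate must not be treated as a CA)."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        tag, oid, p = _read_tlv(ext, 0)
        if tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
            continue
        tag, value, p = _read_tlv(ext, p)
        if tag == 0x01:                    # optional 'critical' flag is present
            tag, value, p = _read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        _, basic_constraints, _ = _read_tlv(value, 0)
        if not basic_constraints:          # cA omitted -> DEFAULT FALSE
            return False
        tag, ca_flag, _ = _read_tlv(basic_constraints, 0)
        return tag == 0x01 and ca_flag == b"\xff"
    return None


# Constructed sample extension blocks: one shaped like a CA certificate, one
# like a client certificate, and one with no Basic Constraints at all.
CA_EXTENSIONS = make_extensions(make_basic_constraints_ext(True))
CLIENT_EXTENSIONS = make_extensions(make_client_auth_eku_ext(),
                                    make_basic_constraints_ext(False))
NO_BC_EXTENSIONS = make_extensions(make_client_auth_eku_ext())

if __name__ == "__main__":
    for name, ext in [("CA", CA_EXTENSIONS), ("client", CLIENT_EXTENSIONS),
                      ("no Basic Constraints", NO_BC_EXTENSIONS)]:
        print(f"{name}: is_ca={is_ca(ext)}  ({ext.hex()})")
```

To apply the same check to a real .p12, extract the certificate with `openssl pkcs12 -in user.p12 -clcerts -nokeys` and feed the DER Extensions sequence from the TBSCertificate to `is_ca`; a client certificate returns False (or None when the extension is missing), never True.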

Sorry I misunderstood the scope of this bug.

Flags: needinfo?(jc)
Flags: needinfo?(agi)
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.

(In reply to veit.guna from comment #34)

I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.

No. They are different things. Please check previous Comment #32

This issue is asking Firefox Android to support client certificate authentication. But the developers seem not to want to implement it. So people who need this feature switch to Chrome or Brave instead.

Ah OK. Just read about the missing import functionality and overlooked client auth. Sorry for the spam then.

(In reply to veit.guna from comment #34)

I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.

Hello Veit!

Hope these lines find you well.

I get the following error when loading the given URL:

"Secure Connection Failed

An error occurred during a connection to blog.jeroenhd.nl. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…"

Can you perhaps post the workaround to https://pastebin.mozilla.org/, please?

Thanks!
Alex

The currently linked Fenix issue https://github.com/mozilla-mobile/fenix/issues/2286 seems more related to installing a CA certificate instead of a client certificate (I use the terms from comment #32). https://github.com/mozilla-mobile/fenix/issues/13988 is closer to this issue.

Just wanted to chime in here.

I need to access services that are behind an SSL proxy that validates client certificates. Importing the .p12 worked fine on Android 12, but Firefox is not utilizing that. Chrome works fine.

If I'm reading this right, there's no way to make this work with Firefox on mobile at this point, which means I've got to switch browsers.

The functionality is available on Firefox on Linux with its own management, but it would be better if it used the Android secure store like everything else.

I'm looking at unrelated issues, but I noticed nobody in this thread has mentioned the "OS Client Certs" feature introduced in FF 72, and on by default in FF 90 (on desktop). I don't know enough about the differences between desktop FF and Fenix, but maybe "osclientcerts" is the magic word that's missing here?

Using osclientcerts is also a way to address this issue. Such a module needs specific implementation for each operating system, and as far as I know there is no implementation for Android yet [1].

Chromium on Android uses KeyChain.choosePrivateKeyAlias() to prompt for a private key when needed [2]. Probably osclientcerts for Android can be implemented with that.

[1] https://searchfox.org/mozilla-central/source/security/manager/ssl/osclientcerts/src
[2] https://chromium.googlesource.com/chromium/src/+/refs/tags/103.0.5060.53/components/browser_ui/client_certificate/android/java/src/org/chromium/components/browser_ui/client_certificate/SSLClientCertificateRequest.java#210

I'm not familiar with how Fenix manages their issues/feature requests. I don't see another issue here tracking that requirement, nor do I see any mention of it on Github. I don't use the Android version much, so I don't really think I'm an appropriate "champion" for it, but if an interested party wants to open an issue (here, or there, I guess?) I would probably follow along.

A few other places mention features that can be achieved by osclientcerts, while the exact keywords are not there. You may want to follow the relevant issues.

Moving some cursor and key event bugs to the new GeckoView::IME component.

Component: General → IME

(In reply to Chris Peterson [:cpeterson] from comment #45)

Moving some cursor and key event bugs to the new GeckoView::IME component.

"Keys" here are cryptographic ones, not physical ones on the keyboard :D

This issue obviously does not belong to the "IME" component.

By the way, what's the reason that the developers don't want to enable this feature (client certificate authentication) for Firefox Android?

Flags: needinfo?(wleung)
Flags: needinfo?(chrispetersen)

You tagged the wrong "Chris P". I'm tagging the one who changed the component.

Chris, for your reference, this is an SSL/network security issue. Previously it had a UI requirement, but now it may not per c42 -- it may be sufficient to write a "backend" module for Android (and I guess maybe iOS?).

Flags: needinfo?(cpeterson)

(In reply to Chih-Hsuan Yen [:yan12125] (UTC+8) from comment #46)

"Keys" here are cryptographic ones, not physical ones on the keyboard :D

Oops. Thanks for catching that.

(In reply to super.dukefb1 from comment #47)

By the way, what's the reason that the developers don't want to enable this feature (Client Certificate Authentication) for Firefox Android ?

Sorry. It just hasn't been a high priority.

Component: IME → General
Flags: needinfo?(wleung)
Flags: needinfo?(cpeterson)
Flags: needinfo?(chrispetersen)
Severity: normal → S3

This is by no means an isolated issue on certain companies.
In Spain, the whole country uses client certificate authentication to access the "Sede Electrónica" which is the portal every Spaniard has to use to access every single gov portal, from taxes to public health.
On firefox for desktop it works fine, it asks which certificate to use, and logs in, but in android I have to switch to chrom{e,ium} in order to do anything with a gov related website, or even app, since it opens a browser to do the login.
To be fair, the method used by the gov is not the best in terms of user friendliness, but since it works on desktop, people expect it to work on android, and gets even more confused when it doesn't.
Please, raise the priority on this one to make firefox more accessible to a whole country.

(In reply to Alex from comment #50)

This is by no means an isolated issue on certain companies.
In Spain, the whole country uses client certificate authentication to access the "Sede Electrónica" which is the portal every Spaniard has to use to access every single gov portal, from taxes to public health.
On firefox for desktop it works fine, it asks which certificate to use, and logs in, but in android I have to switch to chrom{e,ium} in order to do anything with a gov related website, or even app, since it opens a browser to do the login.
To be fair, the method used by the gov is not the best in terms of user friendliness, but since it works on desktop, people expect it to work on android, and gets even more confused when it doesn't.
Please, raise the priority on this one to make firefox more accessible to a whole country.

Agreed completely. I also live in Spain, I also make heavy use of electronic government services using my government-issued digital certificate to authenticate myself, and this blocks me from using Firefox on my Android devices for these purposes.

Is the Spanish government ID issued as a downloadable certificate file (p7b or p12), or is it a smartcard? I believe Estonia was the first to issue the latter.

(In reply to James B from comment #52)

Is the Spanish government ID issued as a downloadable certificate file (p7b or p12), or is it a smartcard? I believe Estonia was the first to issue the latter.

Both/either, it depends on status. Citizens automatically get a smartcard-enabled physical ID card with an embedded renewable manageable certificate. Non-citizen residents can register for a p12/.pfx certificate file.
The government provides an Android app to allow using the embedded certificate in the physical ID card via NFC. The p12/.pfx certificates are general certificates with private key - I use them on Windows desktop (User Certificate store), imported in to Windows Firefox, in Java apps that read the .pfx files directly, etc.

Citizens can also get the p12/pfx certificate file, which is the one I'm mainly using.

That's a really neat solution! It sounds like the most helpful thing would be to implement the "osclientcerts" backing module so that FF can pass the authentication request through to the platform.

I have been working on this bug lately, and I have made some progress - specifically, I am now able to authenticate with a client certificate on servers that use RSA-PKCS1 algorithms for encryption. To achieve that, I've made an implementation of osclientcerts backend for Android. The certificate is installed in the Android Keystore, and user can pick a matching certificate from the system dialog menu when the server requests it.
However, I've encountered a showstopper during implementation of signing the data challenge using RSA-PSS. Unlike macOS and Windows, Android RSA-PSS signature algorithms only support non-hashed data as the input parameter (the hashing is done during the signature process), but the data I'm getting during the signature request seems to be a SHA-256 hash.

Is there a way to get non-hashed challenge data from C_Sign in osclientcerts without breaking anything, so that I could hash and encrypt/sign it on Java side? Also, if anyone knows services that use EC keys for client certificate authentication I could use for testing - that would help me implement the EC signatures.
I would greatly appreciate any advice and collaboration.

There is a GitHub fork if you want to try/see the code for yourself: https://github.com/alongotv/gecko-dev/tree/fix/Bug_868370
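The comment above runs into the mismatch between a signer that expects the digest and one that expects the raw message. As an added example that is not code from this bug thread, Mozilla or Android, the block below implements RFC 8017 EMSA-PSS encoding and verification with SHA-256 and shows where the hash enters PSS: the encoding starts from mHash = Hash(M), which is exactly what a PKCS#11 C_Sign caller supplies for the CKM_RSA_PKCS_PSS mechanism (the message-in variant, CKM_SHA256_RSA_PKCS_PSS, hashes internally). Feeding mHash to a signer that hashes internally yields Hash(Hash(M)) and a signature that fails to verify, which is the failure mode described above. The RSA exponentiation over the encoded message EM is left out, the challenge message is constructed, and the salt is fixed so the two signing paths can be compared byte for byte (real signers use a fresh random salt per signature).

```python
# Added example, not code from this bug thread, Mozilla or Android: RFC 8017
# EMSA-PSS encoding and verification with SHA-256, to show where the hash
# enters PSS. The message representative is derived from mHash = Hash(M),
# which is exactly the value a PKCS#11 C_Sign caller passes for the
# CKM_RSA_PKCS_PSS mechanism. A signing API that only accepts the raw message
# hashes internally, so handing it mHash produces Hash(Hash(M)) and a
# signature that does not verify. The RSA exponentiation on the encoded
# message EM is omitted; the message and salt below are constructed.
import hashlib

HASH = hashlib.sha256
H_LEN = HASH().digest_size
EM_BITS = 2047            # modBits - 1 for a 2048-bit RSA modulus


def sha256(data: bytes) -> bytes:
    return HASH(data).digest()


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): concatenate Hash(seed || counter) blocks."""
    out = b""
    for counter in range((mask_len + H_LEN - 1) // H_LEN):
        out += sha256(seed + counter.to_bytes(4, "big"))
    return out[:mask_len]


def emsa_pss_encode(m_hash: bytes, salt: bytes, em_bits: int = EM_BITS) -> bytes:
    """RFC 8017 9.1.1, entered at step 3 because the caller supplies mHash."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error: salt too long for emBits")
    h = sha256(b"\x00" * 8 + m_hash + salt)                  # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)           # clear the unused top bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(m_hash: bytes, em: bytes, s_len: int, em_bits: int = EM_BITS) -> bool:
    """RFC 8017 9.1.2, again starting from mHash."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:                      # top bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= top_mask
    pad_len = em_len - H_LEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    return sha256(b"\x00" * 8 + m_hash + salt) == h


def sign_prehashed(m_hash: bytes, salt: bytes) -> bytes:
    """PKCS#11 style: the signer receives the digest and encodes it directly."""
    return emsa_pss_encode(m_hash, salt)


def sign_raw_message(message: bytes, salt: bytes) -> bytes:
    """Message-in style: the signer hashes first, then encodes."""
    return emsa_pss_encode(sha256(message), salt)


# Constructed inputs: a stand-in for the server's challenge and a fixed salt so
# that the two signing paths are directly comparable (real signers use a
# random salt per signature).
MESSAGE = b"client-auth challenge bytes (constructed for this example)"
SALT = bytes(range(32))


def demo() -> dict:
    m_hash = sha256(MESSAGE)
    same_em = sign_prehashed(m_hash, SALT) == sign_raw_message(MESSAGE, SALT)
    # The failure mode from the comment above: mHash handed to a message-in API.
    double_hashed = sign_raw_message(m_hash, SALT)
    return {
        "prehashed_equals_message_in": same_em,
        "prehashed_verifies": emsa_pss_verify(m_hash, sign_prehashed(m_hash, SALT), len(SALT)),
        "double_hashed_verifies": emsa_pss_verify(m_hash, double_hashed, len(SALT)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for an osclientcerts backend is that the two sides must agree on who hashes: either the native side hands the platform signer the original message (so it can hash and encode itself), or the platform exposes a digest-in PSS primitive. Shipping mHash through a message-in API silently produces a signature over the wrong value, and the server rejects the CertificateVerify with no hint as to why.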
