Provide a way to import user certificates (with their private keys) from PKCS#12/PFX files (Firefox for Android)
Categories: GeckoView :: General, defect, P5
Tracking: firefox81 affected, firefox82 affected, firefox83 affected, firefox93 affected, firefox94 affected, firefox95 affected
People: Reporter: tomas.garciameras, Unassigned
Comment 19•6 years ago
There are two options that we've thought of here:
- Mozilla develops a UX for managing certificates (User and CA, since there's a bug for that too) on Android. This would let us do some cleanup on the current "suggested" way of importing roots into Android via drive-by downloads.
- Write a PKCS11 module for NSS that exposes platform user certificates to Firefox. For this bug, we'd need Android support. But Windows and OSX support come up very regularly. Particularly for enterprise uses, this is a recurring request.
Neither is easy, at first glance, but we don't have estimates for either.
Comment 20•5 years ago
Moving this bug to the GeckoView product so we can track it for Fenix. Here is the Fenix feature request: https://github.com/mozilla-mobile/fenix/issues/2286
Comment 21•4 years ago
Hello!
Ended up here researching for an answer to https://support.mozilla.org/questions/1308589
Updating flags FWIW.
Thanks!
Alex
Comment 22•4 years ago
Hello. I also add my voice; this is an actual issue. My security team gave me an SSL cert from a test stand so I can test browsers on mobiles. We would like to support our site on Firefox mobile, but I can't test it before production (the internal Firefox mobile emulator is not enough).
My best regards
Comment 23•4 years ago
Same here. I can't believe this is currently not possible with Firefox on Android? I'm using my own CA when developing websites, and can't install them in Firefox.
Comment hidden (offtopic)
Comment 25•4 years ago
Me too. I'm using certificate-based authentication in my environment. I can't believe that this issue is still here after 8 years!
Comment hidden (advocacy)
Comment hidden (advocacy)
Comment 28•3 years ago
Support for adding trusted roots was added in Bug 1678191. See https://mozilla.github.io/geckoview/javadoc/mozilla-central/org/mozilla/geckoview/GeckoRuntimeSettings.html#setEnterpriseRootsEnabled-boolean-
Comment 29•3 years ago
Does that help with this issue? I'm still not sure how I would import my user certificate (or use the android certificate store within firefox) for authenticating to my web server.
Comment 30•3 years ago
There's definitely some confusion.
The linked bug is not related to user certificates at all.
Comment 31•3 years ago
Same question as aidan.
How do I import my user certificate (PKCS12) on Firefox Android?
I have a user (client) certificate on Android; Chrome is able to use it to access the web site (the site verifies the client certificate), but Firefox Android CAN'T. So Firefox Android neither uses the Android-stored user certificate nor allows the user to import the user certificate. The conclusion is that this issue was NOT RESOLVED.
Comment 32•3 years ago
Hello Agi and J.C., this issue is not a duplicate of bug 1678191; they are different.
We need Firefox for Android to support client certificate authentication. The first step is to either let the user import the user's certificate (i.e. client certificate) into Firefox for Android or use the user certificate stored in Android. The next step is for Firefox for Android to let the user choose which client certificate to use when the web site requests the client certificate from Firefox for Android. Desktop Firefox handles client certificate authentication well.
A client certificate is not a CA certificate: the X.509 "Basic Constraints" extension says "Certificate Authority: No" for a client certificate and "Certificate Authority: Yes" for a CA certificate.
Usually, the user needs to provide the client certificate as a PKCS12 (.p12) file, which packs the client certificate and its private key, when importing.
Please REOPEN this bug and provide your comments, Agi and J.C.
Thanks.
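The CA-versus-client distinction drawn in the comment above can be checked mechanically from the Basic Constraints extension. The following added example, written for this page and not code from the bug, from Firefox or from any commenter, is a small DER decoder for that one extension: it tells a CA certificate (cA TRUE) from an end-entity certificate (cA absent or FALSE), reads pathLenConstraint and the critical flag, and rejects the non-DER BOOLEAN encodings that lenient parsers sometimes accept. The sample byte strings are constructed for illustration and are not taken from any real certificate.

```python
from typing import Optional

# Added example (not code from this bug or from Firefox): a minimal DER decoder
# for the X.509 Basic Constraints extension (RFC 5280 4.2.1.9).
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # 2.5.29.19 in DER OID encoding


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value element starting at pos.

    Returns (tag, value, end) where end is the offset just past the element.
    Handles short-form and long-form lengths and rejects truncated input.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low bits give the byte count
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def parse_basic_constraints_value(value: bytes) -> dict:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }, i.e. the contents of extnValue."""
    tag, body, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    result = {"ca": False, "path_len": None}
    pos = 0
    if pos < len(body) and body[pos] == 0x01:             # BOOLEAN present
        _, flag, pos = read_tlv(body, pos)
        # DER omits a DEFAULT FALSE value and encodes TRUE only as 0xFF;
        # an explicit FALSE or a non-0xFF TRUE is BER at best and is rejected.
        if flag != b"\xff":
            raise ValueError("non-DER BOOLEAN encoding in BasicConstraints")
        result["ca"] = True
    if pos < len(body) and body[pos] == 0x02:             # INTEGER present
        _, n, pos = read_tlv(body, pos)
        path_len = int.from_bytes(n, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        result["path_len"] = path_len
    if pos != len(body):
        raise ValueError("unexpected trailing bytes in BasicConstraints")
    return result


def parse_basic_constraints_extension(ext: bytes) -> dict:
    """Decode a full Extension ::= SEQUENCE { extnID OID, critical BOOLEAN
    DEFAULT FALSE, extnValue OCTET STRING } and return cA, path_len, critical."""
    tag, body, end = read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("Extension must be a single SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
        raise ValueError("not the BasicConstraints extension")
    critical = False
    if pos < len(body) and body[pos] == 0x01:
        _, flag, pos = read_tlv(body, pos)
        if flag != b"\xff":
            raise ValueError("non-DER BOOLEAN encoding for critical")
        critical = True
    tag, value, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    result = parse_basic_constraints_value(value)
    result["critical"] = critical
    return result


def describe(ext: Optional[bytes]) -> str:
    """Classify a certificate the way the comment does: CA or client/end-entity.
    A missing extension (ext is None) means cA takes its default of FALSE."""
    if ext is None:
        return "end-entity certificate (no BasicConstraints)"
    info = parse_basic_constraints_extension(ext)
    if info["ca"]:
        suffix = "" if info["path_len"] is None else f", pathLen={info['path_len']}"
        return "CA certificate" + suffix
    return "end-entity certificate (client or server)"


# Constructed sample encodings (hand-built for this example, not from real certificates):
CA_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")          # critical, cA=TRUE
CA_PATHLEN_EXT = bytes.fromhex("30120603551d130101ff040830060101ff020100")  # critical, cA=TRUE, pathLen=0
CLIENT_EXT = bytes.fromhex("30090603551d1304023000")                  # non-critical, cA=FALSE (empty SEQUENCE)

if __name__ == "__main__":
    for label, ext in (("CA", CA_EXT), ("CA+pathLen", CA_PATHLEN_EXT), ("client", CLIENT_EXT), ("absent", None)):
        print(f"{label:>10}: {describe(ext)}")
```

The decoder treats an explicitly encoded `cA FALSE` as an error rather than silently reading it as FALSE; a validator that accepts BER here has two encodings of the same certificate, which is the kind of ambiguity that lets two implementations disagree about which bytes were signed.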
Comment 33•3 years ago
Sorry I misunderstood the scope of this bug.
Comment 34•3 years ago
I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
It shows how to add a custom CA to Firefox. This worked for me like a charm.
Comment 35•3 years ago
(In reply to veit.guna from comment #34)
> I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
> It shows how to add a custom CA to Firefox. This worked for me like a charm.
No. They are different things. Please check the previous Comment #32.
This issue is asking Firefox Android to support client certificate authentication. But the developers don't seem to want to implement it. So people who need this feature switch to Chrome or Brave instead.
Comment 36•3 years ago
Ah OK. Just read about the missing import functionality and overlooked client auth. Sorry for the spam then.
Comment 37•3 years ago
(In reply to veit.guna from comment #34)
> I don't know if it helps you guys, but I found a nice post as a workaround for now: https://blog.jeroenhd.nl/article/firefox-for-android-using-a-custom-certificate-authority
> It shows how to add a custom CA to Firefox. This worked for me like a charm.
Hello Veit!
Hope these lines find you well.
I get the following error when loading the given URL:
"Secure Connection Failed
An error occurred during a connection to blog.jeroenhd.nl. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Learn more…"
Can you perhaps post the workaround to https://pastebin.mozilla.org/ please?
Thanks!
Alex
Comment 38•3 years ago
Sure, try: https://pastebin.com/tNBZC9ez
Comment 39•3 years ago
The currently linked Fenix issue https://github.com/mozilla-mobile/fenix/issues/2286 seems more related to installing a CA certificate than a client certificate (I use the terms from comment #32). https://github.com/mozilla-mobile/fenix/issues/13988 is closer to this issue.
Comment 40•2 years ago
Just wanted to chime in here.
I need to access services that are behind an SSL proxy that validates client certificates. Importing the .p12 worked fine on Android 12, but Firefox is not utilizing that. Chrome works fine.
If I'm reading this right, there's no way to make this work with Firefox on mobile at this point, which means I've got to switch browsers.
The functionality is available on Firefox on Linux with its own management, but it would be better if it used the Android secure store like everything else.
Comment 41•2 years ago
I'm looking at unrelated issues, but I noticed nobody in this thread has mentioned the "OS Client Certs" feature introduced in FF 72, and on by default in FF 90 (on desktop). I don't know enough about the differences between desktop FF and Fenix, but maybe "osclientcerts" is the magic word that's missing here?
Comment 42•2 years ago
Using osclientcerts is also a way to address this issue. Such a module needs a specific implementation for each operating system, and as far as I know there is no implementation for Android yet [1].
Chromium on Android uses KeyChain.choosePrivateKeyAlias() to prompt for a private key when needed [2]. Probably osclientcerts for Android can be implemented with that.
[1] https://searchfox.org/mozilla-central/source/security/manager/ssl/osclientcerts/src
[2] https://chromium.googlesource.com/chromium/src/+/refs/tags/103.0.5060.53/components/browser_ui/client_certificate/android/java/src/org/chromium/components/browser_ui/client_certificate/SSLClientCertificateRequest.java#210
Comment 43•2 years ago
I'm not familiar with how Fenix manages their issues/feature requests. I don't see another issue here tracking that requirement, nor do I see any mention of it on Github. I don't use the Android version much, so I don't really think I'm an appropriate "champion" for it, but if an interested party wants to open an issue (here, or there, I guess?) I would probably follow along.
Comment 44•2 years ago
A few other places mention features that can be achieved by osclientcerts, while the exact keywords are not there. You may want to follow the relevant issues.
- The second approach in comment #19 in this issue
- Aforementioned https://github.com/mozilla-mobile/fenix/issues/13988, with comments about "Android OS certificate storage", "Android certificate store", etc.
Comment 45•2 years ago
Moving some cursor and key event bugs to the new GeckoView::IME component.
Comment 46•2 years ago
(In reply to Chris Peterson [:cpeterson] from comment #45)
> Moving some cursor and key event bugs to the new GeckoView::IME component.
"Keys" here are cryptographic ones, not physical ones on the keyboard :D
Comment 47•2 years ago
This issue obviously does not belong to the "IME" component.
By the way, what is the reason that the developers don't want to enable this feature (Client Certificate Authentication) for Firefox Android?
Comment 48•2 years ago
You tagged the wrong "Chris P". I'm tagging the one who changed the component.
Chris, for your reference, this is an SSL/network security issue. Previously it had a UI requirement, but now it may not per c42 -- it may be sufficient to write a "backend" module for Android (and I guess maybe iOS?).
Comment 49•2 years ago
(In reply to Chih-Hsuan Yen [:yan12125] (UTC+8) from comment #46)
> "Keys" here are cryptographic ones, not physical ones on the keyboard :D
Oops. Thanks for catching that.
(In reply to super.dukefb1 from comment #47)
> By the way, what's the reason that the developers don't want to enable this feature (Client Certificate Authentication) for Firefox Android ?
Sorry. It just hasn't been a high priority.
Comment 50•1 year ago
This is by no means an isolated issue at certain companies.
In Spain, the whole country uses client certificate authentication to access the "Sede Electrónica", which is the portal every Spaniard has to use to access every single gov portal, from taxes to public health.
On Firefox for desktop it works fine: it asks which certificate to use and logs in, but on Android I have to switch to chrom{e,ium} in order to do anything with a gov-related website, or even app, since it opens a browser to do the login.
To be fair, the method used by the gov is not the best in terms of user friendliness, but since it works on desktop, people expect it to work on Android, and get even more confused when it doesn't.
Please, raise the priority on this one to make Firefox more accessible to a whole country.
Comment 51•1 year ago
(In reply to Alex from comment #50)
> This is by no means an isolated issue at certain companies.
> In Spain, the whole country uses client certificate authentication to access the "Sede Electrónica", which is the portal every Spaniard has to use to access every single gov portal, from taxes to public health.
> On Firefox for desktop it works fine: it asks which certificate to use and logs in, but on Android I have to switch to chrom{e,ium} in order to do anything with a gov-related website, or even app, since it opens a browser to do the login.
> To be fair, the method used by the gov is not the best in terms of user friendliness, but since it works on desktop, people expect it to work on Android, and get even more confused when it doesn't.
> Please, raise the priority on this one to make Firefox more accessible to a whole country.
Agreed completely. I also live in Spain, I also make heavy use of electronic government services using my government-issued digital certificate to authenticate myself, and this blocks me from using Firefox on my Android devices for these purposes.
Comment 52•1 year ago
Is the Spanish government ID issued as a downloadable certificate file (p7b or p12), or is it a smartcard? I believe Estonia was the first to issue the latter.
Comment 53•1 year ago
(In reply to James B from comment #52)
> Is the Spanish government ID issued as a downloadable certificate file (p7b or p12), or is it a smartcard? I believe Estonia was the first to issue the latter.
Both/either, it depends on status. Citizens automatically get a smartcard-enabled physical ID card with an embedded renewable manageable certificate. Non-citizen residents can register for a p12/.pfx certificate file.
The government provides an Android app to allow using the embedded certificate in the physical ID card via NFC. The p12/.pfx certificates are general certificates with private key - I use them on Windows desktop (User Certificate store), imported in to Windows Firefox, in Java apps that read the .pfx files directly, etc.
Comment 54•1 year ago
Citizens can also get the p12/pfx certificate file, which is the one I'm mainly using.
Comment 55•1 year ago
That's a really neat solution! It sounds like the most helpful thing would be to implement the "osclientcerts" backing module so that FF can pass the authentication request through to the platform.
Comment 56•1 year ago
I have been working on this bug lately, and I have made some progress: specifically, I am now able to authenticate with a client certificate on servers that use RSA-PKCS1 algorithms for encryption. To achieve that, I've made an implementation of the osclientcerts backend for Android. The certificate is installed in the Android Keystore, and the user can pick a matching certificate from the system dialog when the server requests it.
However, I've encountered a showstopper during the implementation of signing the data challenge using RSA-PSS. Unlike macOS and Windows, Android's RSA-PSS signature algorithms only support non-hashed data as the input parameter (the hashing is done during the signature process), but the data I'm getting during the signature request seems to be a SHA-256 hash.
Is there a way to get the non-hashed challenge data from C_Sign in osclientcerts without breaking anything, so that I could hash and encrypt/sign it on the Java side? Also, if anyone knows services that use EC keys for client certificate authentication that I could use for testing, that would help me implement the EC signatures.
I would greatly appreciate any advice and collaboration.
There is a GitHub fork if you want to try/see the code for yourself: https://github.com/alongotv/gecko-dev/tree/fix/Bug_868370
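The mismatch described in comment 56 comes down to where the hashing step of RSA-PSS happens. The EMSA-PSS encoding in RFC 8017 hashes the message in its first step, and every step after that uses only the digest, so a signing path that is handed a SHA-256 hash (as the commenter reports for the C_Sign input) is not missing anything cryptographically; what it lacks is a platform API shaped to accept the digest rather than the raw data. The following added example, written for this page and not code from the bug, the fork linked above, or Firefox, implements EMSA-PSS-ENCODE and EMSA-PSS-VERIFY in pure Python with hashlib to make that split visible: encoding from the raw message and from its precomputed digest yields the same encoded message, and a verifier that only ever sees the digest accepts it. The parameters (SHA-256, MGF1 with SHA-256, a 32-byte salt, a 2048-bit modulus) are assumptions chosen for illustration, and the final RSA private-key operation on the encoded message is left out.

```python
import hashlib
import hmac
import os

# Added example (not code from this bug or from the linked fork): EMSA-PSS
# encoding and verification from RFC 8017 sections 9.1.1 and 9.1.2.
# Assumed parameters: SHA-256, MGF1-SHA256, sLen = hLen, 2048-bit modulus.
# The modular exponentiation with the private key (EM^d mod n) is not shown.
HASH = hashlib.sha256
H_LEN = 32                          # SHA-256 digest size
SALT_LEN = 32                       # sLen = hLen, the usual TLS 1.3 choice
EM_BITS = 2047                      # modBits - 1 for a 2048-bit modulus
EM_LEN = (EM_BITS + 7) // 8         # 256 octets
CLEAR_BITS = 8 * EM_LEN - EM_BITS   # leading bits forced to zero (1 here)


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): concatenate Hash(seed || C) for C = 0, 1, ... and truncate."""
    out = b""
    for counter in range((mask_len + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def pss_encode_from_hash(m_hash: bytes, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE from step 3 onward. The raw message never appears here:
    once mHash exists, the rest of the encoding needs only the digest."""
    if len(m_hash) != H_LEN or len(salt) != SALT_LEN:
        raise ValueError("digest or salt has the wrong length")
    if EM_LEN < H_LEN + SALT_LEN + 2:
        raise ValueError("encoding error: modulus too small for these parameters")
    m_prime = b"\x00" * 8 + m_hash + salt                        # step 5
    h = HASH(m_prime).digest()                                    # step 6
    ps = b"\x00" * (EM_LEN - SALT_LEN - H_LEN - 2)                # step 7
    db = ps + b"\x01" + salt                                      # step 8
    db_mask = mgf1(h, EM_LEN - H_LEN - 1)                         # step 9
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))     # step 10
    masked_db[0] &= 0xFF >> CLEAR_BITS                            # step 11
    return bytes(masked_db) + h + b"\xbc"                         # step 12


def pss_encode(message: bytes, salt: bytes = None) -> bytes:
    """Full EMSA-PSS-ENCODE: steps 1-2 hash the raw message, then delegate.
    This is the shape of an API that takes unhashed data and hashes internally;
    a random salt is drawn when none is supplied, as a real signer must."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return pss_encode_from_hash(HASH(message).digest(), salt)


def pss_verify_from_hash(m_hash: bytes, em: bytes) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) given mHash and the decoded EM."""
    if len(m_hash) != H_LEN or len(em) != EM_LEN:
        return False
    if em[-1] != 0xBC:                                            # step 4
        return False
    masked_db = em[: EM_LEN - H_LEN - 1]                          # step 5
    h = em[EM_LEN - H_LEN - 1 : -1]
    if CLEAR_BITS and masked_db[0] >> (8 - CLEAR_BITS):           # step 6
        return False
    db_mask = mgf1(h, EM_LEN - H_LEN - 1)                         # step 7
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))     # step 8
    db[0] &= 0xFF >> CLEAR_BITS                                   # step 9
    ps_len = EM_LEN - H_LEN - SALT_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:                    # step 10
        return False
    salt = bytes(db[-SALT_LEN:])                                  # step 11
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()          # steps 12-13
    return hmac.compare_digest(h, h_prime)                        # step 14


def digest_only_roundtrip(message: bytes) -> bool:
    """Encode from the raw message and from its precomputed digest with the same
    salt, check the two EMs agree, and check that a verifier which only sees the
    digest accepts the result and rejects the digest of a different message."""
    salt = bytes(range(SALT_LEN))      # constructed fixed salt so both EMs are comparable
    m_hash = HASH(message).digest()
    em_raw = pss_encode(message, salt)
    em_hash = pss_encode_from_hash(m_hash, salt)
    other = HASH(message + b"\x00").digest()
    return (em_raw == em_hash
            and pss_verify_from_hash(m_hash, em_raw)
            and not pss_verify_from_hash(other, em_raw))


if __name__ == "__main__":
    print("digest-only round trip OK:", digest_only_roundtrip(b"constructed CertificateVerify input"))
```

The salt is a parameter so that the two encodings can be compared byte for byte; in production the salt must be fresh random bytes per signature, which `pss_encode` does when no salt is passed. The final hash comparison uses `hmac.compare_digest` so the verifier does not leak how many leading bytes matched.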