Security: Add mTLS client certificate support

paolostivanin · paolostivanin · commit daf05bcf7ec6 · 2026-03-31T15:13:24.000+02:00
Allow users to present a client certificate for mutual TLS
authentication (e.g. Cloudflare mTLS). Uses Android KeyChain
API so users pick from certificates already installed on device.
diff --git a/opencloudApp/src/main/java/eu/opencloud/android/presentation/settings/security/SettingsSecurityFragment.kt b/opencloudApp/src/main/java/eu/opencloud/android/presentation/settings/security/SettingsSecurityFragment.kt
@@ -24,6 +24,7 @@ import android.app.Activity
 import android.content.DialogInterface
 import android.content.Intent
 import android.os.Bundle
+import android.security.KeyChain
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.appcompat.app.AlertDialog
 import androidx.preference.CheckBoxPreference
@@ -56,6 +57,8 @@ class SettingsSecurityFragment : PreferenceFragmentCompat() {
     private var prefLockApplication: ListPreference? = null
     private var prefLockAccessDocumentProvider: CheckBoxPreference? = null
     private var prefTouchesWithOtherVisibleWindows: CheckBoxPreference? = null
+    private var prefMtls: CheckBoxPreference? = null
+    private var prefMtlsSelectCert: Preference? = null
 
     private val enablePasscodeLauncher =
         registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { result ->
@@ -222,6 +225,62 @@ class SettingsSecurityFragment : PreferenceFragmentCompat() {
             }
             true
         }
+
+        // mTLS client certificate
+        prefMtls = findPreference(SettingsSecurityViewModel.PREFERENCE_ENABLE_MTLS)
+        prefMtlsSelectCert = findPreference(SettingsSecurityViewModel.PREFERENCE_MTLS_SELECT_CERTIFICATE)
+
+        updateMtlsCertSummary()
+
+        prefMtls?.setOnPreferenceChangeListener { _: Preference?, newValue: Any ->
+            val enabled = newValue as Boolean
+            securityViewModel.setMtlsEnabled(requireContext(), enabled)
+            if (!enabled) {
+                securityViewModel.removeAlias(requireContext())
+                updateMtlsCertSummary()
+                invalidateHttpClients()
+            }
+            true
+        }
+
+        prefMtlsSelectCert?.setOnPreferenceClickListener {
+            launchKeyChainPicker()
+            true
+        }
+    }
+
+    private fun launchKeyChainPicker() {
+        val currentAlias = securityViewModel.getSelectedAlias(requireContext())
+        KeyChain.choosePrivateKeyAlias(
+            requireActivity(),
+            { alias ->
+                activity?.runOnUiThread {
+                    if (alias != null) {
+                        securityViewModel.setSelectedAlias(requireContext(), alias)
+                        showMessageInSnackbar(getString(R.string.prefs_mtls_cert_selected))
+                    } else {
+                        securityViewModel.removeAlias(requireContext())
+                        showMessageInSnackbar(getString(R.string.prefs_mtls_cert_removed))
+                    }
+                    updateMtlsCertSummary()
+                    invalidateHttpClients()
+                }
+            },
+            null, null, null, -1, currentAlias
+        )
+    }
+
+    private fun updateMtlsCertSummary() {
+        val alias = securityViewModel.getSelectedAlias(requireContext())
+        prefMtlsSelectCert?.summary = if (alias != null) {
+            getString(R.string.prefs_mtls_select_cert_summary, alias)
+        } else {
+            getString(R.string.prefs_mtls_select_cert_summary_none)
+        }
+    }
+
+    private fun invalidateHttpClients() {
+        eu.opencloud.android.lib.common.SingleSessionManager.getDefaultSingleton().invalidateAllClients()
     }
 
     private fun enableBiometricAndLockApplication() {
diff --git a/opencloudApp/src/main/java/eu/opencloud/android/presentation/settings/security/SettingsSecurityViewModel.kt b/opencloudApp/src/main/java/eu/opencloud/android/presentation/settings/security/SettingsSecurityViewModel.kt
@@ -20,9 +20,11 @@
 
 package eu.opencloud.android.presentation.settings.security
 
+import android.content.Context
 import androidx.lifecycle.ViewModel
 import eu.opencloud.android.R
 import eu.opencloud.android.data.providers.SharedPreferencesProvider
+import eu.opencloud.android.lib.common.network.ClientCertificateManager
 import eu.opencloud.android.presentation.security.LockEnforcedType
 import eu.opencloud.android.presentation.security.LockEnforcedType.Companion.parseFromInteger
 import eu.opencloud.android.presentation.security.LockTimeout
@@ -63,4 +65,23 @@ class SettingsSecurityViewModel(
             integerKey = R.integer.lock_delay_enforced
         )
     ) != LockTimeout.DISABLED
+
+    fun setMtlsEnabled(context: Context, enabled: Boolean) {
+        ClientCertificateManager.setMtlsEnabled(context, enabled)
+    }
+
+    fun getSelectedAlias(context: Context): String? = ClientCertificateManager.getAlias(context)
+
+    fun setSelectedAlias(context: Context, alias: String) {
+        ClientCertificateManager.setAlias(context, alias)
+    }
+
+    fun removeAlias(context: Context) {
+        ClientCertificateManager.removeAlias(context)
+    }
+
+    companion object {
+        const val PREFERENCE_ENABLE_MTLS = "enable_mtls"
+        const val PREFERENCE_MTLS_SELECT_CERTIFICATE = "mtls_select_certificate"
+    }
 }
diff --git a/opencloudApp/src/main/res/values/strings.xml b/opencloudApp/src/main/res/values/strings.xml
@@ -59,6 +59,14 @@
     <string name="prefs_lock_access_from_document_provider_summary">Lock access from other apps to the files of the accounts in the app via the Android native file explorer.</string>
     <string name="prefs_touches_with_other_visible_windows">Touches with other visible windows</string>
     <string name="prefs_touches_with_other_visible_windows_summary">Allow touches when the view is obscured by another visible window. Enable it to use light filtering apps.</string>
+
+    <string name="prefs_mtls">mTLS client certificate</string>
+    <string name="prefs_mtls_summary">Present a client certificate for mutual TLS authentication</string>
+    <string name="prefs_mtls_select_cert">Select certificate</string>
+    <string name="prefs_mtls_select_cert_summary_none">No certificate selected</string>
+    <string name="prefs_mtls_select_cert_summary">Selected: %s</string>
+    <string name="prefs_mtls_cert_selected">Client certificate selected</string>
+    <string name="prefs_mtls_cert_removed">Client certificate removed</string>
     <string name="confirmation_touches_with_other_windows_title">Are you sure you want to enable this feature?</string>
     <string name="confirmation_touches_with_other_windows_message">Use this feature at your own risk. A malicious application could try to spoof you into unknowingly performing some actions, using other views.</string>
     <string name="prefs_subsection_picture_uploads">Automatic picture uploads</string>
diff --git a/opencloudApp/src/main/res/xml/settings_security.xml b/opencloudApp/src/main/res/xml/settings_security.xml
@@ -49,4 +49,16 @@
         app:summary="@string/prefs_touches_with_other_visible_windows_summary"
         app:title="@string/prefs_touches_with_other_visible_windows" />
 
+    <CheckBoxPreference
+        app:iconSpaceReserved="false"
+        app:key="enable_mtls"
+        app:summary="@string/prefs_mtls_summary"
+        app:title="@string/prefs_mtls" />
+    <Preference
+        app:dependency="enable_mtls"
+        app:iconSpaceReserved="false"
+        app:key="mtls_select_certificate"
+        app:summary="@string/prefs_mtls_select_cert_summary_none"
+        app:title="@string/prefs_mtls_select_cert" />
+
 </PreferenceScreen>
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/SingleSessionManager.java b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/SingleSessionManager.java
@@ -205,6 +205,15 @@ public void removeClientFor(OpenCloudAccount account) {
         Timber.d("removeClientFor finishing ");
     }
 
+    public void invalidateAllClients() {
+        for (OpenCloudClient client : mClientsWithKnownUsername.values()) {
+            client.invalidate();
+        }
+        for (OpenCloudClient client : mClientsWithUnknownUsername.values()) {
+            client.invalidate();
+        }
+    }
+
     public void refreshCredentialsForAccount(String accountName, OpenCloudCredentials credentials) {
         OpenCloudClient openCloudClient = mClientsWithKnownUsername.get(accountName);
         if (openCloudClient == null) {
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/http/HttpClient.java b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/http/HttpClient.java
@@ -28,6 +28,7 @@
 
 import eu.opencloud.android.lib.common.http.logging.LogInterceptor;
 import eu.opencloud.android.lib.common.network.AdvancedX509TrustManager;
+import eu.opencloud.android.lib.common.network.ClientCertificateManager;
 import eu.opencloud.android.lib.common.network.NetworkUtils;
 import okhttp3.Cookie;
 import okhttp3.CookieJar;
@@ -37,6 +38,7 @@
 import okhttp3.TlsVersion;
 import timber.log.Timber;
 
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
@@ -75,7 +77,9 @@ public OkHttpClient getOkHttpClient() {
                         NetworkUtils.getKnownServersStore(mContext));
 
                 final SSLContext sslContext = buildSSLContext();
-                sslContext.init(null, new TrustManager[]{trustManager}, null);
+
+                KeyManager[] keyManagers = ClientCertificateManager.getKeyManagers(mContext);
+                sslContext.init(keyManagers, new TrustManager[]{trustManager}, null);
                 final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
 
                 // Automatic cookie handling, NOT PERSISTENT
@@ -93,6 +97,10 @@ public OkHttpClient getOkHttpClient() {
         return mOkHttpClient;
     }
 
+    public void invalidate() {
+        mOkHttpClient = null;
+    }
+
     private SSLContext buildSSLContext() throws NoSuchAlgorithmException {
         try {
             return SSLContext.getInstance(TlsVersion.TLS_1_3.javaName());
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/network/ClientCertificateManager.java b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/network/ClientCertificateManager.java
@@ -0,0 +1,138 @@
+/* openCloud Android Library is available under MIT license
+ *   Copyright (C) 2026 openCloud GmbH.
+ *
+ *   Permission is hereby granted, free of charge, to any person obtaining a copy
+ *   of this software and associated documentation files (the "Software"), to deal
+ *   in the Software without restriction, including without limitation the rights
+ *   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *   copies of the Software, and to permit persons to whom the Software is
+ *   furnished to do so, subject to the following conditions:
+ *
+ *   The above copyright notice and this permission notice shall be included in
+ *   all copies or substantial portions of the Software.
+ *
+ *   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ *   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ *   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ *   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ *   BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ *   ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ *   CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *   THE SOFTWARE.
+ *
+ */
+
+package eu.opencloud.android.lib.common.network;
+
+import android.content.Context;
+import android.content.SharedPreferences;
+import android.security.KeyChain;
+
+import timber.log.Timber;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.X509KeyManager;
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+public class ClientCertificateManager {
+
+    private static final String PREFS_NAME = "mtls_prefs";
+    private static final String PREF_KEY_ALIAS = "key_alias";
+    private static final String PREF_MTLS_ENABLED = "mtls_enabled";
+
+    public static void setAlias(Context context, String alias) {
+        getPrefs(context).edit()
+                .putString(PREF_KEY_ALIAS, alias)
+                .putBoolean(PREF_MTLS_ENABLED, true)
+                .apply();
+    }
+
+    public static void removeAlias(Context context) {
+        getPrefs(context).edit()
+                .remove(PREF_KEY_ALIAS)
+                .putBoolean(PREF_MTLS_ENABLED, false)
+                .apply();
+    }
+
+    public static String getAlias(Context context) {
+        return getPrefs(context).getString(PREF_KEY_ALIAS, null);
+    }
+
+    public static boolean isMtlsEnabled(Context context) {
+        return getPrefs(context).getBoolean(PREF_MTLS_ENABLED, false);
+    }
+
+    public static void setMtlsEnabled(Context context, boolean enabled) {
+        getPrefs(context).edit().putBoolean(PREF_MTLS_ENABLED, enabled).apply();
+    }
+
+    public static KeyManager[] getKeyManagers(Context context) {
+        if (!isMtlsEnabled(context)) {
+            return null;
+        }
+
+        String alias = getAlias(context);
+        if (alias == null) {
+            return null;
+        }
+
+        return new KeyManager[]{new KeyChainKeyManager(context, alias)};
+    }
+
+    private static SharedPreferences getPrefs(Context context) {
+        return context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
+    }
+
+    private static class KeyChainKeyManager implements X509KeyManager {
+        private final Context context;
+        private final String alias;
+
+        KeyChainKeyManager(Context context, String alias) {
+            this.context = context.getApplicationContext();
+            this.alias = alias;
+        }
+
+        @Override
+        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+            return alias;
+        }
+
+        @Override
+        public X509Certificate[] getCertificateChain(String alias) {
+            try {
+                return KeyChain.getCertificateChain(context, alias);
+            } catch (Exception e) {
+                Timber.e(e, "Failed to get certificate chain for alias: %s", alias);
+                return null;
+            }
+        }
+
+        @Override
+        public PrivateKey getPrivateKey(String alias) {
+            try {
+                return KeyChain.getPrivateKey(context, alias);
+            } catch (Exception e) {
+                Timber.e(e, "Failed to get private key for alias: %s", alias);
+                return null;
+            }
+        }
+
+        @Override
+        public String[] getClientAliases(String keyType, Principal[] issuers) {
+            return new String[]{alias};
+        }
+
+        @Override
+        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+            return null;
+        }
+
+        @Override
+        public String[] getServerAliases(String keyType, Principal[] issuers) {
+            return null;
+        }
+    }
+}
