[Enhancement] Implemented mTLS user certificate for Android #1692
+338 −47
Brief summary
Implementation of Mutual TLS support on the Android platform
Which issue is fixed?
Resolves #1419
Resolves #353
Pull Request Type
Affects Android, Both front and back end
In-depth Description
My plan as it stands is:
1. UI Selection
That was a bit of a failed investigation. The SSL handshake in the mTLS pipeline should allow the contacted server to request that the client (app) send its user cert, prompting the app to pop up a dialog listing installed certificates to choose from during the connection process. This would be an ideal situation, as no extra UI would be needed: if the server needs a cert, the user is prompted for one automatically.
Sadly, documentation for mTLS heavily favours hard-coded certs and keys, where the app developer provides their own server and only wants verified apps to be able to communicate with it. I have been unable to find a way of getting the process automated, so I have fallen back to getting the user to manually select a cert when setting up the server connection.
ScreenShot
2. Kotlin API
Updating the Kotlin code to use mTLS based on a pre-selected certificate is well documented, so implementing this wasn't overly difficult; the main issue is ensuring that all calls in the Kotlin code base are routed via a client that has the mTLS certificate set. While this code is mostly done, I haven't been able to test it properly due to the next section.
3. Vue API
The app is split in two, Kotlin and Vue; both have their own client that independently sends requests to the server. After doing some research into the possibility of keeping this split and supporting the ability of the Vue client to use mTLS certificates: it isn't built into the client currently in use (CapacitorHTTP), and although there is a plugin that can add this support, it seems it's not easy to add into the app.
So the solution I am working towards is redirecting the requests into the Kotlin code via a custom Capacitor plugin. This will allow the Vue code to detect the presence of the plugin and thus gain the ability to reroute requests via Kotlin. For iOS this plugin won't exist and the Vue code will fall back to the existing clients without mTLS support.
Comments and suggestions are welcome. I'm not a native app developer, so I'm bumbling through this a lot with trial and error.
How have you tested this?
TBD