Client Certificates on Android

tlussnig · August 21, 2016, 10:08am

I try to get an SSL Mutual authentification working on Android.
The problem is with < keygen>:

Chrome show high and medium grade but does not send an public key back to the server.
Firefox generate the key but does not offer an certificate management in android
Any ideas how to work around it ?

Osiris · August 21, 2016, 10:18am

What do you exactly mean with “SSL Mutual authentification”? Just ‘normal’ client authentication with certificates? Or something else?

What do you exactly mean with “<keygen>”? What implementation are you using? “High and medium grade”?

So, no, with this limited amount of information I don’t have any idea how to work around it Client authentication isn’t that difficult with Android/Apache, but I’m not sure you’re meaning that.

tlussnig · August 21, 2016, 10:58am

Yes. with mutual i mean the “normal” client authentification. Since “normaly” only the server identifys himself.
Thats why i did not use the wording normal.

<keygen> is an HTML tag that is HTML5 standard and tel the client to generate an key and send the public part together with an signed challenge.

Now there are two problems:
(1) there is no way to export/view/delete certificates in mozilla mobile.
(2) chrome show the expected GRade selection for the key but does not generate the keypair or at least does not tsend the public key back to the server.

Osiris · August 21, 2016, 12:02pm

Interesting tag.. Also:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen

There is currently discussion among Web browser makers whether to keep this feature or not. Until a decision is reached, it is better to continue to consider this feature as deprecated and going away.

Chrome for Android: (Yes) [1]
[1]: Deprecated in Chrome 49.

(Also for the Desktop Chrome).

Don't know if there's an alternative.

tlussnig · August 21, 2016, 2:22pm

Hm, interesting that they like to discontinue such an essential part. I can only think that there will be more than only some stupid people that let the server generate the private key and use it if there is no browser support for client private key anymore. And only because crawler does not see the tag is no reason since it is often used inside private parts of the web that are password protected.

Osiris · August 21, 2016, 2:46pm

There’s apparently an JavaScript based alternative, named WebCrypto.

tlussnig · August 23, 2016, 9:01am

Thanks for the hint.
With WebCrypto and asn1js i was able to replace the keygen funktionalitiy for creating the certificate.

Now i try to use pkijs to build an p12 container file containing key and certificate.

Than the only question is how do i get this from the browser imported into android truststore
Without requiring the user to leave the browser.

system · September 22, 2016, 9:01am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.