Skip to content

[Android] Allow using installed certificates for client authentication in SslStream#103337

Merged
simonrozsival merged 13 commits intodotnet:mainfrom
simonrozsival:android-sslstream-support-keystore-privatekeyentry
Jun 19, 2024
Merged

[Android] Allow using installed certificates for client authentication in SslStream#103337
simonrozsival merged 13 commits intodotnet:mainfrom
simonrozsival:android-sslstream-support-keystore-privatekeyentry

Conversation

@simonrozsival
Copy link
Member

@simonrozsival simonrozsival commented Jun 12, 2024
edited
Loading

Closes #99874

This PR adds the possibility to use certificates with non-exportable private keys installed on an Android device for client authentication in SslStream/SocketsHttpHandler.

The inspiration for these changes comes from AppleCertificatePal where we allow passing in either SecCertificate or SecIdentity via the IntPtr constructor. The Android IntPtr constructor will now accept not only handles of java.security.cert.X509Certificate, but also of java.security.KeyStore.PrivateKeyEntry. This will allow the developer to pass in certificates with non-exportable private keys and use them for client authentication (see the linked issue for an example usage with KeyChain.ChoosePrivateKeyAlias).

To implement this feature, it is necessary to introduce new Java class net.dot.android.crypto.DotnetX509KeyManager. This will require follow-up work in the .NET for Android SDK code to adjust the ProGuard configuration (https://github.com/xamarin/xamarin-android/blob/7e67d2c241e561b05065f2a57ddf59093f74de58/src/Xamarin.Android.Build.Tasks/Resources/proguard_xamarin.cfg#L29).

As a follow-up to this PR, we should introduce new APIs to the Android.Security.KeyChain class in the dotnet/android repository. This will allow the developers to avoid using this low level IntPtr constructor.

/cc @karelz @vitek-karas @grendello @filipnavara @dotMorten

@ghost ghost added the area-System.Security label Jun 12, 2024
@simonrozsival simonrozsival marked this pull request as draft June 12, 2024 11:57
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jun 12, 2024

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 12, 2024

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jun 12, 2024

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jun 12, 2024
Open
Closed
Closed
@dotMorten
Copy link

dotMorten commented Jun 13, 2024

@simonrozsival Thank you for working on this! Very exciting. What's the easiest way for me to test this with our various PKI tests on Android?

@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 14, 2024

@dotMorten I'm not sure if there's an easy way to do it, you'll need to jump through a few hoops:

  1. build the code in this branch, you can follow https://github.com/dotnet/runtime/blob/main/docs/workflow/building/mono/README.md (alternatively I could send you the prebuilt nupkgs directly if you're OK with that, you can reach out to me via email or discord)
  2. add the local nupkg source to your MAUI app via NuGet.config
  3. follow this guide to use your locally built dev version of the runtimepack: https://github.com/xamarin/xamarin-android/blob/main/Documentation/workflow/DevelopmentTips.md?plain=1#L432
  4. use the new ctor as it's shown in the issue or in the new unit test in this PR

@simonrozsival @akoeplinger
Update src/libraries/Common/tests/TestUtilities/System/AndroidKeyStor…
35690e1 
…eHelper.cs

Co-authored-by: Alexander Köplinger <alex.koeplinger@outlook.com>
This was referenced Jun 14, 2024
Closed
Closed
Closed
Closed
Open
@dotMorten
Copy link

dotMorten commented Jun 14, 2024
edited
Loading

I tried this change, and it indeed addresses the issue for us without our test server and certificates. Nice work @simonrozsival (and thanks for helping getting it running).
🚢 it

@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 14, 2024

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jun 14, 2024

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jun 18, 2024
Open
Closed
@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 19, 2024

The failing tests in runtime-extra-platforms are known and unrelated (#103472)

akoeplinger
akoeplinger approved these changes Jun 19, 2024
View reviewed changes
Copy link
Member

@akoeplinger akoeplinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, a couple comments but I'm fine if we address them in a follow-up PR

@vcsjones vcsjones mentioned this pull request Jun 19, 2024
Merged
vcsjones
vcsjones reviewed Jun 19, 2024
View reviewed changes
@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 19, 2024

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jun 19, 2024

Azure Pipelines successfully started running 1 pipeline(s).

jonathanpeppers pushed a commit to dotnet/android that referenced this pull request Jun 19, 2024
@vcsjones @akoeplinger
[r8] update proguard rule to keep .NET runtime classes (#9044)
cbfb56d 
Context: dotnet/runtime#103016
Context: dotnet/runtime#103337

In dotnet/runtime we are adding a few more Java classes to assist with
.NET crypto. One was added in dotnet/runtime#103016, and another may
be added in dotnet/runtime#103337.

This PR changes ProGuard to keep all of the classes in this package
rather than individually adding them.

Co-authored-by: Alexander Köplinger <alex.koeplinger@outlook.com>
@build-analysis build-analysis bot mentioned this pull request Jun 19, 2024
Closed
@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 19, 2024

Failing runtime-extra-platforms tests are unrelated

wfurt
wfurt approved these changes Jun 19, 2024
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Would X509Certificate2.HasPrivateKey return right value?

@vcsjones
Copy link
Member

vcsjones commented Jun 19, 2024

Would X509Certificate2.HasPrivateKey return right value?

That is asserted here:

runtime/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ClientCertificates.cs

Line 222 in 49663a6

Assert.True(clientCertificate.HasPrivateKey);

And the Android X.509 PAL changes look sensible.

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AndroidCertificatePal.cs

Line 181 in 49663a6

public bool HasPrivateKey => _privateKey is not null || _keyStorePrivateKeyEntry is not null;

@simonrozsival
Copy link
Member Author

simonrozsival commented Jun 19, 2024

@wfurt yes, the AndroidCertificatePal class will return the right value whether it's created the previously existing way or the new way with KeyStore.PrivateKeyEntry.

@simonrozsival simonrozsival merged commit 83031f1 into dotnet:main Jun 19, 2024
@simonrozsival simonrozsival mentioned this pull request Jun 20, 2024
Merged
akoeplinger
akoeplinger reviewed Jun 21, 2024
View reviewed changes
...aries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.X509.cs
return encoded;
}
[LibraryImport(Libraries.AndroidCryptoNative, EntryPoint = "AndroidCryptoNative_X509IsKeyStorePrivateKeyEntry")]
[return: MarshalAs(UnmanagedType.U1)]
Copy link
Member

@akoeplinger akoeplinger Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simonrozsival the native code returns int32_t here so we should change this to UnmanagedType.Bool (4 bytes), or change the native code to use a C bool which is 1 byte. We seem to be using both variants in the Android crypto imports...

Copy link
Member

@vcsjones vcsjones Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least in the Linux and MacOS Desktop PALs, we try to use int32_t and not a C bool since there is no guarantee by the C standard that it is exactly one byte.

Copy link
Member Author

@simonrozsival simonrozsival Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, thanks for pointing that out!

Copy link
Member Author

@simonrozsival simonrozsival Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#103825

@simonrozsival simonrozsival mentioned this pull request Jun 21, 2024
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Jul 23, 2024
@karelz karelz added this to the 9.0.0 milestone Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@vcsjones vcsjones vcsjones approved these changes

@akoeplinger akoeplinger akoeplinger approved these changes

@wfurt wfurt wfurt approved these changes

@bartonjs bartonjs Awaiting requested review from bartonjs

Assignees

@simonrozsival simonrozsival

Labels

area-System.Security os-android

Projects

None yet

Milestone

9.0.0

Development

Successfully merging this pull request may close these issues.

Android: Installed X509 certificates can't be used with SSL authentication

6 participants

@simonrozsival @dotMorten @vcsjones @akoeplinger @wfurt @karelz