Android: Installed X509 certificates can't be used with SSL authentication

[dotMorten]

Description

On Android when using the SocketsHttpHandler with X509 Client certificates to PKI authenticate with a server, you can only use certificates with a private key coming from a file. When using the more correct and secure way of only using certificates installed in the keychain authentication fails, because the SocketsHttpHandler wants direct access to the private key instead of using the Java APIs to authenticate.

Reproduction Steps

Reproduction steps are a little tricky since they require a server that requires PKI authentication, and a certificate installed on the users device. I'm going to assume you have this here.

           Uri uri = new Uri("https://mypkiserver/index.html");
            var handler = new SocketsHttpHandler();
            var tcs = new TaskCompletionSource<X509Certificate2>();
            Android.Security.KeyChain.ChoosePrivateKeyAlias(Platform.CurrentActivity!, response: new KeyChainAliasCallback(tcs),
                new String[] { Android.Security.Keystore.KeyProperties.KeyAlgorithmRsa, "DSA" }, // List of acceptable key types. null for any
                null,                        // issuer, null for any
                null,                        // host name of server requesting the cert, null if unavailable
                -1,                          // port of server requesting the cert, -1 if unavailable
                "");
            certificate = await tcs.Task;
            if (certificate != null)
                handler.SslOptions.ClientCertificates = new X509Certificate2Collection(certificate); 

            using var client = new HttpClient(handler);
            var response = await client.GetAsync(infoUri); //will usually throw if certificate can't be used
            response = response.EnsureSuccessStatusCode();

KeyChainAliasCallback.cs responsible for letting the user pick an installed certificate:

    public class KeyChainAliasCallback : Java.Lang.Object, Android.Security.IKeyChainAliasCallback
    {
        private readonly TaskCompletionSource<X509Certificate2?> _tcs;
        public KeyChainAliasCallback(TaskCompletionSource<X509Certificate2?> tcs)
        {
            _tcs = tcs;
        }

        void Android.Security.IKeyChainAliasCallback.Alias(string? alias)
        {
            if (alias != null)
            {
                var certificateChain = Android.Security.KeyChain.GetCertificateChain(Platform.CurrentActivity!, alias!);
                if (certificateChain != null && certificateChain.Length > 0)
                {
                    X509Certificate2 certificate = new(certificateChain[0].Handle);
                    _tcs.TrySetResult(certificate);
                }
            }
            _tcs.TrySetResult(null);
        }
    }

Expected behavior

Certificates used from the keychain where the private key isn't directly accessible will work.

Actual behavior

Fails to authenticate.

Regression?

No response

Known Workarounds

None

Configuration

No response

Other information

Related issue: #45741 (comment)

This is a blocker for larger enterprises since they can't use their secured services with the level of security they require. Using file-based certificates in-app with the full exportable private key just isn't acceptable to them.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[dotMorten]

@simonrozsival Any update on this? We have quite a few customers who are not able to use our products because they can't authenticate with their servers using device-installed certificates.

[simonrozsival]

@dotMorten I haven't had time to look into this issue yet, but I will triage it later this week.

[simonrozsival]

I looked into the current capabilities and if I understand it correctly, the way we implement client certificates in the SocketsHttpHandler/SslStream doesn't support this workflow with aliases. Maybe @elinor-fung knows more.

I also looked into how one could implement this with the AndroidMessageHandler by overriding the ConfigureKeyStore or ConfigureKeyManagerFactory and I wasn't able to get it working either. It shouldn't be hard to add support for this flow into AndroidMessageHandler though. Maybe we could do that while adding fixing dotnet/android#7274.

[dotMorten]

The AndroidMessageHandler has a number of limitations that makes it really inconvenient to use, like weird pre-authenticate issues, frequent crashes in the send request when it suddenly decides to close the socket, and based on an old Java implementation.

I would expect the certificate handling sits all the way down at the socket level which is also using the java apis, so I would expect to be able to use the installed certificates: https://github.com/dotnet/runtime/blob/b194416ea68e2d1c93a91fc7abf80eb2607b4831/src/native/libs/System.Security.Cryptography.Native.Android/pal_sslstream.c

[simonrozsival]

The AndroidMessageHandler has a number of limitations that makes it really inconvenient to use, like weird pre-authenticate issues, frequent crashes in the send request when it suddenly decides to close the socket, and based on an old Java implementation.

Yes, I understand why you would prefer SocketsHttpHandler over the native one.

I would expect the certificate handling sits all the way down at the socket level which is also using the java apis, so I would expect to be able to use the installed certificates: ...

You're right, there's no reason why we couldn't implement it in the Java/JNI code. The problem I see at the moment is that there isn't a good way to pass the alias all the way down to pal_sslstream.c through existing .NET APIs. I'm currently looking into ways which we could extend the implementation without introducing a new (platform specific) API.

[jonathanpeppers]

Looking at the code example above, I don't think passing a Java.Lang.Object.Handle into here would work:

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs

Line 118 in e377f16

public X509Certificate2(IntPtr handle)

Maybe it doesn't throw an exception? But this would be a handle to a Java object instance, and X509Certificate2 wouldn't know what to do with that.

Is there a way to use the X509Certificate2 byte[] or string fileName constructors instead?

[dotMorten]

@jonathanpeppers it does work. I get all the properties reporting the correct values so seems fine.
Problem with using byte[] is you'll not have the private key. That's the entire reason why we need the platform certificate which is able to handle the encryption since the certificates by design aren't exportable

[simonrozsival]

I was thinking if it might make sense to allow this constructor to be a "file path or alias" on Android. While technically it would be definitely possible, it's probably not a good idea:

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs

Line 129 in e377f16

public X509Certificate2(string fileName)

It might be better to explore if some of the X509Store APIs map to the android KeyChain more closely:

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509store.-ctor?view=net-8.0#system-security-cryptography-x509certificates-x509store-ctor(system-string-system-security-cryptography-x509certificates-storelocation)