Security: Add mTLS client certificate support

[paolostivanin]

Allow users to present a client certificate for mutual TLS authentication (e.g. Cloudflare mTLS). Uses Android KeyChain API so users pick from certificates already installed on device.

Tested on my device (OnePlus 13R) with Android 16. My setup is: Cloudflare (with mTLS) -> NPM -> homelab

I've installed the opencloudApp/build/outputs/apk/qa/debug/OpenCloud_1.2.1-qa-debug.apk on my device and with this is version and the certificate selected I can browse my data, with upstream's version sync and browsing fail (as expected).

I've been using this debug apk for a few days now and I have not faced any issues.

Please note that I am NOT an Android developer, so please review the changes carefully for any mistake I might have made 😃

[guruz]

Thank you for the PR, looks small enough to merge.

However: Did you see @michaelstingl 's proposal here: https://github.com/orgs/opencloud-eu/discussions/819#discussioncomment-13102292

[paolostivanin]

hello!

Yes, I saw that discussion but as opencloud-eu/opencloud#819 (reply in thread) pointed out, this is a different use case compared to the IdP mTLS 😃

[paolostivanin]

hello :) is there any more feedback about this PR? Thanks

[guruz]

@paolostivanin I will have a look for 1.3.0 :)

[paolostivanin]

@paolostivanin I will have a look for 1.3.0 :)

thanks a lot, much appreciated 😄

[GIT-MarkBowman]

Built and sideloaded on my Samsung Galaxy S22 on Android 16; using CF Zero Trust and tunnel --> caddy --> Opencloud with Authentik OIDC. I'll post any issues I have.

[guruz]

@paolostivanin Thank you, what are the changes from before?

[paolostivanin]

@paolostivanin Thank you, what are the changes from before?

Just a rebase against latest master, I saw that there was a merge conflict.

[paolostivanin]

Did a self-review pass and pushed an amended commit (17494d509) addressing several issues I caught:

Bug fix

• Cancelling the certificate picker no longer silently clears the cert and disables mTLS in the underlying store while leaving the checkbox visually "on". Cancel is now a no-op, preserving the existing selection.

Architecture cleanups

• Single source of truth for storage: dropped the custom mtls_prefs file. enable_mtls and the alias both live in the default SharedPreferences (same store CheckBoxPreference writes to), so the two can't drift out of sync.
• SettingsSecurityViewModel no longer takes Context parameters — alias get/set/clear go through the existing SharedPreferencesProvider. Matches the pattern the rest of the security settings already use.
• Added viewModel.invalidateHttpClients() so the Fragment doesn't reach into SingleSessionManager directly.
• Converted ClientCertificateManager from Java to a Kotlin object (project convention for new code).
• HttpClient.getOkHttpClient() and invalidate() are now synchronized — closes the race window introduced by allowing invalidation from another thread.

UX

• Toggling mTLS on with no cert saved now auto-launches the picker. If the user cancels, the checkbox reverts so prefs and UI stay consistent.

Misc

• -1 port magic literal replaced with named KEYCHAIN_NO_PORT constant.
• Removed unused prefs_mtls_cert_removed string.
• Trailing newline on settings_security.xml.

Verified locally with ./gradlew :opencloudComLibrary:compileDebug* :opencloudApp:compileQaDebug* :opencloudApp:testQaDebugUnitTest - all green, existing SettingsSecurityViewModelTest still passes.

Functionality is unchanged from what I described in the PR body; still tested on my own setup (Cloudflare mTLS → NPM → homelab).

[guruz]

Thanks for updating.

Linking iOS UI (functionality not existing yet for the cert part) -> opencloud-eu/ios#59 (comment)

[paolostivanin]

hello!

small update: I reworked the mTLS part so that the client certificate is now per-account instead of a single global setting.

the old version applied the same cert to every account/host, which didn't really make much sense if you have multiple accounts on different servers. so now each account gets its own cert:

• the alias is stored in the account's AccountManager userData, so it's automatically removed together with the account
• you pick the cert at login time through the Android KeyChain picker, so you can reach a server that's behind mTLS for the initial server-check/login, before the account even exists
• you can set / change / remove the cert per account from the Manage Accounts dialog
• it's re-resolved on every request so a change takes effect right away (idle connections get evicted on change too)

I also dropped the old global mTLS toggle from Settings > Security since it's not needed anymore.

tested again on my own setup (Cloudflare mTLS -> NPM -> homelab) and everything works for me. as usual I'm NOT an Android dev, so please review carefully in case I did something silly.

[guruz]

Thank you!
I think this is mostly mergeable.

My only request would be to make the certificate setting a less promiment option (could be confusing users making them think it's mandatory or so) in the wizard, e.g. maybe hide it behind a "Connection..." label/button like in iOS. And that button would bring up the small menu like you have for Manage Accounts with just a single entry "Set client certificate".

^ And if you use the "certificate (MTLS)" there it should also be called "certificate (MTLS)" in the Manage Accounts.

Compare to wizard in iOS "Connection...":
opencloud-eu/ios#59 (comment)