Support specifying a client certificate for mTLS auth (#458)

* feat: collect and save client certificate * feat: use client certificate for Retrofit, Glide and ExoPlayer --------- Co-authored-by: eddyizm <eddyizm@gmail.com>
2026-04-15 08:17:26 +00:00 · 2026-02-27 06:20:01 +01:00 · 2026-02-27 06:20:01 +01:00 · aa5d0f92db
commit aa5d0f92db
parent 3ba2255205
12 changed files with 1335 additions and 10 deletions
--- a/app/schemas/com.cappielloantonio.tempo.database.AppDatabase/14.json
+++ b/app/schemas/com.cappielloantonio.tempo.database.AppDatabase/14.json
--- a/app/src/main/java/com/cappielloantonio/tempo/App.java
+++ b/app/src/main/java/com/cappielloantonio/tempo/App.java
@ -11,6 +11,7 @@ import com.cappielloantonio.tempo.github.Github;
 import com.cappielloantonio.tempo.helper.ThemeHelper;
 import com.cappielloantonio.tempo.subsonic.Subsonic;
 import com.cappielloantonio.tempo.subsonic.SubsonicPreferences;
+import com.cappielloantonio.tempo.util.ClientCertManager;
 import com.cappielloantonio.tempo.util.Preferences;

 public class App extends Application {
@ -31,6 +32,8 @@ public class App extends Application {
        instance = new App();
        context = getApplicationContext();
        preferences = PreferenceManager.getDefaultSharedPreferences(context);
+
+        ClientCertManager.setupSslSocketFactory(context);
    }

    public static App getInstance() {
--- a/app/src/main/java/com/cappielloantonio/tempo/database/AppDatabase.java
+++ b/app/src/main/java/com/cappielloantonio/tempo/database/AppDatabase.java
@ -30,9 +30,13 @@ import com.cappielloantonio.tempo.subsonic.models.Playlist;

@UnstableApi
@Database(
-        version = 13,
+        version = 14,
        entities = {Queue.class, Server.class, RecentSearch.class, Download.class, Chronology.class, Favorite.class, SessionMediaItem.class, Playlist.class, LyricsCache.class},
-        autoMigrations = {@AutoMigration(from = 10, to = 11), @AutoMigration(from = 11, to = 12)}
+        autoMigrations = {
+                @AutoMigration(from = 10, to = 11),
+                @AutoMigration(from = 11, to = 12),
+                @AutoMigration(from = 13, to = 14),
+        }
 )
@TypeConverters({DateConverters.class})
 public abstract class AppDatabase extends RoomDatabase {
--- a/app/src/main/java/com/cappielloantonio/tempo/model/Server.kt
+++ b/app/src/main/java/com/cappielloantonio/tempo/model/Server.kt
@ -2,7 +2,6 @@ package com.cappielloantonio.tempo.model

 import android.os.Parcelable
 import androidx.annotation.Keep
-import androidx.annotation.Nullable
 import androidx.room.ColumnInfo
 import androidx.room.Entity
 import androidx.room.PrimaryKey
@ -35,5 +34,8 @@ data class Server(
    val timestamp: Long,

    @ColumnInfo(name = "low_security", defaultValue = "false")
-    val isLowSecurity: Boolean
+    val isLowSecurity: Boolean,
+
+    @ColumnInfo(name = "client_cert")
+    val clientCert: String?,
 ) : Parcelable
--- a/app/src/main/java/com/cappielloantonio/tempo/subsonic/RetrofitClient.kt
+++ b/app/src/main/java/com/cappielloantonio/tempo/subsonic/RetrofitClient.kt
@ -3,6 +3,7 @@ package com.cappielloantonio.tempo.subsonic
 import com.cappielloantonio.tempo.App
 import com.cappielloantonio.tempo.subsonic.utils.CacheUtil
 import com.cappielloantonio.tempo.subsonic.utils.EmptyDateTypeAdapter
+import com.cappielloantonio.tempo.util.ClientCertManager
 import com.google.gson.GsonBuilder
 import okhttp3.Cache
 import okhttp3.OkHttpClient
@ -13,7 +14,7 @@ import java.util.Date
 import java.util.concurrent.TimeUnit

 class RetrofitClient(subsonic: Subsonic) {
-    var retrofit: Retrofit
+    val retrofit: Retrofit

    init {
        val gson = GsonBuilder()
@ -50,6 +51,7 @@ class RetrofitClient(subsonic: Subsonic) {
            .addInterceptor(cacheUtil.offlineInterceptor)
            // .addNetworkInterceptor(cacheUtil.onlineInterceptor)
            .cache(getCache())
+            .setupSsl()
            .build()
    }

@ -63,4 +65,11 @@ class RetrofitClient(subsonic: Subsonic) {
        val cacheSize = 10 * 1024 * 1024
        return Cache(App.getContext().cacheDir, cacheSize.toLong())
    }
+
+    private fun OkHttpClient.Builder.setupSsl(): OkHttpClient.Builder {
+        ClientCertManager.sslSocketFactory?.let { sslSocketFactory ->
+            sslSocketFactory(sslSocketFactory, ClientCertManager.trustManager)
+        }
+        return this
+    }
 }
--- a/app/src/main/java/com/cappielloantonio/tempo/ui/activity/MainActivity.java
+++ b/app/src/main/java/com/cappielloantonio/tempo/ui/activity/MainActivity.java
@ -2,7 +2,9 @@ package com.cappielloantonio.tempo.ui.activity;

 import android.content.Context;
 import android.content.Intent;
+import android.content.IntentFilter;
 import android.content.res.Configuration;
+import android.graphics.Rect;
 import android.content.IntentFilter;
 import android.net.ConnectivityManager;
 import android.net.NetworkInfo;
@ -24,8 +26,8 @@ import androidx.fragment.app.FragmentManager;
 import androidx.lifecycle.ViewModelProvider;
 import androidx.media3.common.MediaItem;
 import androidx.media3.common.MediaMetadata;
-import androidx.media3.common.Player;
 import androidx.media3.common.MimeTypes;
+import androidx.media3.common.Player;
 import androidx.media3.common.util.UnstableApi;
 import androidx.navigation.NavController;
 import androidx.navigation.fragment.NavHostFragment;
@ -448,6 +450,7 @@ public class MainActivity extends BaseActivity {
        Preferences.setServer(null);
        Preferences.setLocalAddress(null);
        Preferences.setUser(null);
+        Preferences.setClientCert(null);

        // TODO Enter all settings to be reset
        Preferences.setOpenSubsonic(false);
--- a/app/src/main/java/com/cappielloantonio/tempo/ui/dialog/ServerSignupDialog.java
+++ b/app/src/main/java/com/cappielloantonio/tempo/ui/dialog/ServerSignupDialog.java
@ -2,8 +2,8 @@ package com.cappielloantonio.tempo.ui.dialog;

 import android.app.Dialog;
 import android.os.Bundle;
+import android.security.KeyChain;
 import android.text.TextUtils;
-import android.view.View;
 import android.widget.Toast;

 import androidx.annotation.NonNull;
@ -32,11 +32,21 @@ public class ServerSignupDialog extends DialogFragment {
    private String server;
    private String localAddress;
    private boolean lowSecurity = false;
+    private String clientCertAlias;

    @NonNull
    @Override
    public Dialog onCreateDialog(Bundle savedInstanceState) {
        bind = DialogServerSignupBinding.inflate(getLayoutInflater());
+        bind.clientCertTextView.setOnClickListener(v -> {
+            if (TextUtils.isEmpty(bind.clientCertTextView.getText())) {
+                KeyChain.choosePrivateKeyAlias(requireActivity(), alias -> {
+                    bind.clientCertTextView.setText(alias);
+                }, null, null, null, null);
+            } else {
+                bind.clientCertTextView.setText(null);
+            }
+        });

        loginViewModel = new ViewModelProvider(requireActivity()).get(LoginViewModel.class);

@ -74,6 +84,7 @@ public class ServerSignupDialog extends DialogFragment {
                bind.serverTextView.setText(loginViewModel.getServerToEdit().getAddress());
                bind.localAddressTextView.setText(loginViewModel.getServerToEdit().getLocalAddress());
                bind.lowSecurityCheckbox.setChecked(loginViewModel.getServerToEdit().isLowSecurity());
+                bind.clientCertTextView.setText(loginViewModel.getServerToEdit().getClientCert());
            }
        } else {
            loginViewModel.setServerToEdit(null);
@ -106,6 +117,7 @@ public class ServerSignupDialog extends DialogFragment {
        server = bind.serverTextView.getText() != null && !bind.serverTextView.getText().toString().trim().isBlank() ? bind.serverTextView.getText().toString().trim() : null;
        localAddress = bind.localAddressTextView.getText() != null && !bind.localAddressTextView.getText().toString().trim().isBlank() ? bind.localAddressTextView.getText().toString().trim() : null;
        lowSecurity = bind.lowSecurityCheckbox.isChecked();
+        clientCertAlias = bind.clientCertTextView.getText() != null && !bind.clientCertTextView.getText().toString().trim().isBlank() ? bind.clientCertTextView.getText().toString().trim() : null;

        if (TextUtils.isEmpty(serverName)) {
            bind.serverNameTextView.setError(getString(R.string.error_required));
@ -137,6 +149,6 @@ public class ServerSignupDialog extends DialogFragment {

    private void saveServerPreference() {
        String serverID = loginViewModel.getServerToEdit() != null ? loginViewModel.getServerToEdit().getServerId() : UUID.randomUUID().toString();
-        loginViewModel.addServer(new Server(serverID, this.serverName, this.username, this.password, this.server, this.localAddress, System.currentTimeMillis(), this.lowSecurity));
+        loginViewModel.addServer(new Server(serverID, this.serverName, this.username, this.password, this.server, this.localAddress, System.currentTimeMillis(), this.lowSecurity, this.clientCertAlias));
    }
 }
--- a/app/src/main/java/com/cappielloantonio/tempo/ui/fragment/LoginFragment.java
+++ b/app/src/main/java/com/cappielloantonio/tempo/ui/fragment/LoginFragment.java
@ -117,7 +117,7 @@ public class LoginFragment extends Fragment implements ClickCallback {
    @Override
    public void onServerClick(Bundle bundle) {
        Server server = bundle.getParcelable("server_object");
-        saveServerPreference(server.getServerId(), server.getAddress(), server.getLocalAddress(), server.getUsername(), server.getPassword(), server.isLowSecurity());
+        saveServerPreference(server.getServerId(), server.getAddress(), server.getLocalAddress(), server.getUsername(), server.getPassword(), server.isLowSecurity(), server.getClientCert());

        SystemRepository systemRepository = new SystemRepository();
        systemRepository.checkUserCredential(new SystemCallback() {
@ -142,13 +142,14 @@ public class LoginFragment extends Fragment implements ClickCallback {
        dialog.show(activity.getSupportFragmentManager(), null);
    }

-    private void saveServerPreference(String serverId, String server, String localAddress, String user, String password, boolean isLowSecurity) {
+    private void saveServerPreference(String serverId, String server, String localAddress, String user, String password, boolean isLowSecurity, String clientCert) {
        Preferences.setServerId(serverId);
        Preferences.setServer(server);
        Preferences.setLocalAddress(localAddress);
        Preferences.setUser(user);
        Preferences.setPassword(password);
        Preferences.setLowSecurity(isLowSecurity);
+        Preferences.setClientCert(clientCert);

        App.getSubsonicClientInstance(true);
    }
@ -161,6 +162,7 @@ public class LoginFragment extends Fragment implements ClickCallback {
        Preferences.setToken(null);
        Preferences.setSalt(null);
        Preferences.setLowSecurity(false);
+        Preferences.setClientCert(null);

        App.getSubsonicClientInstance(true);
    }
--- a/app/src/main/java/com/cappielloantonio/tempo/util/ClientCertManager.kt
+++ b/app/src/main/java/com/cappielloantonio/tempo/util/ClientCertManager.kt
@ -0,0 +1,95 @@
+package com.cappielloantonio.tempo.util
+
+import android.content.Context
+import android.security.KeyChain
+import android.util.Log
+import androidx.core.net.toUri
+import okhttp3.internal.platform.Platform
+import java.net.Socket
+import java.security.KeyManagementException
+import java.security.NoSuchAlgorithmException
+import java.security.Principal
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.X509KeyManager
+
+object ClientCertManager {
+
+    private const val TAG = "ClientCertManager"
+
+    val trustManager = Platform.get().platformTrustManager()
+    var sslSocketFactory: SSLSocketFactory? = null
+        private set
+
+    @JvmStatic
+    fun setupSslSocketFactory(context: Context) {
+        sslSocketFactory = createSslSocketFactory(context)
+        sslSocketFactory?.let {
+            // HttpsURLConnection is used both by:
+            // - Glide: in IPv6StringLoader
+            // - ExoPlayer: in DefaultHttpDataSource
+            HttpsURLConnection.setDefaultSSLSocketFactory(it)
+        }
+    }
+
+    private fun createSslSocketFactory(context: Context): SSLSocketFactory? {
+        return try {
+            val clientKeyManager = object : X509KeyManager {
+                override fun getClientAliases(keyType: String?, issuers: Array<Principal>?) = null
+
+                override fun chooseClientAlias(
+                    keyType: Array<String>?,
+                    issuers: Array<Principal>?,
+                    socket: Socket?
+                ): String? {
+                    val clientCert = Preferences.getClientCert() ?: return null
+                    val server = Preferences.getServer() ?: return null
+                    return if (server.toUri().host == socket?.inetAddress?.hostName) {
+                        clientCert
+                    } else null
+                }
+
+                override fun getServerAliases(keyType: String?, issuers: Array<Principal>?) = null
+
+                override fun chooseServerAlias(
+                    keyType: String?,
+                    issuers: Array<Principal>?,
+                    socket: Socket?
+                ) = null
+
+                override fun getCertificateChain(alias: String?): Array<X509Certificate>? {
+                    val clientCert = Preferences.getClientCert()
+                    return if (alias == clientCert && clientCert != null) {
+                        KeyChain.getCertificateChain(
+                            context,
+                            clientCert
+                        )
+                    } else null
+                }
+
+                override fun getPrivateKey(alias: String?): PrivateKey? {
+                    val clientCert = Preferences.getClientCert()
+                    return if (alias == clientCert && clientCert != null) {
+                        KeyChain.getPrivateKey(
+                            context,
+                            clientCert
+                        )
+                    } else null
+                }
+            }
+
+            val sslContext = SSLContext.getInstance("TLS")
+            sslContext.init(arrayOf(clientKeyManager), arrayOf(trustManager), null)
+            sslContext.socketFactory
+        } catch (e: NoSuchAlgorithmException) {
+            Log.e(TAG, "Failed setting mTLS", e)
+            null
+        } catch (e: KeyManagementException) {
+            Log.e(TAG, "Failed setting mTLS", e)
+            null
+        }
+    }
+}
--- a/app/src/main/java/com/cappielloantonio/tempo/util/Preferences.kt
+++ b/app/src/main/java/com/cappielloantonio/tempo/util/Preferences.kt
@ -16,6 +16,7 @@ object Preferences {
    private const val TOKEN = "token"
    private const val SALT = "salt"
    private const val LOW_SECURITY = "low_security"
+    private const val CLIENT_CERT = "client_cert"
    private const val BATTERY_OPTIMIZATION = "battery_optimization"
    private const val SERVER_ID = "server_id"
    private const val OPEN_SUBSONIC = "open_subsonic"
@ -173,6 +174,16 @@ object Preferences {
        App.getInstance().preferences.edit().putBoolean(LOW_SECURITY, isLowSecurity).apply()
    }

+    @JvmStatic
+    fun getClientCert(): String? {
+        return App.getInstance().preferences.getString(CLIENT_CERT, null)
+    }
+
+    @JvmStatic
+    fun setClientCert(clientCert: String?) {
+        App.getInstance().preferences.edit().putString(CLIENT_CERT, clientCert).apply()
+    }
+
    @JvmStatic
    fun getServerId(): String? {
        return App.getInstance().preferences.getString(SERVER_ID, null)
--- a/app/src/main/res/layout/dialog_server_signup.xml
+++ b/app/src/main/res/layout/dialog_server_signup.xml
@ -129,6 +129,25 @@
                android:layout_marginStart="24dp"
                android:layout_marginEnd="24dp"
                android:text="@string/server_signup_dialog_action_low_security" />
+
+            <com.google.android.material.textfield.TextInputLayout
+                style="@style/Widget.Material3.TextInputLayout.OutlinedBox"
+                android:id="@+id/client_cert_text_input_layout"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_marginStart="24dp"
+                android:layout_marginEnd="24dp"
+                android:textColorHint="?android:textColorHint">
+
+                <com.google.android.material.textfield.TextInputEditText
+                    android:id="@+id/client_cert_text_view"
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content"
+                    android:focusableInTouchMode="false"
+                    android:hint="@string/server_signup_dialog_hint_client_certificate"
+                    android:inputType="textNoSuggestions"
+                    android:textCursorDrawable="@null" />
+            </com.google.android.material.textfield.TextInputLayout>
        </LinearLayout>
    </androidx.core.widget.NestedScrollView>
 </androidx.constraintlayout.widget.ConstraintLayout>
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@ -322,6 +322,7 @@
    <string name="server_signup_dialog_hint_password">Password</string>
    <string name="server_signup_dialog_hint_url">Server URL</string>
    <string name="server_signup_dialog_hint_username">Username</string>
+    <string name="server_signup_dialog_hint_client_certificate">Client certificate (optional)</string>
    <string name="server_signup_dialog_negative_button">Cancel</string>
    <string name="server_signup_dialog_neutral_button">Delete</string>
    <string name="server_signup_dialog_positive_button">Save</string>