certificate chooser broken in Android 10/11

mbiebl

When trying to use the Advanced option and certificates, I’m unable to actually choose a certificate with Android 10 and 11
See the following screencasts

Android 11
davx5-certificate-android11.webm

Android 10
davx5-certificate-android10.webm

The same works on Android 9
davx5-certificate-android9.webm

rfc2822

And when there is a certificate installed? The button only calls KeyChain.choosePrivateKeyAlias as documented here: https://developer.android.com/reference/android/security/KeyChain

Maybe they have just removed the possibility to add a certificate from there?

rfc2822

Android 10 introduce some changes to this call: https://developer.android.com/work/versions/android-10#keychain_improvements

I guess it’s related to that and when there is no certificate, the popup doesn’t appear at all. Can someone test that?

mbiebl

I can confirm that.
If I install a client certificate in advance, the certificate chooser works.

mbiebl

@rfc2822 said in certificate chooser broken in Android 10/11:

I guess it’s related to that and that when there is no certificate, the popup doesn’t appear at all. Can someone test that?

What’s confusing is, that I get this flash, where a dialog appears to pop up quickly but immediately closes again. That doesn’t look right.

rfc2822

Ok thanks… at least it’s still working when there is a certificate. So DAVx5 could maybe show a message like “No certificate installed yet”, if its possible easily. Otherwise I’d leave it as it is.

mbiebl

Hm, instead of simply showing a message, would createInstallIntent() be an alternative?

Patrick Lang

@mbiebl , I have checked out this issue, it seems like this dialog is broken if no certificates are installed from API level 29 onwards, below 29 it’s still working and an install dialog is automatically shown.

Calling the createInstallIntent would only open the file browser and nothing more. If there is no certificate stored in the files, this wouldn’t help any further and the user would need optain a certificate anyway from somewhere else.
But on downloading a certificate you are asked to install it anyway, so there is not really a point why a certificate should be downloaded and not installed. Either there is a certificate installed and the user can select it - or there is no certificate installed and the user needs to obtain it somehow.
So I can think of no proper usecase for calling the createInstallIntent there. Do you see any usecase where this could be useful? Otherwise I would also say that a short message is the best way for a user feedback in this case!

mbiebl

Showing a small toast is certainly better then nothing, thanks @rfc2822

That said, I was wondering if we could get the old certificate chooser dialog back which would let one install a certificate directly. Has this functionality been removed completely?

rfc2822

@mbiebl said in certificate chooser broken in Android 10/11:

That said, I was wondering if we could get the old certificate chooser dialog back which would let one install a certificate directly. Has this functionality been removed completely?

I think they have completely moved the functionality to createInstallIntent.

@Patrick-Lang You have suggested https://gitlab.com/bitfireAT/davx5-ose/-/merge_requests/49 – Did you test whether this toast also appears when the selection is cancelled by the user? I wonder where there even is a reliable way to detect when no certificates are available.

Patrick Lang

@mbiebl said in certificate chooser broken in Android 10/11:

That said, I was wondering if we could get the old certificate chooser dialog back which would let one install a certificate directly. Has this functionality been removed completely?

I didn’t find anything that could have brought this chooser back.

However for experimental use I have tried the createInstallIntent(), I pushed the branch so you can check it out, but this branch was not meant to be merged:
https://gitlab.com/bitfireAT/davx5-ose/-/commit/a7883ee4cbcabbb0a9da38990956fa488a655d88

@Patrick-Lang You have suggested https://gitlab.com/bitfireAT/davx5-ose/-/merge_requests/49 – Did you test whether this toast also appears when the selection is cancelled by the user? I wonder where there even is a reliable way to detect when no certificates are available.

You are right, this quick check would not check if a certficate is installed, but rather if a certificate was or could be selected. So also when there are certificates but the user refused with “Deny”, the message would appear.
I understand that it’s not super clean, but also not really wrong, the message just appears when the user clicks but then can’t or denies the selection of something. (The key for me is that you actually Deny the access to the certificate, the user would not click on cancel)

Patrick Lang

@Patrick-Lang said in certificate chooser broken in Android 10/11:

https://gitlab.com/bitfireAT/davx5-ose/-/commit/a7883ee4cbcabbb0a9da38990956fa488a655d88

The approach with installIntent was now integrated as a Snackbar in the other Feature-Branch:

https://gitlab.com/bitfireAT/davx5-ose/-/commit/3b0b1f8b4298fdb66e5e15310eda45f4ce36cac9

I will delete the one from above now.

mbiebl

Thanks @Patrick-Lang
Tbh, I find this sentence in the dialog box a bit confusing

You can add a certificate from your local file storage. Would 
you like to add a certificate? Please add certificate again once 
your certificate is installed.

Patrick Lang

@mbiebl
As I said this branch was just made for experimental reasons and not meant to be put into the actual version. No further review has been made on this and the branch is already deleted.

mbiebl

Oh, ok. I thought this was going in the right direction.
Do you intend to rework and submit this as a PR at some point?

Patrick Lang

@mbiebl said in certificate chooser broken in Android 10/11:

PR

The installIntent was added in a Snackbar for now, it was already merged into dev-3.x-ose. So basically there is a compromise now where a message is displayed but still the installIntent can be started by the user. I personally wouldn’t see the need for any further improvement there.