@ThomasMoulin-hub
mTLS Support for Nextcloud Connection

Description

This Pull Request adds support for mutual TLS (mTLS) authentication, allowing the app to connect to Nextcloud instances hidden behind a reverse proxy that requires a client certificate.

Changes

  • OkHttp Client Configuration: Enhanced OkHttpRequest to support SSL contexts with a KeyManager. It now initializes the OkHttpClient with a client certificate from the Android KeyChain when configured.
  • Automatic Certificate Request: Implemented logic to detect when a secure connection fails due to a missing client certificate.
  • User Interface: The app now prompts the user to select a certificate from the system's credential storage (KeyChain) only when required by the server.
  • Persistence: The selected certificate alias is stored in preferences. The OkHttpClient is automatically re-initialized with the chosen certificate upon app startup (MainActivity), ensuring the user doesn't need to re-select it every time.

How to test

  1. Set up a Nextcloud instance behind nginx with ssl_verify_client on.
  2. Install the client .p12 certificate on the Android device.
  3. Attempt to log in to the Nextcloud instance via the app.
  4. The app should prompt to select a certificate.
  5. After selection, the connection should succeed.
  6. Restart the app; the connection should work immediately without prompting again.

Closes #126

Copilot AI review requested due to automatic review settings February 1, 2026 03:05
Copilot AI left a comment

Pull request overview

This PR implements mutual TLS (mTLS) support for Nextcloud connections, allowing the app to authenticate using client certificates when connecting to Nextcloud instances behind reverse proxies that require mTLS. The implementation automatically detects when a client certificate is needed during WebView-based login and prompts the user to select a certificate from the Android KeyChain. The selected certificate is persisted in encrypted preferences and automatically loaded on app startup for use with OkHttp requests.

Changes:

  • Added client certificate selection and persistence using Android KeyChain API
  • Enhanced OkHttpClient initialization to support SSL contexts with client certificates
  • Implemented WebView client certificate handling with automatic prompting during login

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 11 comments.

| File | Description |
| --- | --- |
| app/src/main/res/values/strings.xml | Added string resources for client certificate UI elements (preference titles, actions, toasts) |
| app/src/main/java/com/hegocre/nextcloudpasswords/utils/PreferencesManager.kt | Added methods to store and retrieve client certificate alias in encrypted preferences |
| app/src/main/java/com/hegocre/nextcloudpasswords/utils/OkHttpRequest.kt | Added certificate-aware SSL context initialization with thread synchronization for background loading |
| app/src/main/java/com/hegocre/nextcloudpasswords/ui/components/LoginView.kt | Implemented WebView client certificate request handling with KeyChain integration |
| app/src/main/java/com/hegocre/nextcloudpasswords/ui/activities/MainActivity.kt | Added OkHttp client initialization on app startup to persist certificate across restarts |


Successfully merging this pull request may close these issues.

[Feature Request] Support for Client Certificates (mTLS)