Reputation: 361
Has anybody any experience with using client certificates for authentication and PhoneGap? I have a web application secured by client certificates and I would now like to access this web app using PhoneGap. The web application refuses my request because it could not authenticate me, as no certificate was found. I downloaded the client certificate in PKCS#12 format via Android's default browser, but I guess it is now only stored in the browser's keystore instead of a global Android keystore or something like that. So to summarize:
1.) Is it possible to use client certificates for authentication on Android at all?
2.) If yes, is it also possible with PhoneGap?
3.) If yes again, how can I accomplish it?
Thanks!
Regards, Ralf
Upvotes: 4
Views: 6065
Reputation: 76
Better late than never: the problem for Android 4+ (at least up to SDK 16) is that WebView rejects client certificate authentication with the SDK's hidden onReceivedClientCertRequest, which cannot be overridden.
This can be bypassed by including the hidden classes in android.jar (see https://devmaze.wordpress.com/2011/01/18/using-com-android-internal-part-1-introduction/) and then compiling Cordova (from https://github.com/apache/incubator-cordova-android) with an overridden CordovaWebViewClient::onReceivedClientCertRequest.
I did it so that the app loads the private key and certificate chain on init (the user selects it from the keychain only on the first app execution). This should be done in another thread; I suspect this is the reason client cert authentication is not supported yet, as the main thread would wait for the user to select the certificate to use and/or for the certificate chain to be loaded, which is unacceptable.
EDIT: This was short-lived: it seems that onReceivedClientCertRequest is removed in Android 4.2 (SDK 17).
The conclusion was too quick: they just moved the functionality to the WebViewClientClassicExt class, so you just need to extend CordovaWebViewClient from it and not WebViewClient, and it works for 4.2 also.
Upvotes: 6
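The key-loading step the answer describes (user picks a certificate once, then the key and chain are loaded off the main thread) can be sketched with the public android.security.KeyChain API (API level 14+). This is an added example, not code from the answer or from Cordova; the class name ClientCertStore and the "RSA" key-type filter are assumptions, and passing the cached key and chain to the hidden onReceivedClientCertRequest callback is not shown.

```java
import android.app.Activity;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

/** Hypothetical helper: caches the user's client key and chain for later use. */
public final class ClientCertStore {
    private volatile PrivateKey privateKey;
    private volatile X509Certificate[] chain;

    /** Call once from the activity at startup; shows the system certificate picker. */
    public void selectAndLoad(final Activity activity) {
        KeyChain.choosePrivateKeyAlias(activity, new KeyChainAliasCallback() {
            @Override
            public void alias(final String alias) {
                if (alias == null) {
                    return; // user cancelled: no client certificate is available
                }
                loadInBackground(activity.getApplicationContext(), alias);
            }
        }, new String[] {"RSA"}, null, null, -1, null); // no issuer/host filter, no preselection
    }

    /** KeyChain lookups block, so they run on a worker thread, never the UI thread. */
    private void loadInBackground(final Context context, final String alias) {
        new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    X509Certificate[] loadedChain = KeyChain.getCertificateChain(context, alias);
                    PrivateKey loadedKey = KeyChain.getPrivateKey(context, alias);
                    chain = loadedChain;    // publish the chain first,
                    privateKey = loadedKey; // then the key, so isReady() sees both
                } catch (KeyChainException e) {
                    // access was not granted or the alias no longer exists; stay "not ready"
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        }, "client-cert-loader").start();
    }

    public boolean isReady() { return privateKey != null && chain != null; }
    public PrivateKey getPrivateKey() { return privateKey; }
    public X509Certificate[] getChain() { return chain; }
}
```

A page load that needs the certificate should be deferred until isReady() returns true, since the picker and the keystore lookup complete asynchronously.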