public inbox for [email protected]
Re: Client/server certificates verification support on Android platform
From: Daniel Gustafsson @ 2025-09-19 10:44 UTC (permalink / raw)
To: Mathieu Pellerin <[email protected]>; +Cc: [email protected]
> On 19 Sep 2025, at 12:18, Mathieu Pellerin <[email protected]> wrote:
> Would it make sense for other operating systems beyond Windows to also have relaxed permissions within specific application-specific folders? On Android, the application’s data directory would certainly match a similar set of secure assumptions as the OS restricts its access.
FWIW, I am not a fan of the presumed-safe approach to filesystem locations, and
even less so of relaxed permissions via configuration.
One thing which has been discussed is to add support for vaults, like macOS
keychain etc, as an alternative to filesystem access. Are there any such
capabilities on Android which could be relied upon?
--
Daniel Gustafsson
From: Mathieu Pellerin @ 2025-10-05 09:19 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Thanks for the response Daniel.
AFAIK, Android has a KeyCert API, however this doesn't let you extract
private keys as such; it only lets you perform certain cryptographic operations
on them. Guessing a bit here, this likely means that we would need to provide
an OpenSSL engine (via libpq?) that implements certain OpenSSL callbacks
and connects them through JNI to the Android KeyCert API. This is a rather
complex integration to begin with, and one I wouldn’t blame libpq for not being
interested in.
I also can’t see the method suggested above to be super friendly to
services defined via pg_service.conf across multiple OSes; the filesystem
access for that is quite useful.
While presumed-safe locations are not bulletproof, they do have their uses
on Windows, and would definitively ease things when using libpq on Android.
When it comes to the actual use case described in this thread, I’d rather
rely on a clearly established and documented presumed-safe location logic
than doing the workaround I linked above. Both ultimately get us a workable
connection.
On Fri, Sep 19, 2025 at 5:44 PM Daniel Gustafsson <[email protected]> wrote:
> > On 19 Sep 2025, at 12:18, Mathieu Pellerin <[email protected]> wrote:
> >
> > Would it make sense for other operating systems beyond Windows to also
> > have relaxed permissions within specific application-specific folders? On
> > Android, the application’s data directory would certainly match a similar
> > set of secure assumptions as the OS restricts its access.
>
> FWIW, I am not a fan of the presumed-safe approach to filesystem
> locations, and even less so of relaxed permissions via configuration.
>
> One thing which has been discussed is to add support for vaults, like macOS
> keychain etc, as an alternative to filesystem access. Are there any such
> capabilities on Android which could be relied upon?
>
> --
> Daniel Gustafsson
>
>
--
Mathieu Pellerin
Mr. Ordinato
QField Product Owner | UX/UI Expert
Team QField
[email protected]
https://opengis.ch