Re: Client/server certificates verification support on Android platform

Thanks for the response Daniel.

AFAIK, Android has a KeyCert API, however this doesn't let you extract
private keys as such and only to perform certain cryptographic operations
on it. Guessing a bit here, this likely means that we would need to provide
an openssl engine (via libpq?) that implements certain openssl callbacks
and connects them through JNI to the android KeyCert API. This is a rather
complex integration to begin with, and one I wouldn’t blame libpq to not be
interested in.

I also can’t see the method suggested above to be super friendly to
services defined via pg_service.conf across multiple OSes; the filesystem
access for that is quite useful.

While presumed-safe locations are not bulletproof, they do have their uses
on Windows, and would definitively ease things when using libpq on Android.
When it comes to the actual use case described in this thread, I’d rather
rely on a clearly established and documented presumed-safe location logic
than doing the workaround I linked above. Both ultimately get us a workable
connection.

On Fri, Sep 19, 2025 at 5:44 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:

> > On 19 Sep 2025, at 12:18, Mathieu Pellerin <mathieu(at)opengis(dot)ch> wrote:
>
> > Would it make sense for other operating systems beyond Windows to also
> have relaxed permissions within specific application-specific folders? On
> Android, the application’s data directory would certainly match a similar
> set of secure assumptions as the OS restricts its access.
>
> FWIW, I am not a fan of the presumed-safe approach to filesystem
> locations, and
> even less so of relaxed permissions via configuration.
>
> One thing which has been discussed is to add support for vaults, like macOS
> keychain etc, as an alternative to filesystem acceess. Are there any such
> capabilities on Android which could be relied upon?
>
> --
> Daniel Gustafsson
>
>

--
[image: OG]
<https://link.bulksignature.com/4054a10b-3c19-46a2-9e27-813335d7dbdc>

*Mathieu Pellerin*
Mr. Ordinato

QField Product Owner | UX/UI Expert
Team QField
[image: email]
mathieu(at)opengis(dot)ch

[image: www]
https://opengis.ch

[image: linkedin] <https://www.linkedin.com/company/opengisch/> [image:
mastodon] <https://fosstodon.org/@opengisch> [image: github]
<https://github.com/opengisch/>