From cde39f4c1ac0cc2e25a1143bca3725bc963eb99f Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 30 Sep 2025 16:47:42 +0200
Subject: [PATCH] android: Make a certificate alias pre-selectable in managed
 profiles

This allows associating a pre-installed certificate/key with a VPN
profile.  For instance, one locally generated on the device via
SCEP/ETS by the MDM.  It only works if the app is granted access to the
certificate/key (alias) by the MDM.

For now, users may still select a different certificate if one is
available (since this requires the certificate to be installed as
user-selectable there might not be).
---
 .../org/strongswan/android/data/ManagedVpnProfile.java     | 5 +++++
 .../main/res/values-de/strings_managed_configuration.xml   | 3 +++
 .../main/res/values-pl/strings_managed_configuration.xml   | 3 +++
 .../main/res/values-ru/strings_managed_configuration.xml   | 3 +++
 .../main/res/values-uk/strings_managed_configuration.xml   | 3 +++
 .../res/values-zh-rCN/strings_managed_configuration.xml    | 3 +++
 .../res/values-zh-rTW/strings_managed_configuration.xml    | 3 +++
 .../src/main/res/values/strings_managed_configuration.xml  | 2 ++
 .../android/app/src/main/res/xml/managed_configuration.xml | 7 +++++++
 9 files changed, 32 insertions(+)

diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/data/ManagedVpnProfile.java b/src/frontends/android/app/src/main/java/org/strongswan/android/data/ManagedVpnProfile.java
index 47e85a5ca9..dfe519a23c 100644
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/ManagedVpnProfile.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/ManagedVpnProfile.java
@@ -38,6 +38,7 @@ public class ManagedVpnProfile extends VpnProfile
 	private static final String KEY_REMOTE_REVOCATION_CRL_FLAG = "remote_revocation_crl";
 	private static final String KEY_REMOTE_REVOCATION_OCSP_FLAG = "remote_revocation_ocsp";
 	private static final String KEY_REMOTE_REVOCATION_STRICT_FLAG = "remote_revocation_strict";
+	private static final String KEY_LOCAL_USER_CERTIFICATE_ALIAS = "user_certificate_alias";
 	private static final String KEY_LOCAL_RSA_PSS_FLAG = "local_rsa_pss";
 
 	private static final String KEY_SPLIT_TUNNELLING_BLOCK_IPV4_FLAG = "split_tunnelling_block_ipv4";
@@ -152,6 +153,10 @@ public class ManagedVpnProfile extends VpnProfile
 			userCertificate = new ManagedUserCertificate(uuid.toString(), userCertificateData, userCertificatePassword);
 			setUserCertificateAlias(userCertificate.getAlias());
 		}
+		else
+		{
+			setUserCertificateAlias(getString(local, KEY_LOCAL_USER_CERTIFICATE_ALIAS));
+		}
 
 		flags = addPositiveFlag(flags, local, KEY_LOCAL_RSA_PSS_FLAG, VpnProfile.FLAGS_RSA_PSS);
 		return flags;
diff --git a/src/frontends/android/app/src/main/res/values-de/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values-de/strings_managed_configuration.xml
index c7d516011b..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values-de/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-de/strings_managed_configuration.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
+    Copyright (C) 2025 Tobias Brunner
     Copyright (C) 2023 Relution GmbH
 
     Copyright (C) secunet Security Networks AG
@@ -93,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/values-pl/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values-pl/strings_managed_configuration.xml
index c7d516011b..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values-pl/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-pl/strings_managed_configuration.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
+    Copyright (C) 2025 Tobias Brunner
     Copyright (C) 2023 Relution GmbH
 
     Copyright (C) secunet Security Networks AG
@@ -93,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/values-ru/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values-ru/strings_managed_configuration.xml
index c7d516011b..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values-ru/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-ru/strings_managed_configuration.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
+    Copyright (C) 2025 Tobias Brunner
     Copyright (C) 2023 Relution GmbH
 
     Copyright (C) secunet Security Networks AG
@@ -93,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/values-uk/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values-uk/strings_managed_configuration.xml
index c7d516011b..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values-uk/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-uk/strings_managed_configuration.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
+    Copyright (C) 2025 Tobias Brunner
     Copyright (C) 2023 Relution GmbH
 
     Copyright (C) secunet Security Networks AG
@@ -93,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/values-zh-rCN/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values-zh-rCN/strings_managed_configuration.xml
index c7d516011b..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values-zh-rCN/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-zh-rCN/strings_managed_configuration.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
+    Copyright (C) 2025 Tobias Brunner
     Copyright (C) 2023 Relution GmbH
 
     Copyright (C) secunet Security Networks AG
@@ -93,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/values-zh-rTW/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values-zh-rTW/strings_managed_configuration.xml
index c7d516011b..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values-zh-rTW/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-zh-rTW/strings_managed_configuration.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
+    Copyright (C) 2025 Tobias Brunner
     Copyright (C) 2023 Relution GmbH
 
     Copyright (C) secunet Security Networks AG
@@ -93,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/values/strings_managed_configuration.xml b/src/frontends/android/app/src/main/res/values/strings_managed_configuration.xml
index 04922033d8..c0bdd7f709 100644
--- a/src/frontends/android/app/src/main/res/values/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values/strings_managed_configuration.xml
@@ -94,6 +94,8 @@
     <string name="managed_config_local_p12_description">Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see Android VPN client configuration for details). Not necessary for username/password-based EAP authentication or if the user already has the certificate/key installed as it may be selected while importing the profile</string>
     <string name="managed_config_local_p12_password_title">User certificate password (Optional)</string>
     <string name="managed_config_local_p12_password_description">Password required to extract the private key of the PKCS#12-container for installation</string>
+    <string name="managed_config_local_user_certificate_alias_title">User certificate alias (Optional)</string>
+    <string name="managed_config_local_user_certificate_alias_description">Alias of a user certificate/key already installed on the device. The app must be granted access to it by the MDM. Only used if no certificate is distributed with the config. If a certificate is required and this is not set, the user may select a local certificate manually</string>
     <string name="managed_config_local_rsa_pss_title">@string/profile_rsa_pss_label</string>
     <string name="managed_config_local_rsa_pss_description">@string/profile_rsa_pss_hint</string>
 
diff --git a/src/frontends/android/app/src/main/res/xml/managed_configuration.xml b/src/frontends/android/app/src/main/res/xml/managed_configuration.xml
index 2b2a57479c..471ece0924 100644
--- a/src/frontends/android/app/src/main/res/xml/managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/xml/managed_configuration.xml
@@ -205,6 +205,13 @@
                     android:restrictionType="string"
                     android:title="@string/managed_config_local_p12_password_title" />
 
+                <restriction
+                    android:defaultValue=""
+                    android:description="@string/managed_config_local_user_certificate_alias_description"
+                    android:key="user_certificate_alias"
+                    android:restrictionType="string"
+                    android:title="@string/managed_config_local_user_certificate_alias_title" />
+
                 <restriction
                     android:defaultValue="false"
                     android:description="@string/managed_config_local_rsa_pss_description"
-- 
2.47.3