
Security: Add mTLS client certificate support#116

Open
paolostivanin wants to merge 1 commit into
opencloud-eu:mainfrom
paolostivanin:main
Open

Security: Add mTLS client certificate support#116
paolostivanin wants to merge 1 commit into
opencloud-eu:mainfrom
paolostivanin:main

Conversation

@paolostivanin


Allow users to present a client certificate for mutual TLS authentication (e.g. Cloudflare mTLS). Uses Android KeyChain API so users pick from certificates already installed on device.

Tested on my device (OnePlus 13R) with Android 16. My setup is: Cloudflare (with mTLS) -> NPM -> homelab

I've installed the opencloudApp/build/outputs/apk/qa/debug/OpenCloud_1.2.1-qa-debug.apk on my device, and with this version and the certificate selected I can browse my data, while with upstream's version sync and browsing fail (as expected).

I've been using this debug apk for a few days now and I have not faced any issues.

Please note that I am NOT an Android developer, so please review the changes carefully for any mistake I might have made 😃

@guruz

guruz commented Mar 26, 2026

Contributor

Thank you for the PR, looks small enough to merge.

However: Did you see @michaelstingl 's proposal here: https://github.com/orgs/opencloud-eu/discussions/819#discussioncomment-13102292

@paolostivanin

Author

hello!

Yes, I saw that discussion but as opencloud-eu/opencloud#819 (reply in thread) pointed out, this is a different use case compared to the IdP mTLS 😃

@paolostivanin

Author

hello :) is there any more feedback about this PR? Thanks

@guruz

guruz commented Apr 15, 2026

Contributor

@paolostivanin I will have a look for 1.3.0 :)

@paolostivanin

Author

> @paolostivanin I will have a look for 1.3.0 :)

thanks a lot, much appreciated 😄

@GIT-MarkBowman


Built and sideloaded on my Samsung Galaxy S22 on Android 16; using CF Zero Trust and tunnel --> caddy --> Opencloud with Authentik OIDC. I'll post any issues I have.

@guruz

guruz commented Apr 22, 2026

Contributor

@paolostivanin Thank you, what are the changes from before?

@paolostivanin

paolostivanin commented Apr 22, 2026

Author

> @paolostivanin Thank you, what are the changes from before?

Just a rebase against latest master, I saw that there was a merge conflict.

Allow users to present a client certificate for mutual TLS
authentication (e.g. Cloudflare mTLS). Uses Android KeyChain
API so users pick from certificates already installed on device.
@paolostivanin paolostivanin reopened this Jun 9, 2026
@paolostivanin

paolostivanin commented Jun 9, 2026

Author

Did a self-review pass and pushed an amended commit (17494d509) addressing several issues I caught:

Bug fix

  • Cancelling the certificate picker no longer silently clears the cert and disables mTLS in the underlying store while leaving the checkbox visually "on". Cancel is now a no-op, preserving the existing selection.

Architecture cleanups

  • Single source of truth for storage: dropped the custom mtls_prefs file. enable_mtls and the alias both live in the default SharedPreferences (same store CheckBoxPreference writes to), so the two can't drift out of sync.
  • SettingsSecurityViewModel no longer takes Context parameters — alias get/set/clear go through the existing SharedPreferencesProvider. Matches the pattern the rest of the security settings already use.
  • Added viewModel.invalidateHttpClients() so the Fragment doesn't reach into SingleSessionManager directly.
  • Converted ClientCertificateManager from Java to a Kotlin object (project convention for new code).
  • HttpClient.getOkHttpClient() and invalidate() are now synchronized — closes the race window introduced by allowing invalidation from another thread.

UX

  • Toggling mTLS on with no cert saved now auto-launches the picker. If the user cancels, the checkbox reverts so prefs and UI stay consistent.

Misc

  • -1 port magic literal replaced with named KEYCHAIN_NO_PORT constant.
  • Removed unused prefs_mtls_cert_removed string.
  • Trailing newline on settings_security.xml.

Verified locally with ./gradlew :opencloudComLibrary:compileDebug* :opencloudApp:compileQaDebug* :opencloudApp:testQaDebugUnitTest - all green, existing SettingsSecurityViewModelTest still passes.

Functionality is unchanged from what I described in the PR body; still tested on my own setup (Cloudflare mTLS → NPM → homelab).

@guruz

guruz commented Jun 9, 2026

Contributor

Thanks for updating.

Linking iOS UI (functionality not existing yet for the cert part) -> opencloud-eu/ios#59 (comment)


3 participants