Add client certificate authentication support

Introduces support for client certificate authentication, including importing .p12 certificates, selecting certificates in settings, and using them during onboarding and connectivity checks. Updates onboarding flows, view models, and UI to handle certificate selection and import. Adds new localization strings for client certificate features in multiple languages.

Author: mariusangelmann

HomeAssistant.xcodeproj/project.pbxproj

@@ -478,6 +478,13 @@
 		1A3CC1D75E8EEF7294146BD1 /* ControlFanValueProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8A34A5417D650BBBE9D2D7C0 /* ControlFanValueProvider.swift */; };
 		20226C5AB77E1229852ADDC8 /* Pods_iOS_Extensions_Widgets.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D27653D385E4CEB58E52A350 /* Pods_iOS_Extensions_Widgets.framework */; };
 		237993F7E11DC585E29EDC7C /* Pods-iOS-Extensions-NotificationService-metadata.plist in Resources */ = {isa = PBXBuildFile; fileRef = 592EED7A6C2444872F11C17B /* Pods-iOS-Extensions-NotificationService-metadata.plist */; };
+		292306192F296D8D0063FEEE /* ClientCertificateManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = 292306182F296D8D0063FEEE /* ClientCertificateManager.swift */; };
+		2923061A2F296D8D0063FEEE /* ClientCertificate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 292306172F296D8D0063FEEE /* ClientCertificate.swift */; };
+		2923061B2F296D8D0063FEEE /* ClientCertificateManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = 292306182F296D8D0063FEEE /* ClientCertificateManager.swift */; };
+		2923061C2F296D8D0063FEEE /* ClientCertificate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 292306172F296D8D0063FEEE /* ClientCertificate.swift */; };
+		2923061E2F296EF90063FEEE /* ClientCertificateSettingsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 2923061D2F296EF90063FEEE /* ClientCertificateSettingsView.swift */; };
+		29E6AAA52F298B790087DB45 /* ClientCertificateNativeEngine.swift in Sources */ = {isa = PBXBuildFile; fileRef = 29E6AAA42F298B790087DB45 /* ClientCertificateNativeEngine.swift */; };
+		29E6AAA62F298B790087DB45 /* ClientCertificateNativeEngine.swift in Sources */ = {isa = PBXBuildFile; fileRef = 29E6AAA42F298B790087DB45 /* ClientCertificateNativeEngine.swift */; };
 		2F50FC61669812D485E608EC /* Pods-iOS-Extensions-PushProvider-metadata.plist in Resources */ = {isa = PBXBuildFile; fileRef = E3D5CF14402325076CA105EB /* Pods-iOS-Extensions-PushProvider-metadata.plist */; };
 		368048FC64829A4E4B82B631 /* Pods_watchOS_WatchExtension_Watch.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = A90DD8FC6E4726B7E7187C59 /* Pods_watchOS_WatchExtension_Watch.framework */; };
 		38A4EBA18ADEEE555AD14F52 /* Pods-iOS-App-metadata.plist in Resources */ = {isa = PBXBuildFile; fileRef = 553A33E097387AA44265DB13 /* Pods-iOS-App-metadata.plist */; };
@@ -2200,6 +2207,10 @@
 		207E35C8F1554A9AD616FFA2 /* Pods-iOS-Extensions-Share-metadata.plist */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.plist.xml; name = "Pods-iOS-Extensions-Share-metadata.plist"; path = "Pods/Pods-iOS-Extensions-Share-metadata.plist"; sourceTree = "<group>"; };
 		213EF66D14F92AF8BF2E9E98 /* Pods_iOS_Shared_iOS.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_iOS_Shared_iOS.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		287FA864ED0E47B2BB71E1C8 /* Pods-iOS-Shared-iOS-Tests-Shared.beta.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-iOS-Shared-iOS-Tests-Shared.beta.xcconfig"; path = "Pods/Target Support Files/Pods-iOS-Shared-iOS-Tests-Shared/Pods-iOS-Shared-iOS-Tests-Shared.beta.xcconfig"; sourceTree = "<group>"; };
+		292306172F296D8D0063FEEE /* ClientCertificate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClientCertificate.swift; sourceTree = "<group>"; };
+		292306182F296D8D0063FEEE /* ClientCertificateManager.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClientCertificateManager.swift; sourceTree = "<group>"; };
+		2923061D2F296EF90063FEEE /* ClientCertificateSettingsView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClientCertificateSettingsView.swift; sourceTree = "<group>"; };
+		29E6AAA42F298B790087DB45 /* ClientCertificateNativeEngine.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClientCertificateNativeEngine.swift; sourceTree = "<group>"; };
 		29FC93E25AB875716E2F35D4 /* Pods_iOS_Extensions_Intents.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_iOS_Extensions_Intents.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		32DB55A889E2163C52C335D2 /* Pods-iOS-Shared-iOS-Tests-Shared.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-iOS-Shared-iOS-Tests-Shared.debug.xcconfig"; path = "Pods/Target Support Files/Pods-iOS-Shared-iOS-Tests-Shared/Pods-iOS-Shared-iOS-Tests-Shared.debug.xcconfig"; sourceTree = "<group>"; };
 		38BD687E2E320F27D6D576B5 /* Pods-iOS-SharedTesting.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-iOS-SharedTesting.release.xcconfig"; path = "Pods/Target Support Files/Pods-iOS-SharedTesting/Pods-iOS-SharedTesting.release.xcconfig"; sourceTree = "<group>"; };
@@ -4031,6 +4042,7 @@
 				42BF8DB32EC4E73700DCB7E7 /* ConnectionSettingsViewModel.swift */,
 				1178C4E424D5CEB200FDEC3E /* ConnectionURLView.swift */,
 				42AAEE892EC4C57F0049E1F3 /* ConnectionURLViewModel.swift */,
+				2923061D2F296EF90063FEEE /* ClientCertificateSettingsView.swift */,
 			);
 			path = Connection;
 			sourceTree = "<group>";
@@ -7047,6 +7059,7 @@
 		D014EEAA212928EC008EA6F5 /* API */ = {
 			isa = PBXGroup;
 			children = (
+				29E6AAA42F298B790087DB45 /* ClientCertificateNativeEngine.swift */,
 				D014EEA82128E192008EA6F5 /* ConnectionInfo.swift */,
 				B66D6B1F2227A2EA009D8B90 /* WatchHelpers.swift */,
 				D0BE440B2104224A00C74314 /* Authentication */,
@@ -7068,6 +7081,8 @@
 				11F20BFB274D5DA900DFB163 /* Server+Fakes.swift */,
 				113A8D48283C7B1700B9DA32 /* PeriodicUpdateManager.swift */,
 				11B6774C28303D35006E9B1A /* SecurityExceptions.swift */,
+				292306172F296D8D0063FEEE /* ClientCertificate.swift */,
+				292306182F296D8D0063FEEE /* ClientCertificateManager.swift */,
 			);
 			path = API;
 			sourceTree = "<group>";
@@ -9296,6 +9311,7 @@
 				426E02992EF98F5F008237D4 /* CameraListRow.swift in Sources */,
 				B6DD5E6A24940F6F003A0154 /* OpenInFirefoxControllerSwift.swift in Sources */,
 				115EF6A72549152F0048597B /* AccountRow.swift in Sources */,
+				2923061E2F296EF90063FEEE /* ClientCertificateSettingsView.swift in Sources */,
 				111858DF24CB83DF00B8CDDC /* Intents.intentdefinition in Sources */,
 				B64BB3A81E9C6551001E8B46 /* WebViewController.swift in Sources */,
 				42FCCFE22B9B1B610057783F /* BarcodeScannerCamera.swift in Sources */,
@@ -9674,6 +9690,7 @@
 				1110836924AFEFA60027A67A /* Promise+WebhookJson.swift in Sources */,
 				4298587F2EB1025E00E33710 /* LocationManager.swift in Sources */,
 				420CFC6A2D3F9C40009A94F3 /* WatchConfigTable.swift in Sources */,
+				29E6AAA62F298B790087DB45 /* ClientCertificateNativeEngine.swift in Sources */,
 				1164D9DF25FB1B9800515E8A /* UIBarButtonItem+Additions.swift in Sources */,
 				11B38EF6275C54A300205C7B /* PickAServerError.swift in Sources */,
 				426D9C752C9C60B000F278AF /* ControlEntityProvider.swift in Sources */,
@@ -9715,6 +9732,8 @@
 				11A3BD2E26192210005237E6 /* LocalPushManager.swift in Sources */,
 				4278C9C22C8F226500A7B5F4 /* GuaranteedMessages.swift in Sources */,
 				4238DCA42DD1F1E300126434 /* AppSessionValues.swift in Sources */,
+				292306192F296D8D0063FEEE /* ClientCertificateManager.swift in Sources */,
+				2923061A2F296D8D0063FEEE /* ClientCertificate.swift in Sources */,
 				11CFD785273662DF0082D557 /* Server.swift in Sources */,
 				116C0C30267EB90F00A992E4 /* UserDefaultsValueSync.swift in Sources */,
 				B67CE8B422200F220034C1D0 /* URL+Extensions.swift in Sources */,
@@ -9993,6 +10012,7 @@
 				42D3E49C2C5BB88F00444BE6 /* WatchBatterySensor.swift in Sources */,
 				11C4629624B19FC700031902 /* URLSessionTask+WebhookPersisted.swift in Sources */,
 				11F2F25E25871D6000F61F7C /* NotificationAttachmentParserCamera.swift in Sources */,
+				29E6AAA52F298B790087DB45 /* ClientCertificateNativeEngine.swift in Sources */,
 				11B63B0A2979A07000D908ED /* AssistIntentHandler.swift in Sources */,
 				42196ACE2DA5A49600BD501E /* Bonjour.swift in Sources */,
 				1133F59C25F1DA5D00AD776F /* CLLocation+Sanitize.swift in Sources */,
@@ -10112,6 +10132,8 @@
 				4206DE5A2E25055E00142E85 /* WebsiteDataStoreHandler.swift in Sources */,
 				11B38EE8275C54A200205C7B /* WidgetActionsIntentHandler.swift in Sources */,
 				B6D3B4ED225B26900082BB4F /* SensorContainer.swift in Sources */,
+				2923061B2F296D8D0063FEEE /* ClientCertificateManager.swift in Sources */,
+				2923061C2F296D8D0063FEEE /* ClientCertificate.swift in Sources */,
 				11B38EEE275C54A200205C7B /* FocusStatusIntentHandler.swift in Sources */,
 				427A7CD92EBDFB1700D17841 /* AppArea.swift in Sources */,
 				11C4628E24B128EF00031902 /* WebhookResponseUnhandled.swift in Sources */,

Sources/App/Onboarding/API/OnboardingAuth.swift

@@ -122,6 +122,9 @@ class OnboardingAuth {
             promise = promise.recover { [self] originalError -> Promise<HomeAssistantAPI> in
                 let authDetails = try OnboardingAuthDetails(baseURL: url)
 
+                // Note: Certificate selection happens during mTLS challenge handling
+                // User must explicitly import and select certificates in settings
+
                 return firstly {
                     performPreSteps(checkPoint: .beforeAuth, authDetails: authDetails, sender: sender)
                 }.then { [self] in
@@ -200,7 +203,8 @@ private extension ConnectionInfo {
             internalHardwareAddresses: nil,
             isLocalPushEnabled: false,
             securityExceptions: authDetails.exceptions,
-            connectionAccessSecurityLevel: .undefined
+            connectionAccessSecurityLevel: .undefined,
+            clientCertificate: authDetails.clientCertificate
         )
 
         // default cloud to on

Sources/App/Onboarding/API/OnboardingAuthDetails.swift

@@ -5,6 +5,7 @@ class OnboardingAuthDetails: Equatable {
     var url: URL
     var scheme: String
     var exceptions: SecurityExceptions = .init()
+    var clientCertificate: ClientCertificate?
 
     init(baseURL: URL) throws {
         guard var components = URLComponents(url: baseURL.sanitized(), resolvingAgainstBaseURL: false) else {
@@ -47,6 +48,6 @@ class OnboardingAuthDetails: Equatable {
     }
 
     static func == (lhs: OnboardingAuthDetails, rhs: OnboardingAuthDetails) -> Bool {
-        lhs.url == rhs.url && lhs.scheme == rhs.scheme && lhs.exceptions == rhs.exceptions
+        lhs.url == rhs.url && lhs.scheme == rhs.scheme && lhs.exceptions == rhs.exceptions && lhs.clientCertificate == rhs.clientCertificate
     }
 }

Sources/App/Onboarding/API/OnboardingAuthLoginViewController.swift

@@ -84,6 +84,14 @@ class OnboardingAuthLoginViewControllerImpl: UIViewController, OnboardingAuthLog
         didReceive challenge: URLAuthenticationChallenge,
         completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
     ) {
+        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate {
+            if let cert = authDetails.clientCertificate,
+               let credential = ClientCertificateManager.shared.credential(for: cert) {
+                completionHandler(.useCredential, credential)
+                return
+            }
+        }
+
         let result = authDetails.exceptions.evaluate(challenge)
         completionHandler(result.0, result.1)
     }

Sources/App/Onboarding/API/Steps/OnboardingAuthStepConnectivity.swift

@@ -145,7 +145,7 @@ class OnboardingAuthStepConnectivity: NSObject, OnboardingAuthPreStep, URLSessio
         _ session: URLSession,
         task: URLSessionTask,
         didReceive challenge: URLAuthenticationChallenge,
-        completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+        completionHandler: @escaping @Sendable (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
     ) {
         guard let pendingResolver = taskIdentifierToResolver[task.taskIdentifier] else {
             completionHandler(.cancelAuthenticationChallenge, nil)
@@ -164,8 +164,13 @@ class OnboardingAuthStepConnectivity: NSObject, OnboardingAuthPreStep, URLSessio
             pendingResolver.reject(OnboardingAuthError(kind: .basicAuth))
             completionHandler(.cancelAuthenticationChallenge, nil)
         case NSURLAuthenticationMethodClientCertificate:
-            clientCertificateErrorOccurred[task.taskIdentifier] = true
-            completionHandler(.performDefaultHandling, nil)
+            if let cert = authDetails.clientCertificate,
+               let credential = ClientCertificateManager.shared.credential(for: cert) {
+                completionHandler(.useCredential, credential)
+            } else {
+                clientCertificateErrorOccurred[task.taskIdentifier] = true
+                completionHandler(.performDefaultHandling, nil)
+            }
         default:
             pendingResolver
                 .reject(OnboardingAuthError(kind: .authenticationUnsupported(

Sources/App/Onboarding/Steps/Servers/OnboardingServersListView.swift

@@ -1,6 +1,7 @@
 import Combine
 import Shared
 import SwiftUI
+import UniformTypeIdentifiers
 
 struct OnboardingServersListView: View {
     enum Constants {
@@ -17,6 +18,13 @@ struct OnboardingServersListView: View {
 
     @State private var showDocumentation = false
     @State private var showManualInput = false
+    @State private var showCertificateImport = false
+    @State private var certificateImportData: Data?
+    @State private var certificateImportName = ""
+    @State private var certificateImportPassword = ""
+    @State private var certificateImportError: String?
+    @State private var certificateImportSuccessMessage: String?
+    @State private var showCertificatePasswordSheet = false
     @State private var screenLoaded = false
     @State private var autoConnectWorkItem: DispatchWorkItem?
     @State private var autoConnectInstance: DiscoveredHomeAssistant?
@@ -97,6 +105,26 @@ struct OnboardingServersListView: View {
                 viewModel.selectInstance(.init(manualURL: connectURL), presentingController: presentingViewController)
             }
         }
+        .fileImporter(
+            isPresented: $showCertificateImport,
+            allowedContentTypes: [.pkcs12],
+            onCompletion: handleCertificateFileImport
+        )
+        .sheet(isPresented: $showCertificatePasswordSheet) {
+            certificatePasswordSheet
+        }
+        .alert(
+            item: Binding<AlertItem?>(
+                get: {
+                    certificateImportSuccessMessage.map { AlertItem(id: $0, title: $0) }
+                },
+                set: {
+                    certificateImportSuccessMessage = $0?.title
+                }
+            )
+        ) { item in
+            Alert(title: Text(item.title), dismissButton: .default(Text(L10n.okLabel)))
+        }
         .fullScreenCover(isPresented: .init(get: {
             viewModel.showPermissionsFlow && viewModel.onboardingServer != nil
         }, set: { newValue in
@@ -182,7 +210,16 @@ struct OnboardingServersListView: View {
         }
     }
 
+    @ToolbarContentBuilder
     private var toolbarItems: some ToolbarContent {
+        ToolbarItem(placement: .topBarLeading) {
+            Button {
+                showCertificateImport = true
+            } label: {
+                Image(systemSymbol: .lock)
+            }
+            .accessibilityLabel(L10n.Settings.ConnectionSection.ClientCertificate.title)
+        }
         ToolbarItem(placement: .topBarTrailing) {
             if prefillURL != nil {
                 CloseButton {
@@ -389,10 +426,100 @@ struct OnboardingServersListView: View {
             .frame(height: 1)
             .foregroundStyle(Color(uiColor: .secondaryLabel))
     }
+
+    // MARK: - Certificate Import
+
+    private var certificatePasswordSheet: some View {
+        NavigationView {
+            Form {
+                Section {
+                    TextField(
+                        L10n.Settings.ConnectionSection.ClientCertificate.Import.name,
+                        text: $certificateImportName
+                    )
+                    SecureField(
+                        L10n.Settings.ConnectionSection.ClientCertificate.Import.password,
+                        text: $certificateImportPassword
+                    )
+                } footer: {
+                    if let error = certificateImportError {
+                        Text(error)
+                            .foregroundStyle(.red)
+                    }
+                }
+
+                Section {
+                    Button(L10n.Settings.ConnectionSection.ClientCertificate.Import.importButton) {
+                        performCertificateImport()
+                    }
+                    .disabled(certificateImportName.isEmpty)
+                }
+            }
+            .navigationTitle(L10n.Settings.ConnectionSection.ClientCertificate.Import.title)
+            .navigationBarTitleDisplayMode(.inline)
+            .toolbar {
+                ToolbarItem(placement: .cancellationAction) {
+                    Button(L10n.Settings.ConnectionSection.ClientCertificate.Import.cancel) {
+                        resetCertificateImportState()
+                    }
+                }
+            }
+        }
+    }
+
+    private func handleCertificateFileImport(_ result: Result<URL, Error>) {
+        do {
+            let selectedFile = try result.get()
+            guard selectedFile.startAccessingSecurityScopedResource() else {
+                Current.Log.error("Cannot access security scoped resource for certificate")
+                return
+            }
+            defer { selectedFile.stopAccessingSecurityScopedResource() }
+
+            certificateImportData = try Data(contentsOf: selectedFile)
+            certificateImportName = selectedFile.deletingPathExtension().lastPathComponent
+            certificateImportPassword = ""
+            certificateImportError = nil
+            showCertificatePasswordSheet = true
+        } catch {
+            Current.Log.error("Error importing certificate file: \(error)")
+        }
+    }
+
+    private func performCertificateImport() {
+        guard let data = certificateImportData else { return }
+
+        do {
+            try ClientCertificateManager.shared.importP12(
+                data: data,
+                password: certificateImportPassword,
+                name: certificateImportName
+            )
+            resetCertificateImportState()
+            certificateImportSuccessMessage = "Imported \(certificateImportName)"
+        } catch let error as ClientCertificateError {
+            certificateImportError = error.localizedDescription
+        } catch {
+            certificateImportError = error.localizedDescription
+        }
+    }
+
+    private func resetCertificateImportState() {
+        showCertificatePasswordSheet = false
+        certificateImportData = nil
+        certificateImportName = ""
+        certificateImportPassword = ""
+        certificateImportError = nil
+    }
 }
 
 #Preview {
     NavigationView {
         OnboardingServersListView(prefillURL: nil, onboardingStyle: .secondary)
     }
 }
+
+struct AlertItem: Identifiable {
+    var id: String
+    var title: String
+}