[Privacy and Security] Add trusted Root CA option #489

Closed
worph opened this issue Feb 13, 2023 · 9 comments · Fixed by #1004
Labels
enhancement New feature or request

Comments


worph commented Feb 13, 2023

Is your feature request related to a problem? Please describe.
We would like a feature to add a trusted Root CA in Wolvic.

Describe the solution you'd like
A menu in the settings where we can browse for a CRT file on the headset to be added to the trusted root certificates.
Something like the Privacy and Security panel in Firefox. https://javorszky.co.uk/2019/11/06/get-firefox-to-trust-your-self-signed-certificates/#solve-the-self-signed-cert-thing

Describe alternatives you've considered
Rebuilding Wolvic ourselves to add an exception to some domain.

Additional context
The aim is to have Wolvic work in corporate settings on an internal network.

@svillar svillar added the enhancement New feature or request label Feb 14, 2023

Arkrixe commented Feb 15, 2023

Needed!

Member

svillar commented Feb 16, 2023

Here we're limited by what the GeckoView interface allows us to do. There is no current API in GeckoView to import individual root certificates.

However, there is an open bug, even with a proposed patch, to add that API. We could consider adding that to the Gecko fork we're using for Wolvic.

But there is even another alternative which does not involve patching Gecko, and it's the preferred one from our POV if that works for you. As explained here, we can instruct Gecko (with no API changes) to use the root certs from Android storage. If that works for you, it's just a matter of enabling a configuration setting inside Wolvic, and it would be included in future releases.

Author

worph commented Feb 17, 2023

Yes, I think the best way to do this would be to use the certificate from the system. Unfortunately, there is no way (to my knowledge) to add a trusted certificate in the Quest 2 OS (which we would like to use).

Using the Gecko fork from Bugzilla would solve this issue for our use case on Quest 2. That would be great.

@felipeerias
Contributor

@worph I am having a look at the Gecko patch and my understanding is that it only supports adding a single root certificate. Would that be enough to cover your use case?

Can you foresee other scenarios where somebody might need to add more than one certificate?

Author

worph commented Feb 17, 2023

For our use case it would be enough, since we only have to add the certificate for the internal corporate network and we only have one.

"Can you foresee other scenarios where somebody might need to add more than one certificate?" => I do not think so.


jox commented Mar 22, 2023

Same here. Being able to add a custom certificate would be fantastic. Just one would be sufficient for us as well.


jkumara commented Jul 18, 2023

This would be fantastic, being able to add even just one certificate would go a long way.

@HollowMan6 HollowMan6 self-assigned this Sep 13, 2023
@HollowMan6
Collaborator

Unfortunately, it looks like the issue at Mozilla Bugzilla was closed as won't fix, and the patch proposed there didn't get merged: https://phabricator.services.mozilla.com/D153882

So let's use the alternative API as explained here to get this issue resolved, which is to instruct Gecko to use the root certs from Android. Although there might be no way to add a trusted certificate in the Meta Quest 2 OS.

HollowMan6 added a commit that referenced this issue Sep 21, 2023
Resolve #489

Signed-off-by: Songlin Jiang <sjiang@igalia.com>
@HollowMan6 HollowMan6 removed their assignment Sep 21, 2023
@HollowMan6
Collaborator

Investigated the Meta Quest 2 system for installing certificates. Looks like we are not able to install the certificate into the system at all. I tried to use the method here https://stackoverflow.com/a/75096266 but it keeps telling me it can't read the certificate although I believe I have inputted the correct path. Then I finally found the option to install the certificate while connecting to Eduroam, and I installed the certificate with the correct type (VPN and app user certificate), but still, I can't visit the websites using that certificate, so I think Meta Quest 2 may have disabled the user trusted Root certificate from working.


svillar pushed a commit that referenced this issue Sep 25, 2023
Resolve #489

Signed-off-by: Songlin Jiang <sjiang@igalia.com>
felipeerias pushed a commit that referenced this issue Oct 16, 2023
Resolve #489

Signed-off-by: Songlin Jiang <sjiang@igalia.com>
felipeerias pushed a commit that referenced this issue Oct 17, 2023
Resolve #489

Signed-off-by: Songlin Jiang <sjiang@igalia.com>
7 participants