Conversation

jalenfran
🎟️ Tracking

📔 Objective

This PR implements client certificate authentication (mTLS) support for the iOS app when connecting to self-hosted Bitwarden environments that require client certificates.

Key Features:

  • PKCS#12 (.p12/.pfx) certificate import with password support
  • Secure certificate storage independent of user login
  • mTLS HTTP client integration for server authentication
  • Certificate management UI integrated into self-hosted server configuration
  • Comprehensive error handling and user feedback

Technical Implementation:

  • ClientCertificateConfiguration model for certificate data and metadata
  • ClientCertificateService for secure certificate management operations
  • CertificateHTTPClient with URLSession delegate for mTLS authentication
  • Global certificate storage using existing app settings infrastructure
  • SwiftUI interface for certificate import, display, and removal

This enables users to authenticate with self-hosted Bitwarden servers that require client certificates for enhanced security.

📸 Screenshots

[Two screenshots of the certificate management UI, taken 2025-07-05]

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags) - N/A: Feature is opt-in via certificate import
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements - N/A: No deployment changes needed
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

Key Areas for Review:

  • 🔐 Security implementation of certificate storage and mTLS authentication
  • 🎨 UI/UX integration with existing self-hosted configuration flow
  • 📝 Error handling for various certificate import scenarios
  • ⚡ Performance impact of certificate validation and HTTP client changes
  • 🧪 Test coverage for certificate management workflows

Files to Focus On:

  • ClientCertificateService.swift - Core certificate management logic
  • CertificateHTTPClient.swift - mTLS HTTP client implementation
  • SelfHostedView.swift - UI integration and user experience
  • StateService.swift & AppSettingsStore.swift - Secure storage implementation

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

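The two mechanisms the description names, PKCS#12 import protected by a password and a URLSession delegate that answers the client-certificate challenge, as an added example in Swift. This is not the PR's code: the type names (ClientIdentity, ClientCertificateSessionDelegate, makeMTLSSession), the single-host restriction and the error cases are assumptions made here for illustration.

```swift
import Foundation
import Security

// Added example (not code from the PR): importing a PKCS#12 bundle and presenting
// the resulting identity in response to a URLSession client-certificate challenge.
// Type and function names are hypothetical.

enum ClientCertificateError: Error {
    /// SecPKCS12Import failed; errSecAuthFailed typically means a wrong password,
    /// errSecDecode a file that is not a valid PKCS#12 bundle.
    case importFailed(OSStatus)
    /// The bundle decoded but carried no private key + certificate pair.
    case noIdentityFound
}

/// A private key plus leaf certificate (SecIdentity) and the rest of the chain
/// found in the same PKCS#12 bag.
struct ClientIdentity {
    let identity: SecIdentity
    let chain: [SecCertificate]

    /// Imports a .p12/.pfx blob protected by `password`.
    /// The password is used only for this call and is not retained.
    static func importPKCS12(_ data: Data, password: String) throws -> ClientIdentity {
        let options: [CFString: Any] = [kSecImportExportPassphrase: password]
        var items: CFArray?
        let status = SecPKCS12Import(data as CFData, options as CFDictionary, &items)
        guard status == errSecSuccess else {
            throw ClientCertificateError.importFailed(status)
        }
        guard let bags = items as? [[String: Any]],
              let bag = bags.first,
              let identityRef = bag[kSecImportItemIdentity as String] else {
            throw ClientCertificateError.noIdentityFound
        }
        // kSecImportItemIdentity is documented to hold a SecIdentity.
        let identity = identityRef as! SecIdentity
        let chain = (bag[kSecImportItemCertChain as String] as? [SecCertificate]) ?? []
        return ClientIdentity(identity: identity, chain: chain)
    }

    /// Credential handed to URLSession. `.forSession` keeps it in memory only;
    /// URLSession does not write it to the keychain.
    var credential: URLCredential {
        URLCredential(identity: identity, certificates: chain, persistence: .forSession)
    }
}

/// Session delegate that answers client-certificate challenges, and only for the
/// configured self-hosted host, so the identity is never offered to another server.
final class ClientCertificateSessionDelegate: NSObject, URLSessionDelegate {
    private let clientIdentity: ClientIdentity
    private let allowedHost: String

    init(clientIdentity: ClientIdentity, allowedHost: String) {
        self.clientIdentity = clientIdentity
        self.allowedHost = allowedHost.lowercased()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        switch space.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate:
            guard space.host.lowercased() == allowedHost else {
                // Some other server asked for a client cert: continue without one.
                completionHandler(.performDefaultHandling, nil)
                return
            }
            completionHandler(.useCredential, clientIdentity.credential)
        default:
            // Server trust and every other method: keep the system's default TLS
            // validation. Adding a client certificate must not weaken server checks.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// Builds a session whose TLS handshake presents the imported identity.
/// `p12Data` would be the file the user picked in the import UI.
func makeMTLSSession(p12Data: Data, password: String, host: String) throws -> URLSession {
    let identity = try ClientIdentity.importPKCS12(p12Data, password: password)
    let delegate = ClientCertificateSessionDelegate(clientIdentity: identity, allowedHost: host)
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
```

Two points a reviewer would check in any implementation of this shape: the server-trust challenge must still fall through to default handling, since answering it with `.useCredential` would disable hostname and chain validation; and if the identity has to survive app restarts, a practitioner would persist the SecIdentity in the keychain rather than the raw .p12 bytes together with their password, so that the password never has to be stored at all. The OSStatus surfaced by `importFailed` is what the import UI can map to user-facing messages such as "wrong password" versus "not a valid certificate file".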
@jalenfran jalenfran requested review from matt-livefront and a team as code owners July 6, 2025 01:17
@CLAassistant
CLAassistant commented Jul 6, 2025

CLA assistant check
All committers have signed the CLA.

@bitwarden-bot
Thank you for your contribution! We've added this to our internal Community PR board for review.
ID: PM-23409
Link: https://bitwarden.atlassian.net/browse/PM-23409

Details on our contribution process can be found here: https://contributing.bitwarden.com/contributing/pull-requests/community-pr-process.

@bitwarden-bot bitwarden-bot changed the title feat: Add client certificate authentication (mTLS) support for self-hosted environments [PM-23409] feat: Add client certificate authentication (mTLS) support for self-hosted environments Jul 6, 2025
@KeenMaron
Any updates on this implementation?

@jalenfran

Any updates on this implementation?

Just waiting on any comments

@maxkpower
Hey @jalenfran, thanks a lot for your PR! Please excuse the long silence, an automation issue unfortunately kept this ticket off our review board. We do want to support mTLS and will be reviewing the PR shortly.

@xXxNIKIxXx
@maxkpower, do you have any updates on this? I would love to fully enroll Bitwarden, but without mTLS it is too insecure. Is there an ETA or new status?
