[PATCH] Add Android keystore support

David Woodhouse dwmw2 at infradead.org
Wed Dec 28 16:26:40 EST 2011


On Wed, 2011-12-28 at 20:16 +0000, Vilmos Nebehaj wrote:
> the attached patch makes it possible to use the keystore on Android to retrieve
> certificates and private keys.  I tested it on Android 2.3.

Thanks; this looks useful. A couple of questions...

Rather than being unconditional on Android, should this be a new
CERT_TYPE_KEYSTORE supported in *addition* to the normal file-based
types?

Also, I wonder if we're using the Android keystore correctly. It looks
like you are extracting the private key from the keystore and
*importing* it into OpenSSL. But if it's a TPM or crypto token or
something like that, it shouldn't *allow* that operation. It'll *use*
the key for you, but it won't just *give* it to you. And a well-designed
OS key store shouldn't allow that either. Are you *sure* that's what
you're supposed to do?

Also, have you looked at the Android authentication GUI at
https://github.com/srinathduraisamy/OpenConnect ? It would be useful to
make sure that is using the keystore, since in the end we want only that
to be doing the authentication; openconnect itself wouldn't be doing
anything but the final connection.

-- 
dwmw2