[PATCH] Add Android keystore support

Vilmos Nebehaj v.nebehaj at gmail.com
Wed Dec 28 20:22:57 EST 2011


On Wed, Dec 28, 2011 at 9:26 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Wed, 2011-12-28 at 20:16 +0000, Vilmos Nebehaj wrote:
>> the attached patch makes it possible to use the keystore on Android to retrieve
>> certificates and private keys.  I tested it on Android 2.3.
>
> Thanks; this looks useful. A couple of questions...
>
> Rather than being unconditional on Android, should this be new
> CERT_TYPE_KEYSTORE supported in *addition* to the normal file-based
> types?

Good point.  I refactored certificate handling in ssl.c; a revised
patch is attached.

> Also, I wonder if we're using the Android keystore correctly. It looks
> like you are extracting the private key from the keystore and
> *importing* it into OpenSSL. But if it's a TPM or crypto token or
> something like that, it shouldn't *allow* that operation. It'll *use*
> the key for you, but it won't just *give* it to you. And a well-designed
> OS key store shouldn't allow that either. Are you *sure* that's what
> you're supposed to do?

Pretty sure, the Android keystore is basically just a database service
for storing key-value pairs used for security purposes (wifi passwords,
certificates, etc).  Once it has been unlocked with the necessary
privileges any stored item can be retrieved.  See
https://github.com/CyanogenMod/android_frameworks_base/blob/ics/cmds/keystore/keystore_get.h

> Also, have you looked at the Android authentication GUI at
> https://github.com/srinathduraisamy/OpenConnect ? It would be useful to
> make sure that is using the keystore, since in the end we want only that
> to be doing the authentication; openconnect itself wouldn't be doing
> anything but the final connection.

What is this app supposed to do?  With our vpn concentrator it just says
'No peer certificate'.

I have actually implemented AnyConnect support in Android 2.3 as a
system feature using the built-in VPN framework & openconnect.  See the
repositories android_external_openconnect, android_frameworks_base,
android_system_core, android_packages_apps_Settings and
android_external_openssl at https://github.com/ldx.  This openconnect
repository contains further commits for further integration.  The gingerbread
branches from the repos can be used with cyanogenmod7 to build a full
ROM with openconnect and the GUI bits in the Settings app.  Works
great for me with both certificate based and 2-factor password based
authentication against a Cisco ASA 55xx.  I'll write a few lines about
how to build it step by step.

I plan to revise this for Android 4.0 since it opens up the possibility of
application level VPN support.  I thought I'd just push the Android bits
to you first.

Hope this makes the plan clearer. :)

Vilmos


> --
> dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-Android-keystore-support.patch
Type: text/x-patch
Size: 6752 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20111229/5c2449d2/attachment-0001.bin>
