[PATCH] Add Android keystore support

David Woodhouse dwmw2 at infradead.org
Thu Dec 29 05:59:11 EST 2011


On Thu, 2011-12-29 at 01:22 +0000, Vilmos Nebehaj wrote:
> On Wed, Dec 28, 2011 at 9:26 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > On Wed, 2011-12-28 at 20:16 +0000, Vilmos Nebehaj wrote:
> >> the attached patch makes it possible to use the keystore on Android to retrieve
> >> certificates and private keys.  I tested it on Android 2.3.
> >
> > Thanks; this looks useful. A couple of questions...
> >
> > Rather than being unconditional on Android, should this be a new
> > CERT_TYPE_KEYSTORE supported in *addition* to the normal file-based
> > types?
> 
> Good point.  I refactored certificate handling in ssl.c, attaching
> revised patch.

That looks better. My only remaining gripe is that you expose the
'keystore' key type even when it's not available. That should be in
#ifdef ANDROID too, shouldn't it?

We should also possibly update the man page?

> > Also, I wonder if we're using the Android keystore correctly. It looks
> > like you are extracting the private key from the keystore and
> > *importing* it into OpenSSL. But if it's a TPM or crypto token or
> > something like that, it shouldn't *allow* that operation. It'll *use*
> > the key for you, but it won't just *give* it to you. And a well-designed
> > OS key store shouldn't allow that either. Are you *sure* that's what
> > you're supposed to do?
> 
> Pretty sure, the android keystore is basically just a database service
> for storing key-value pairs used for security purposes (wifi passwords,
> certificates, etc).

Hm, that sounds like a bloody stupid design for a key store that can
store SSL keys. Either that, or storing SSL keys in it is
inappropriate. 

> > Also, have you looked at the Android authentication GUI at
> > https://github.com/srinathduraisamy/OpenConnect ? 
> 
> What is this app supposed to do?  With our vpn concentrator it just says
> 'No peer certificate'.

It handles the authentication. It's more than just certificate and
username/password — the server can give you any number of arbitrary web
forms with text entry boxes and option choices (see
https://ucbvpn.berkeley.edu/ for an example of the latter).

So the idea is that the GUI tool would interact with the user until
authentication is successful and it's rewarded with the HTTP cookie that
allows the VPN connection to be established. Then that cookie is passed
off to openconnect to make the connection. Along with the final IP
address of the server (after any HTTP redirections you encountered along
the way) and a hash of its SSL certificate fingerprint.

> I have actually implemented Anyconnect support in android 2.3 as a
> system feature using the built-in VPN framework & openconnect.  See the
> repositories  android_external_openconnect, android_frameworks_base,
> android_system_core, android_packages_apps_Settings and
> android_external_openssl at https://github.com/ldx. 

Nice... although didn't Jason Cooper already do a bunch of this for
integration into Cyanogenmod? See http://git.infradead.org/?s=jcooper

It would certainly be good to get this all merged into CM.

-- 
dwmw2


More information about the openconnect-devel mailing list