On Wed, 2011-12-28 at 20:16 +0000, Vilmos Nebehaj wrote:
> the attached patch makes it possible to use the keystore on Android to retrieve
> certificates and private keys. I tested it on Android 2.3.

Thanks; this looks useful. A couple of questions...

Rather than being unconditional on Android, should this be a new CERT_TYPE_KEYSTORE supported in *addition* to the normal file-based types?

Also, I wonder if we're using the Android keystore correctly. It looks like you are extracting the private key from the keystore and *importing* it into OpenSSL. But if it's a TPM or crypto token or something like that, it shouldn't *allow* that operation. It'll *use* the key for you, but it won't just *give* it to you. And a well-designed OS key store shouldn't allow that either. Are you *sure* that's what you're supposed to do?

Also, have you looked at the Android authentication GUI at https://github.com/srinathduraisamy/OpenConnect ? It would be useful to make sure that is using the keystore, since in the end we want only that to be doing the authentication; openconnect itself wouldn't be doing anything but the final connection.

-- 
dwmw2
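The design point in the reply (a key store should *use* a key on the caller's behalf, never *hand it over*) can be shown in a small model. The following is an added example, not code from this thread, from OpenConnect, or from the Android keystore API; it uses an HMAC secret as a stand-in for the client certificate's private key so that it runs with the Python standard library, and the class and function names are hypothetical. It contrasts the handle-based flow (the app holds only an alias and asks the store to sign) with the extract-then-import flow, which a non-exportable store must refuse, and keeps an audit trail so a reviewer can see which path was taken.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Model of an OS key store (hypothetical API, constructed for this example).

    Keys are generated inside the store and referenced by alias.  Unless a key
    was explicitly created as exportable, the only operations available to a
    caller are sign/verify; asking for the raw key material is refused.
    """

    def __init__(self) -> None:
        self._keys = {}   # alias -> (secret bytes, exportable flag); private to the store
        self.audit = []   # (operation, alias) tuples, so use of each key is visible

    def generate(self, alias: str, exportable: bool = False) -> str:
        # An HMAC secret stands in for an asymmetric private key here.
        self._keys[alias] = (secrets.token_bytes(32), exportable)
        self.audit.append(("generate", alias))
        return alias      # opaque handle: the caller never sees the key bytes

    def sign(self, alias: str, message: bytes) -> bytes:
        key, _ = self._keys[alias]
        self.audit.append(("sign", alias))
        return hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, alias: str, message: bytes, tag: bytes) -> bool:
        expected = self.sign(alias, message)
        return hmac.compare_digest(expected, tag)

    def export_private(self, alias: str) -> bytes:
        key, exportable = self._keys[alias]
        if not exportable:
            self.audit.append(("export_denied", alias))
            raise PermissionError(f"key {alias!r} is not exportable")
        self.audit.append(("export", alias))
        return key


def authenticate_by_handle(store: KeyStore, alias: str, challenge: bytes) -> bytes:
    """The flow the reply recommends: the app keeps only the alias and the
    store performs the signature, so the key never enters the app's memory."""
    return store.sign(alias, challenge)


def authenticate_by_extraction(store: KeyStore, alias: str, challenge: bytes):
    """The flow the reply questions: pull the key out and use it locally
    (as with importing it into OpenSSL).  Returns None when the store refuses."""
    try:
        key = store.export_private(alias)
    except PermissionError:
        return None
    return hmac.new(key, challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    store = KeyStore()
    alias = store.generate("vpn-client")          # non-exportable by default
    challenge = b"constructed server challenge"
    tag = authenticate_by_handle(store, alias, challenge)
    print("handle-based auth verifies:", store.verify(alias, challenge, tag))
    print("extraction attempt result:", authenticate_by_extraction(store, alias, challenge))
    print("audit trail:", store.audit)
```

Running the block shows the handle-based path verifying and the extraction path returning None with an `export_denied` entry in the audit trail; only a key created with `exportable=True` would let the second path succeed, which is exactly the property the reply says a TPM, token, or well-designed OS store should not offer.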