On Wed, Dec 28, 2011 at 9:26 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Wed, 2011-12-28 at 20:16 +0000, Vilmos Nebehaj wrote:
>> the attached patch makes it possible to use the keystore on Android to retrieve
>> certificates and private keys. I tested it on Android 2.3.
>
> Thanks; this looks useful. A couple of questions...
>
> Rather than being unconditional on Android, should this be new
> CERT_TYPE_KEYSTORE supported in *addition* to the normal file-based
> types?

Good point. I refactored certificate handling in ssl.c, attaching the revised patch.

> Also, I wonder if we're using the Android keystore correctly. It looks
> like you are extracting the private key from the keystore and
> *importing* it into OpenSSL. But if it's a TPM or crypto token or
> something like that, it shouldn't *allow* that operation. It'll *use*
> the key for you, but it won't just *give* it to you. And a well-designed
> OS key store shouldn't allow that either. Are you *sure* that's what
> you're supposed to do?

Pretty sure, the Android keystore is basically just a database service for storing key-value pairs used for security purposes (wifi passwords, certificates, etc). Once it has been unlocked with the necessary privileges any stored item can be retrieved. See https://github.com/CyanogenMod/android_frameworks_base/blob/ics/cmds/keystore/keystore_get.h

> Also, have you looked at the Android authentication GUI at
> https://github.com/srinathduraisamy/OpenConnect ? It would be useful to
> make sure that is using the keystore, since in the end we want only that
> to be doing the authentication; openconnect itself wouldn't be doing
> anything but the final connection.

What is this app supposed to do? With our VPN concentrator it just says 'No peer certificate'. I have actually implemented AnyConnect support in Android 2.3 as a system feature using the built-in VPN framework & openconnect.
See the repositories android_external_openconnect, android_frameworks_base, android_system_core, android_packages_apps_Settings and android_external_openssl at https://github.com/ldx. This openconnect repository contains further commits for further integration. The gingerbread branches from the repos can be used with cyanogenmod7 to build a full ROM with openconnect and the GUI bits in the Settings app. Works great for me with both certificate-based and 2-factor password-based authentication against a Cisco ASA 55xx. I'll write a few lines about how to build it step by step.

I plan to revise this for Android 4.0 since it opens up the possibility of application-level VPN support. I thought I'd just push the Android bits to you first.

Hope this makes the plan clearer. :)

Vilmos

> --
> dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-Android-keystore-support.patch
Type: text/x-patch
Size: 6752 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20111229/5c2449d2/attachment-0001.bin>