Michsh / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

Using the Android certificate storage doesn't work with hardware-backed cert storage (4.3) #193

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up a connection that uses the Android certificate storage to retrieve an X.509 certificate
2. Try to connect to the VPN
3. The connection aborts, stating that either access to the certificate is not possible or, after reinstalling everything, that no client-side authentication method is specified.

The cause for this is likely that since Android 4.3, some devices support a hardware certificate storage (see https://developer.android.com/reference/android/security/KeyChain.html#isBoundKeyAlgorithm(java.lang.String) and also http://nelenkov.blogspot.de/2012/07/jelly-bean-hardware-backed-credential.html). My Nexus 4 uses such a hardware storage, which can be seen in the security settings and also by querying the method isBoundKeyAlgorithm.

With a hardware-backed certificate storage, the private key can no longer be 
extracted by the API (which is what I suppose OpenVPN is trying to do), but 
only be used for signing and verification with the corresponding Java APIs. 
This makes it possible to generate a key that can never leave the device, but 
obviously also breaks all applications that do their own crypto and need access 
to the actual private key.

This probably can't be fixed easily, since the OpenVPN binary would have to be 
modified to use Android's Java crypto APIs... You could however query for a 
hardware-backed certificate storage with the method isBoundKeyAlgorithm 
referenced above and give an explanation to users if that's the reason why it 
doesn't work, and suggest using a "raw" PKCS#12 cert, which still works as on 
4.2.

Original issue reported on code.google.com by lukas.ri...@gmail.com on 9 Aug 2013 at 7:30
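
The signing path the report describes, written out as an added example (this is not ics-openvpn's code): ask KeyChain.isBoundKeyAlgorithm() whether keys of the certificate's algorithm are hardware-bound, then sign through the KeyChain handle without ever holding key bytes, which is the only operation such a key allows. The class name KeyChainSigner, the method names, and the SHA-256 signature algorithms are assumptions; the alias is whatever KeyChain.choosePrivateKeyAlias() handed back to the app, and the KeyChain calls must run off the main thread, as the Android documentation requires.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;

import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

// Added example; class and method names are assumptions, not ics-openvpn code.
// All methods block on KeyChain and must be called from a background thread.
public final class KeyChainSigner {
    private KeyChainSigner() {}

    /**
     * True when keys of this algorithm ("RSA", "DSA", "EC") are kept in
     * hardware-backed storage on this device (KeyChain.isBoundKeyAlgorithm,
     * API 18+). Such keys can sign but cannot be exported, so an app that
     * needs raw key material should say so and suggest a PKCS#12 file
     * instead of failing with an opaque error.
     */
    public static boolean isHardwareBound(String keyAlgorithm) {
        return KeyChain.isBoundKeyAlgorithm(keyAlgorithm);
    }

    /**
     * Certificate chain for a KeyChain alias. The leaf's public key
     * algorithm is the value to pass to isHardwareBound().
     */
    public static X509Certificate[] certificateChain(Context ctx, String alias)
            throws KeyChainException, InterruptedException {
        X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (chain == null || chain.length == 0) {
            throw new KeyChainException("no certificate chain for alias " + alias);
        }
        return chain;
    }

    /**
     * True if the key behind the alias can be exported. KeyChain.getPrivateKey()
     * returns a handle; for a hardware-bound key getEncoded() is null, so the
     * key material never enters the app's address space.
     */
    public static boolean isExportable(Context ctx, String alias)
            throws KeyChainException, InterruptedException {
        PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        return key != null && key.getEncoded() != null;
    }

    /**
     * Signs 'data' with the private key behind 'alias' without extracting it.
     * Only the Signature engine bound to the handle can use the key, which is
     * exactly the path a hardware-bound key still supports.
     */
    public static byte[] sign(Context ctx, String alias, byte[] data)
            throws KeyChainException, InterruptedException, GeneralSecurityException {
        PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        if (key == null) {
            throw new KeyChainException("no private key for alias " + alias);
        }
        String alg = key.getAlgorithm();
        String sigAlg;
        if ("RSA".equals(alg)) {
            sigAlg = "SHA256withRSA";      // assumption: SHA-256 is acceptable to the peer
        } else if ("EC".equals(alg)) {
            sigAlg = "SHA256withECDSA";
        } else {
            throw new GeneralSecurityException("unsupported key algorithm " + alg);
        }
        Signature sig = Signature.getInstance(sigAlg);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
}
```

A client that first calls isHardwareBound() on the leaf certificate's key algorithm, or isExportable() on the alias, can tell the user up front that the key is bound to the device and that a signing-only integration (or a PKCS#12 file imported into the app itself) is required, rather than letting the native side fail at connect time.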

GoogleCodeExporter commented 9 years ago
Android does use Hardware keystore since Android 4.1 on Nexus devices. Your 
linked article is from 2012. OpenVPN for Android does support this since 
Android 4.1 came out.

I think your problem may be quite different. Can you post a log?

Original comment by arne@rfc2549.org on 9 Aug 2013 at 8:37

GoogleCodeExporter commented 9 years ago
Sure:

Model Nexus 4 (MAKO) google, Android API 18, version 0.5.40, official build
Generating OpenVPN configuration…
started Socket Thread
P:Initializing Google Breakpad!
P:Options error: No client-side authentication method is specified.  You must 
use either --cert/--key, --pkcs12, or --auth-user-pass
P:Use --help for more information.
Process exited with exit value 1

The configuration uses an X.509 certificate, though. I've also tried deleting 
the certificate store and reimporting the cert, to no avail.

Original comment by lukas.ri...@gmail.com on 9 Aug 2013 at 10:12

GoogleCodeExporter commented 9 years ago
Can you send me the generated configuration file? (I think it is better to send 
this via email.) This sounds like a bug when I generate the configuration.

Original comment by arne@rfc2549.org on 9 Aug 2013 at 10:17

GoogleCodeExporter commented 9 years ago
I think i have the same issue, starting yesterday or so.

Running on Nexus 7 (grouper) google, Android API 18, version 0.5.40, official build
Building configuration…
started Socket Thread
Network Status: CONNECTED  to WIFI "SSID"
P:Initializing Google Breakpad!
P:Options error: No client-side authentication method is specified.  You must 
use either --cert/--key, --pkcs12, or --auth-user-pass
P:Use --help for more information.
Process exited with exit value 1

Original comment by bdras...@googlemail.com on 10 Aug 2013 at 10:59

GoogleCodeExporter commented 9 years ago
I pushed a fix for the bug to the repo. You can test the fix by using the beta 
or downloading it from plai.de/android

Original comment by arne@rfc2549.org on 10 Aug 2013 at 3:47

GoogleCodeExporter commented 9 years ago
This issue was closed by revision 705d91c01bed.

Original comment by arne@rfc2549.org on 10 Aug 2013 at 3:47