Create custom openvpn for android client to generate private key in TEE

I want to create a custom OpenVPN for Android client that satisfies my requirements. In typical mode, clients have a configuration file (.ovpn file) that they use to connect to the OpenVPN server. The authentication procedure can be either username/password or certificate-based. But I want the key generation procedure to be done on the client (mobile), not on the server side, so that the private key remains completely private and the server has no access to it.

I mean changing the code of the OpenVPN for Android client to generate the key pair in the TEE (trusted execution environment) of the mobile device, then create a CSR (Certificate Signing Request) and send the CSR file to the OpenVPN server; the server signs the CSR, creates a CRT (certificate file) and sends it back to the client. The client stores the CRT file in the TEE and communicates with the OpenVPN server using the private key/certificate from then on.

Is this scenario possible? Does anyone have any idea about implementing this feature?

Tags: android, openvpn, ics-openvpn, trusted-execution-environment

asked Nov 21 '18 at 10:42
ofskyMohsen

1 Answer

    I mean changing the code of the OpenVPN for Android client to generate the key pair in the TEE (trusted execution environment) of the mobile device

This can easily be done in the TEE. Assuming you are using OP-TEE OS, for example, you can use the GlobalPlatform API to generate a key pair from your Trusted Application. If you are using another TEE OS, this will of course also be possible, assuming it offers the functionality.

    and then create a CSR (Certificate Signing Request)

Depending on the support offered by the TEE, this is also possible. OP-TEE OS has support for X.509 certificates using mbedTLS.

Or, your client application can ask the Trusted Application for the public key in PEM format and call OpenSSL, mbedTLS or any other library to create the CSR.

    and send the CSR file to the OpenVPN server; the server signs the CSR, creates a CRT (certificate file) and sends it back to the client. The client stores the CRT file in the TEE and communicates with the OpenVPN server using the private key/certificate from then on.

Your client application would have to send the certificate request and inject the signed certificate into the Trusted Application, which then will have to check that the private key and the public key of the certificate match.

This is a possible scenario; however, OpenVPN will need to have a way to verify the client, and thus will have to call a verify/certify function that uses the certificate and private key stored in the TEE.

answered Nov 23 '18 at 18:10
Stoogy

Nexus mobiles have the Trusty TEE OS. The Android API for the TEE is Keystore. Can you provide me with some code example for implementing this feature in Java code in an Android application?

– ofskyMohsen
Nov 27 '18 at 9:19
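The comment asks for the Keystore variant of the flow in Java. What follows is an added example written for this page, not code from the answerer, from ics-openvpn or from the OpenVPN project. It walks the three steps from the question against the Android Keystore (the app-facing API to the device TEE that the comment names): generate a non-exportable EC key, build a PKCS#10 CSR whose signature is computed inside the Keystore, and install the CA-signed certificate only after checking that it belongs to that key and was issued by the expected CA (the public/private match the answer says the client must verify). Assumptions: the BouncyCastle bcpkix library is on the classpath for the CSR classes (Android's bundled BC does not include them), the key alias `openvpn-client-key` and the class and method names are hypothetical, and the transport that carries the CSR to the server and the certificate back (an authenticated HTTPS enrolment endpoint, say) is out of scope.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

/** Hypothetical helper (not ics-openvpn code): client-side enrolment on top of the Android Keystore. */
public final class TeeVpnIdentity {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "openvpn-client-key";   // hypothetical alias

    /** Step 1: generate a P-256 signing key pair inside the Keystore; the private half is never exportable. */
    public static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        return kpg.generateKeyPair();   // Keystore also stores a placeholder self-signed cert under ALIAS
    }

    /** Step 2: build a PKCS#10 CSR. BouncyCastle assembles the request; the Keystore computes the signature. */
    public static byte[] buildCsr(KeyPair kp, String subjectDn) throws Exception {
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(subjectDn), kp.getPublic())
                .build(new KeystoreContentSigner(kp.getPrivate()));
        return csr.getEncoded();   // DER; PEM-wrap it if the enrolment endpoint expects PEM
    }

    /**
     * Step 3: install the CA-signed certificate next to the key. Refuse it unless it carries the public key
     * of OUR Keystore key and verifies under the expected CA; otherwise a spoofed reply could bind a foreign
     * certificate to this identity.
     */
    public static void installCertificate(X509Certificate signed, X509Certificate issuerCa) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        byte[] ourPublic = ks.getCertificate(ALIAS).getPublicKey().getEncoded();
        if (!Arrays.equals(ourPublic, signed.getPublicKey().getEncoded())) {
            throw new SecurityException("certificate does not match the Keystore key pair");
        }
        signed.checkValidity();
        signed.verify(issuerCa.getPublicKey());   // throws unless signed by the expected CA
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        // Passing the Keystore's own PrivateKey object back replaces only the certificate chain; no key bytes move.
        ks.setKeyEntry(ALIAS, key, null, new Certificate[] { signed, issuerCa });
    }

    /** Later connections: sign handshake data with the Keystore key when the VPN core asks for a signature. */
    public static byte[] sign(byte[] toBeSigned) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(ALIAS, null));
        sig.update(toBeSigned);
        return sig.sign();
    }

    /** Adapter letting BouncyCastle sign with a key it cannot read: it only ever receives the finished signature. */
    private static final class KeystoreContentSigner implements ContentSigner {
        private final ByteArrayOutputStream tbs = new ByteArrayOutputStream();
        private final PrivateKey key;

        KeystoreContentSigner(PrivateKey key) { this.key = key; }

        @Override public AlgorithmIdentifier getAlgorithmIdentifier() {
            return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withECDSA");
        }

        @Override public OutputStream getOutputStream() { return tbs; }

        @Override public byte[] getSignature() {
            try {
                Signature sig = Signature.getInstance("SHA256withECDSA");
                sig.initSign(key);   // JCA selects the AndroidKeyStore provider because the key lives there
                sig.update(tbs.toByteArray());
                return sig.sign();
            } catch (Exception e) {
                throw new IllegalStateException("Keystore signing failed", e);
            }
        }
    }
}
```

Two notes on fitting this to the answer's last point. OpenVPN itself never gets to read the key: its `--management-external-key` mechanism (the same one ics-openvpn uses for Android KeyChain certificates) hands the TLS handshake's to-be-signed bytes to the app over the management interface, and a method like `sign()` above returns the signature, so the private key stays inside the Keystore exactly as the question requires. If the server should issue certificates only for hardware-backed keys, calling `setAttestationChallenge(serverNonce)` on the `KeyGenParameterSpec.Builder` (Android 7 and later) makes the Keystore attach a key-attestation certificate chain that the server can validate before signing the CSR.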
