Create custom openvpn for android client to generate private key in TEE











I want to create a custom OpenVPN for Android client that satisfies my requirements. In typical mode, clients have a configuration file (.ovpn file) that they use to connect to the OpenVPN server. The authentication procedure can be either username/password or certificate-based. But I want the key generation procedure to be done on the client (mobile), not on the server side, and the private key to remain completely private, without the server having access to it.

I mean changing the code of the OpenVPN for Android client to generate the key pair in the TEE (trusted execution environment) of the mobile device, then creating a CSR (Certificate Signing Request) and sending the CSR file to the OpenVPN server; the server signs the CSR file, creates a CRT (certificate file) and sends it back to the client. The client stores the CRT file in the TEE and communicates with the OpenVPN server using the private key/certificate from then on.

Is this scenario possible? Does anyone have any idea about implementing this feature?










      android openvpn ics-openvpn trusted-execution-environment






      asked 2 days ago









      ofskyMohsen

          1 Answer
> I mean changing code of openvpn for android client to generate key
> pair in TEE (trusted execution environment) of mobile

This can easily be done in the TEE. Assuming you are using OPTEE-OS, for example, you can use the GlobalPlatform API to generate a key pair from your Trusted Application. If you are using another TEE-OS, this will of course be possible, assuming it offers the functionality.

> and then creating CSR (Certificate Signing Request)

Depending on the support offered by the TEE, this is also possible. OPTEE-OS has support for X509 certificates using mbedTLS.

Or, your Client application can ask the Trusted Application for the public key in PEM format and call openssl, mbedTLS or any other library to create the CSR.

> and then sending CSR file to Openvpn server and server signs CSR file
> and create CRT (Certificate file) and send back to client. Client
> stores CRT file in TEE and communicate to OpenVpn server using Private
> key/Certificate in next times.

Your client application would have to send the certificate request and inject the signed certificate into the Trusted Application, which will then have to check whether the private key and the public key of the certificate match.

This is a possible scenario; however, OpenVpn will need to have a way to verify the client, and thus will have to call a function verify/certify which will use the stored certificate and private key in the TEE.






                answered 13 hours ago









                Stoogy
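
The provisioning flow this answer describes, as an added example that is not part of the original answer or of the OpenVPN or OP-TEE code: it drives the openssl CLI, with a software EC key standing in for the TEE-held key, and goes slightly beyond the answer by also checking that the returned certificate chains to the expected CA. All function names, file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: provisioning flow from the answer, driven with the openssl CLI.
# ASSUMPTION: a software EC key stands in for the key held by the Trusted
# Application; in the real design only the CSR and public key leave the TEE.
# All file names and subject names below are constructed for the demo.

# Client: key pair, exported public key, and CSR signed with the private key.
make_client_csr() {  # $1 = work dir, $2 = client name
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" 2>/dev/null &&
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub" &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
}

# Throwaway CA standing in for the CA behind the OpenVPN server.
make_ca() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-vpn-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# CA: issue a certificate for the CSR. `x509 -req` rejects a CSR whose
# self-signature is invalid, so the requester must hold the private key.
sign_csr() {  # $1 = work dir, $2 = client name
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

# Client, before storing the returned certificate: it must chain to the
# expected CA, and its public key must equal the stored key pair's public key.
cert_matches_key() {  # $1 = cert, $2 = public key PEM, $3 = CA cert
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Issue certificates for two clients, then try to install each one against
# the first client's key. Prints "own=accept other=reject" when the check works.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && make_client_csr "$d" client-a && make_client_csr "$d" client-b &&
        sign_csr "$d" client-a && sign_csr "$d" client-b || { rm -rf "$d"; return 1; }
    if cert_matches_key "$d/client-a.crt" "$d/client-a.pub" "$d/ca.crt"
    then own=accept; else own=reject; fi
    if cert_matches_key "$d/client-b.crt" "$d/client-a.pub" "$d/ca.crt"
    then other=accept; else other=reject; fi
    rm -rf "$d"
    echo "own=$own other=$other"
}

demo
```

The match check needs only public material, so a Trusted Application can run the same comparison on an injected certificate without exposing the private key.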
