diff options
| author | cyberta <cyberta@riseup.net> | 2023-07-25 16:30:49 +0000 |
|---|---|---|
| committer | cyberta <cyberta@riseup.net> | 2023-07-25 16:30:49 +0000 |
| commit | a27fc2100f1aa826843c3fd61313d3e5858c23ca (patch) | |
| tree | 0e242fa18e5b68b4b8ae8babdf5ea5e76bae2982 /app/src/main/aidl | |
| parent | b6988c2279542f5a7ed4c993a4ddd1230bf9e25f (diff) | |
| parent | 4d59ff9b49eee136f4260356ac969c1b461a6366 (diff) | |
Merge branch 'audit_fixes' into 'master'
reliability improvements
See merge request leap/bitmask_android!248
Diffstat (limited to 'app/src/main/aidl')
| -rw-r--r-- | app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl b/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl index c6db965b..1f77b15f 100644 --- a/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl +++ b/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl @@ -1,16 +1,16 @@ // ExternalCertificateProvider.aidl package de.blinkt.openvpn.api; - /* * This is very simple interface that is specialised to have only the minimal set of crypto * operation that are needed for OpenVPN to authenticate with an external certificate */ interface ExternalCertificateProvider { /** + * @deprecated use {@link #getSignedDataWithExtra} instead * Requests signing the data with RSA/ECB/PKCS1PADDING * for RSA certficate and with NONEwithECDSA for EC certificates - * @parm alias the parameter that + * @param alias user certificate identifier */ byte[] getSignedData(in String alias, in byte[] data); @@ -36,4 +36,33 @@ interface ExternalCertificateProvider { * */ Bundle getCertificateMetaData(in String alias); + + /** + * Requests signing the data with RSA/ECB/nopadding, RSA/ECB/PKCS1PADDING or PKCS1PSSPADDING + * for RSA certficate and with NONEwithECDSA for EC certificates + * @param alias user certificate identifier + * @param data the data to be signed + * @param extra additional information. + * Should contain the following keys: + * <ul> + * <li>int key "de.blinkt.openvpn.api.RSA_PADDING_TYPE", may be set as: + * <ul> + * <li>0 - for RSA/ECB/nopadding + * <li>1 - for RSA/ECB/PKCS1PADDING + * <li>2 - for PKCS1PSSPADDING + * </ul> + * <li>string key "de.blinkt.openvpn.api.SALTLEN", may be set as: + * <ul> + * <li>"digest" - use the same salt size as the hash to sign + * <li>"max" - use maximum possible saltlen which is '(nbits-1)/8 - hlen - 2'. Here + * 'nbits' is the number of bits in the key modulus and 'hlen' is the size in octets of + * the hash. See: RFC 8017 sec 8.1.1 and 9.1.1. + * </ul> + * <li>boolean key "de.blinkt.openvpn.api.NEEDS_DIGEST", indicating that the data should be + * hashed before signing or not + * <li>string key "de.blinkt.openvpn.api.DIGEST", the short common digest algorithm name to + * use (such as SHA256, SHA224, etc.) + * </ul> + */ + byte[] getSignedDataWithExtra(in String alias, in byte[] data, in Bundle extra); } |