From 33216d22493fa413996a49df2b1ab1def47f9fa0 Mon Sep 17 00:00:00 2001
From: cyBerta <cyberta@riseup.net>
Date: Wed, 19 Jul 2023 10:23:01 +0200
Subject: Update source code for external key managment based on ics-openvpn
 (some relevant commits: 5e7b841c8d5111e6b63e74944903a168939ca723
 a6de5a9e4d8d757414c5e2f94eb806be9216dda3
 9e704d04dc7f2f93bddf85d371772340fa5af0b1
 4466103d770c353cfb8d4ea08093560ba28d58b8
 b9ac2b15eac3e5e5f9dc89c948ec8278e2e7c1f9
 3cb8f44a92471e43589a80067380d7b262c18c20)

---
 .../openvpn/api/ExternalCertificateProvider.aidl   | 33 ++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

(limited to 'app/src/main/aidl/de/blinkt')

diff --git a/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl b/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl
index c6db965b..1f77b15f 100644
--- a/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl
+++ b/app/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl
@@ -1,16 +1,16 @@
 // ExternalCertificateProvider.aidl
 package de.blinkt.openvpn.api;
 
-
 /*
  * This is very simple interface that is specialised to have only the minimal set of crypto
  * operation that are needed for OpenVPN to authenticate with an external certificate
  */
 interface ExternalCertificateProvider {
     /**
+     * @deprecated use {@link #getSignedDataWithExtra} instead
      * Requests signing the data with RSA/ECB/PKCS1PADDING
      * for RSA certficate and with NONEwithECDSA for EC certificates
-     * @parm alias the parameter that
+     * @param alias user certificate identifier
      */
     byte[] getSignedData(in String alias, in byte[] data);
 
@@ -36,4 +36,33 @@ interface ExternalCertificateProvider {
      *
      */
     Bundle getCertificateMetaData(in String alias);
+
+    /**
+     * Requests signing the data with RSA/ECB/nopadding, RSA/ECB/PKCS1PADDING or PKCS1PSSPADDING
+     * for RSA certficate and with NONEwithECDSA for EC certificates
+     * @param alias user certificate identifier
+     * @param data the data to be signed
+     * @param extra additional information.
+     * Should contain the following keys:
+     * <ul>
+       * <li>int key "de.blinkt.openvpn.api.RSA_PADDING_TYPE", may be set as:
+       * <ul>
+         * <li>0 - for RSA/ECB/nopadding
+         * <li>1 - for RSA/ECB/PKCS1PADDING
+         * <li>2 - for PKCS1PSSPADDING
+       * </ul>
+       * <li>string key "de.blinkt.openvpn.api.SALTLEN", may be set as:
+       * <ul>
+         * <li>"digest" - use the same salt size as the hash to sign
+         * <li>"max" - use maximum possible saltlen which is '(nbits-1)/8 - hlen - 2'. Here
+           * 'nbits' is the number of bits in the key modulus and 'hlen' is the size in octets of
+           * the hash. See: RFC 8017 sec 8.1.1 and 9.1.1.
+       * </ul>
+       * <li>boolean key "de.blinkt.openvpn.api.NEEDS_DIGEST", indicating that the data should be
+         * hashed before signing or not
+       * <li>string key "de.blinkt.openvpn.api.DIGEST", the short common digest algorithm name to
+         * use (such as SHA256, SHA224, etc.)
+     * </ul>
+     */
+    byte[] getSignedDataWithExtra(in String alias, in byte[] data, in Bundle extra);
 }
-- 
cgit v1.2.3