Implement certificate authentication via external provider

author: Arne Schwabe <arne@rfc2549.org> 2018-08-06 18:19:41 +0200
committer: Arne Schwabe <arne@rfc2549.org> 2018-08-06 18:19:41 +0200
commit: b9ac2b15eac3e5e5f9dc89c948ec8278e2e7c1f9 (patch)
tree: 63f371b4ae6555b15f76c5a13ed2e26c192895dc /tlsexternalcertprovider
parent: 7b7940186fafcdf4bb15ea8e087b8cf345cd53c8 (diff)
8 files changed, 208 insertions, 138 deletions
diff --git a/tlsexternalcertprovider/build.gradle b/tlsexternalcertprovider/build.gradle
index 945bfef5..cbc48ce1 100644
--- a/tlsexternalcertprovider/build.gradle
+++ b/tlsexternalcertprovider/build.gradle
@@ -44,11 +44,12 @@ android {
 dependencies {
     implementation fileTree(dir: 'libs', include: ['*.jar'])
     implementation (
-    'org.bouncycastle:bcprov-jdk15on:'  + bouncycastleVersion,
-    'org.bouncycastle:bcprov-ext-jdk15on:' + bouncycastleVersion,
-    'org.bouncycastle:bcpkix-jdk15on:' + bouncycastleVersion,
+    //'org.bouncycastle:bcprov-jdk15on:'  + bouncycastleVersion,
+    //'org.bouncycastle:bcprov-ext-jdk15on:' + bouncycastleVersion,
+    //'org.bouncycastle:bcpkix-jdk15on:' + bouncycastleVersion,
     'org.bouncycastle:bcmail-jdk15on:' + bouncycastleVersion,
-    'org.bouncycastle:bcpg-jdk15on:' + bouncycastleVersion
+    //'org.bouncycastle:bcpg-jdk15on:' + bouncycastleVersion
     )
 
+    testImplementation 'junit:junit:4.12'
 }
diff --git a/tlsexternalcertprovider/src/main/AndroidManifest.xml b/tlsexternalcertprovider/src/main/AndroidManifest.xml
index 3ca07874..44af9254 100644
--- a/tlsexternalcertprovider/src/main/AndroidManifest.xml
+++ b/tlsexternalcertprovider/src/main/AndroidManifest.xml
@@ -14,7 +14,7 @@
             android:label="@string/app_name"
             android:roundIcon="@mipmap/ic_launcher_round"
             android:supportsRtl="true"
-            >
+    >
 
         <!--
              OpenVPN for android will search for all application that have a activity that fulfils this
@@ -24,9 +24,11 @@
              the already selected alias will be provided in the extra android.security.extra.KEY_ALIAS
              if applicable
         -->
-        <activity android:name=".SelectCertificateActivity">
+        <activity android:name=".SelectCertificateActivity"
+                  android:exported="true">
             <intent-filter>
-                <category android:name="de.blinkt.openvpn.CertProviderSelect"/>
+                <action android:name="de.blinkt.openvpn.api.ExternalCertificateConfiguration"/>
+                <category android:name="android.intent.category.DEFAULT" />
             </intent-filter>
         </activity>
 
@@ -35,7 +37,7 @@
                 android:name=".ExternalCertService"
                 tools:ignore="ExportedService">
             <intent-filter>
-                <action android:name="de.blinkt.openvpn.api.ExternalCertificateProvider" />
+                <action android:name="de.blinkt.openvpn.api.ExternalCertificateProvider"/>
             </intent-filter>
         </service>
     </application>
diff --git a/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl b/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl
index d1e1a4bf..c6db965b 100644
--- a/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl
+++ b/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl
@@ -12,17 +12,28 @@ interface ExternalCertificateProvider {
      * for RSA certficate and with NONEwithECDSA for EC certificates
      * @parm alias the parameter that
      */
-    byte[] getSignedData(String alias, in byte[] data);
+    byte[] getSignedData(in String alias, in byte[] data);
 
     /**
-     * Requests a
+     * Requests the certificate chain for the selected alias
+     * The first certifcate returned is assumed to be
+     * the user certificate
      */
-    String[] getCertificateChain(in String alias);
+    byte[] getCertificateChain(in String alias);
 
     /**
-     * request an Intent that should be started when user uses the select certificate box
-     * the already selected alias will be provided in the extra android.security.extra.KEY_ALIAS
-     * if applicable
+     * This function is called for the app to get additional meta information from the
+     * external provider and will be called with the stored alias in the app
+     *
+     * For external app provider that do not provide an activity to configure them, this
+     * is used to get the alias that should be used.
+     * The format is the same as the activity should return, i.e.
+     *
+     * EXTRA_ALIAS = "de.blinkt.openvpn.api.KEY_ALIAS"
+     * EXTRA_DESCRIPTION = "de.blinkt.openvpn.api.KEY_DESCRIPTION"
+     *
+     * as the keys for the bundle.
+     *
      */
-
+    Bundle getCertificateMetaData(in String alias);
 }
diff --git a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java
index 5948a2b2..caf382dd 100644
--- a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java
+++ b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java
@@ -7,8 +7,10 @@ package de.blinkt.externalcertprovider;
 
 import android.app.Service;
 import android.content.Intent;
+import android.os.Bundle;
 import android.os.IBinder;
 import android.os.RemoteException;
+import android.text.TextUtils;
 import de.blinkt.openvpn.api.ExternalCertificateProvider;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
@@ -26,6 +28,9 @@ import java.security.PrivateKey;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 
+import static de.blinkt.externalcertprovider.SelectCertificateActivity.EXTRA_ALIAS;
+import static de.blinkt.externalcertprovider.SelectCertificateActivity.EXTRA_DESCRIPTION;
+
 /**
  * This is a VERY basic implementation.
  * It does not even check if the service is even allowed to use the API
@@ -33,128 +38,14 @@ import java.security.spec.PKCS8EncodedKeySpec;
  */
 public class ExternalCertService extends Service {
 
-    String pemkey = "-----BEGIN PRIVATE KEY-----\n" +
-            "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsZY/pEsIaW+ZW\n" +
-            "KgipgjotRHijADuwn+cnEECT7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLw\n" +
-            "SNr8FY3Exm0LmfErgwAK0yojC+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwd\n" +
-            "VyBxF4/3KJ4+B87s1Q5CTx50R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rR\n" +
-            "WNNE/loEAf8Gepf3/eNXSOHw30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhY\n" +
-            "HJMiC3X6qNbgtS8tudT+uU+G4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83\n" +
-            "DG9b/WHxAgMBAAECggEBAIOdaCpUD02trOh8LqZxowJhBOl7z7/ex0uweMPk67LT\n" +
-            "i5AdVHwOlzwZJ8oSIknoOBEMRBWcLQEojt1JMuL2/R95emzjIKshHHzqZKNulFvB\n" +
-            "TIUpdnwChTKtH0mqUkLlPU3Ienty4IpNlpmfUKimfbkWHERdBJBHbtDsTABhdo3X\n" +
-            "9pCF/yRKqJS2Fy/Mkl3gv1y/NB1OL4Jhl7vQbf+kmgfQN2qdOVe2BOKQ8NlPUDmE\n" +
-            "/1XNIDaE3s6uvUaoFfwowzsCCwN2/8QrRMMKkjvV+lEVtNmQdYxj5Xj5IwS0vkK0\n" +
-            "6icsngW87cpZxxc1zsRWcSTloy5ohub4FgKhlolmigECgYEA+cBlxzLvaMzMlBQY\n" +
-            "kCac9KQMvVL+DIFHlZA5i5L/9pRVp4JJwj3GUoehFJoFhsxnKr8HZyLwBKlCmUVm\n" +
-            "VxnshRWiAU18emUmeAtSGawlAS3QXhikVZDdd/L20YusLT+DXV81wlKR97/r9+17\n" +
-            "klQOLkSdPm9wcMDOWMNHX8bUg8kCgYEA8k+hQv6+TR/+Beao2IIctFtw/EauaJiJ\n" +
-            "wW5ql1cpCLPMAOQUvjs0Km3zqctfBF8mUjdkcyJ4uhL9FZtfywY22EtRIXOJ/8VR\n" +
-            "we65mVo6RLR8YVM54sihanuFOnlyF9LIBWB+9pUfh1/Y7DSebh7W73uxhAxQhi3Y\n" +
-            "QwfIQIFd8OkCgYBalH4VXhLYhpaYCiXSej6ot6rrK2N6c5Tb2MAWMA1nh+r84tMP\n" +
-            "gMoh+pDgYPAqMI4mQbxUmqZEeoLuBe6VHpDav7rPECRaW781AJ4ZM4cEQ3Jz/inz\n" +
-            "4qOAMn10CF081/Ez9ykPPlU0bsYNWHNd4eB2xWnmUBKOwk7UgJatVPaUiQKBgQCI\n" +
-            "f18CVGpzG9CHFnaK8FCnMNOm6VIaTcNcGY0mD81nv5Dt943P054BQMsAHTY7SjZW\n" +
-            "HioRyZtkhonXAB2oSqnekh7zzxgv4sG5k3ct8evdBCcE1FNJc2eqikZ0uDETRoOy\n" +
-            "s7cRxNNr+QxDkyikM+80HOPU1PMPgwfOSrX90GJQ8QKBgEBKohGMV/sNa4t14Iau\n" +
-            "qO8aagoqh/68K9GFXljsl3/iCSa964HIEREtW09Qz1w3dotEgp2w8bsDa+OwWrLy\n" +
-            "0SY7T5jRViM3cDWRlUBLrGGiL0FiwsfqiRiji60y19erJgrgyGVIb1kIgIBRkgFM\n" +
-            "2MMweASzTmZcri4PA/5C0HYb\n" +
-            "-----END PRIVATE KEY-----\n";
-
-    String[] certchain = new String[]{"-----BEGIN CERTIFICATE-----\n" +
-            "MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL\n" +
-            "MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t\n" +
-            "VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy\n" +
-            "MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT\n" +
-            "Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50\n" +
-            "MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3\n" +
-            "DQEBAQUAA4IBDwAwggEKAoIBAQDsZY/pEsIaW+ZWKgipgjotRHijADuwn+cnEECT\n" +
-            "7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLwSNr8FY3Exm0LmfErgwAK0yoj\n" +
-            "C+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwdVyBxF4/3KJ4+B87s1Q5CTx50\n" +
-            "R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rRWNNE/loEAf8Gepf3/eNXSOHw\n" +
-            "30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhYHJMiC3X6qNbgtS8tudT+uU+G\n" +
-            "4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83DG9b/WHxAgMBAAGjgcgwgcUw\n" +
-            "CQYDVR0TBAIwADAdBgNVHQ4EFgQU0rQ2D7H83aXqKvfHI4n64/p6RB0wgZgGA1Ud\n" +
-            "IwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJBgNVBAYTAktH\n" +
-            "MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ\n" +
-            "Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQChTt76\n" +
-            "kPKugTANBgkqhkiG9w0BAQsFAAOCAgEAf+D+hKfs32KlzTzB5kKxMRLwudqnnj+9\n" +
-            "llK2/FV0ZD7k/36q9z4GGF9zhfjI4GcbTZfKBdA3BzNkm+Z4dxSaVbsqrMN/yRUI\n" +
-            "g1zIwmHTcUwFCyvLo4dtoDLtsLMnl0pVjQEqMFZoq/LaXBBzyaoKnEtMoFtRbgp+\n" +
-            "bFOAsADhHppMCjeeIIm8xeV5WLdF/9PEof3ZeD1FFnTfgkQdHYFQWrkyTOJPPw46\n" +
-            "ZVpkgzspMcSZiLzFhDnyGRLhZtDq+3Wx0ie+kVmjKwnVXL9GjtZn1gvs2qvwgBmH\n" +
-            "ZAepd7FeDOLFHWqsXSPzMHU2TsrDTrBNjCzOUmFj3tX17+8KayMlJjw68sPCFhk/\n" +
-            "qTK6aPnJEjw+xh//m070kLBj9dEzADBa6CT6NUSbaoDzpsx7PHNfUMQwcdh0kCcK\n" +
-            "AU6lXrH42sJhgRGuKaOP+n5MTmKxAN6S449qLtrZOF1rfA3kAarIxm2LzcDIbuRX\n" +
-            "IYr2RjDZrVGhh5amU8kexrvD61X+jNZc1cbzyrBg0tQqH4iU00wa2gyU/sFdDSrb\n" +
-            "mSld9t0WxMhNdJ6A2dCq7XvjMORH2PUVwXG4xv3u/J6yX7W3ku3/yjf2x4K0VBOb\n" +
-            "g82Hi35k9i5UOiKxxcH0pSVTmk2oD+c1S4nfGYNmZNnb0WErJBsdRET7STCHt0kj\n" +
-            "CAKK4CXz9EM=\n" +
-            "-----END CERTIFICATE-----\n"
-            ,
-            "-----BEGIN CERTIFICATE-----\n" +
-                    "MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV\n" +
-                    "BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM\n" +
-                    "T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w\n" +
-                    "HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL\n" +
-                    "MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t\n" +
-                    "VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq\n" +
-                    "hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88\n" +
-                    "8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb\n" +
-                    "GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF\n" +
-                    "qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5\n" +
-                    "CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG\n" +
-                    "KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy\n" +
-                    "n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS\n" +
-                    "rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF\n" +
-                    "YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV\n" +
-                    "HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow\n" +
-                    "4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y\n" +
-                    "YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO\n" +
-                    "BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ\n" +
-                    "BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE\n" +
-                    "ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h\n" +
-                    "aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG\n" +
-                    "9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj\n" +
-                    "Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth\n" +
-                    "rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I\n" +
-                    "AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P\n" +
-                    "ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J\n" +
-                    "kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR\n" +
-                    "9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu\n" +
-                    "5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+\n" +
-                    "65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV\n" +
-                    "y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa\n" +
-                    "hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw=\n" +
-                    "-----END CERTIFICATE-----\n"};
     private final ExternalCertificateProvider.Stub mBinder = new ExternalCertificateProvider.Stub() {
 
         @Override
         public byte[] getSignedData(String alias, byte[] data) throws RemoteException {
             try {
-
-                // This is more or less code that has been just modified long enough that it works
-                // Don't take it as good example how to get a Privatekey
-                StringReader keyreader = new StringReader(certchain + pemkey);
-                PEMParser pemparser = new PEMParser(keyreader);
-
-                PEMKeyPair bcKeyPair = (PEMKeyPair) pemparser.readObject();
-
-                PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bcKeyPair.getPrivateKeyInfo().getEncoded());
-                KeyFactory kf = KeyFactory.getInstance("RSA");
-                PrivateKey key = kf.generatePrivate(keySpec);
-
-                // The actual signing
-
-                Cipher signer;
-                signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
+                return SimpleSigner.signData(data);
 
 
-                signer.init(Cipher.ENCRYPT_MODE, key);
-
-                byte[] signed_bytes = signer.doFinal(data);
-                return signed_bytes;
             } catch (IOException e) {
                 e.printStackTrace();
             } catch (NoSuchPaddingException e) {
@@ -176,12 +67,22 @@ public class ExternalCertService extends Service {
         }
 
         @Override
-        public String[] getCertificateChain(String alias) throws RemoteException {
+        public byte[] getCertificateChain(String alias) throws RemoteException {
+
+            return TextUtils.join("\n", SimpleSigner.certchain).getBytes();
+        }
 
-            return certchain;
+        @Override
+        public Bundle getCertificateMetaData(String alias){
+            Bundle b = new Bundle();
+            b.putString(EXTRA_ALIAS, "mynicecert");
+            b.putString(EXTRA_DESCRIPTION, "Super secret example key!");
+            return b;
         }
     };
 
+
+
     @Override
     public void onCreate() {
         super.onCreate();
diff --git a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SelectCertificateActivity.java b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SelectCertificateActivity.java
index 8d465aa4..3b59b7ac 100644
--- a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SelectCertificateActivity.java
+++ b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SelectCertificateActivity.java
@@ -11,6 +11,9 @@ import android.security.KeyChain;
 import android.os.Bundle;
 
 public class SelectCertificateActivity extends Activity {
+    public static final String EXTRA_ALIAS = "de.blinkt.openvpn.api.KEY_ALIAS";
+    public static final String EXTRA_DESCRIPTION = "de.blinkt.openvpn.api.KEY_DESCRIPTION";
+
 
     @Override
     protected void onCreate(Bundle savedInstanceState) {
@@ -19,8 +22,10 @@ public class SelectCertificateActivity extends Activity {
         findViewById(R.id.nicecert).setOnClickListener((v) ->
         {
             Intent intent = new Intent();
-            intent.putExtra(KeyChain.EXTRA_KEY_ALIAS, "mynicecert");
-            setResult(RESULT_OK);
+            intent.putExtra(EXTRA_ALIAS, "mynicecert");
+            intent.putExtra(EXTRA_DESCRIPTION, "Super secret example key!");
+            setResult(RESULT_OK, intent);
+            finish();
         });
     }
 }
diff --git a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java
new file mode 100644
index 00000000..7d2f6786
--- /dev/null
+++ b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2012-2018 Arne Schwabe
+ * Distributed under the GNU GPL v2 with additional terms. For full terms see the file doc/LICENSE.txt
+ */
+
+package de.blinkt.externalcertprovider;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import java.io.IOException;
+import java.io.StringReader;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+public class SimpleSigner {
+    final static String pemkey = "-----BEGIN PRIVATE KEY-----\n" +
+            "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsZY/pEsIaW+ZW\n" +
+            "KgipgjotRHijADuwn+cnEECT7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLw\n" +
+            "SNr8FY3Exm0LmfErgwAK0yojC+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwd\n" +
+            "VyBxF4/3KJ4+B87s1Q5CTx50R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rR\n" +
+            "WNNE/loEAf8Gepf3/eNXSOHw30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhY\n" +
+            "HJMiC3X6qNbgtS8tudT+uU+G4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83\n" +
+            "DG9b/WHxAgMBAAECggEBAIOdaCpUD02trOh8LqZxowJhBOl7z7/ex0uweMPk67LT\n" +
+            "i5AdVHwOlzwZJ8oSIknoOBEMRBWcLQEojt1JMuL2/R95emzjIKshHHzqZKNulFvB\n" +
+            "TIUpdnwChTKtH0mqUkLlPU3Ienty4IpNlpmfUKimfbkWHERdBJBHbtDsTABhdo3X\n" +
+            "9pCF/yRKqJS2Fy/Mkl3gv1y/NB1OL4Jhl7vQbf+kmgfQN2qdOVe2BOKQ8NlPUDmE\n" +
+            "/1XNIDaE3s6uvUaoFfwowzsCCwN2/8QrRMMKkjvV+lEVtNmQdYxj5Xj5IwS0vkK0\n" +
+            "6icsngW87cpZxxc1zsRWcSTloy5ohub4FgKhlolmigECgYEA+cBlxzLvaMzMlBQY\n" +
+            "kCac9KQMvVL+DIFHlZA5i5L/9pRVp4JJwj3GUoehFJoFhsxnKr8HZyLwBKlCmUVm\n" +
+            "VxnshRWiAU18emUmeAtSGawlAS3QXhikVZDdd/L20YusLT+DXV81wlKR97/r9+17\n" +
+            "klQOLkSdPm9wcMDOWMNHX8bUg8kCgYEA8k+hQv6+TR/+Beao2IIctFtw/EauaJiJ\n" +
+            "wW5ql1cpCLPMAOQUvjs0Km3zqctfBF8mUjdkcyJ4uhL9FZtfywY22EtRIXOJ/8VR\n" +
+            "we65mVo6RLR8YVM54sihanuFOnlyF9LIBWB+9pUfh1/Y7DSebh7W73uxhAxQhi3Y\n" +
+            "QwfIQIFd8OkCgYBalH4VXhLYhpaYCiXSej6ot6rrK2N6c5Tb2MAWMA1nh+r84tMP\n" +
+            "gMoh+pDgYPAqMI4mQbxUmqZEeoLuBe6VHpDav7rPECRaW781AJ4ZM4cEQ3Jz/inz\n" +
+            "4qOAMn10CF081/Ez9ykPPlU0bsYNWHNd4eB2xWnmUBKOwk7UgJatVPaUiQKBgQCI\n" +
+            "f18CVGpzG9CHFnaK8FCnMNOm6VIaTcNcGY0mD81nv5Dt943P054BQMsAHTY7SjZW\n" +
+            "HioRyZtkhonXAB2oSqnekh7zzxgv4sG5k3ct8evdBCcE1FNJc2eqikZ0uDETRoOy\n" +
+            "s7cRxNNr+QxDkyikM+80HOPU1PMPgwfOSrX90GJQ8QKBgEBKohGMV/sNa4t14Iau\n" +
+            "qO8aagoqh/68K9GFXljsl3/iCSa964HIEREtW09Qz1w3dotEgp2w8bsDa+OwWrLy\n" +
+            "0SY7T5jRViM3cDWRlUBLrGGiL0FiwsfqiRiji60y19erJgrgyGVIb1kIgIBRkgFM\n" +
+            "2MMweASzTmZcri4PA/5C0HYb\n" +
+            "-----END PRIVATE KEY-----\n";
+    final static String[] certchain = new String[]{"-----BEGIN CERTIFICATE-----\n" +
+            "MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL\n" +
+            "MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t\n" +
+            "VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy\n" +
+            "MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT\n" +
+            "Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50\n" +
+            "MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3\n" +
+            "DQEBAQUAA4IBDwAwggEKAoIBAQDsZY/pEsIaW+ZWKgipgjotRHijADuwn+cnEECT\n" +
+            "7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLwSNr8FY3Exm0LmfErgwAK0yoj\n" +
+            "C+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwdVyBxF4/3KJ4+B87s1Q5CTx50\n" +
+            "R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rRWNNE/loEAf8Gepf3/eNXSOHw\n" +
+            "30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhYHJMiC3X6qNbgtS8tudT+uU+G\n" +
+            "4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83DG9b/WHxAgMBAAGjgcgwgcUw\n" +
+            "CQYDVR0TBAIwADAdBgNVHQ4EFgQU0rQ2D7H83aXqKvfHI4n64/p6RB0wgZgGA1Ud\n" +
+            "IwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJBgNVBAYTAktH\n" +
+            "MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ\n" +
+            "Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQChTt76\n" +
+            "kPKugTANBgkqhkiG9w0BAQsFAAOCAgEAf+D+hKfs32KlzTzB5kKxMRLwudqnnj+9\n" +
+            "llK2/FV0ZD7k/36q9z4GGF9zhfjI4GcbTZfKBdA3BzNkm+Z4dxSaVbsqrMN/yRUI\n" +
+            "g1zIwmHTcUwFCyvLo4dtoDLtsLMnl0pVjQEqMFZoq/LaXBBzyaoKnEtMoFtRbgp+\n" +
+            "bFOAsADhHppMCjeeIIm8xeV5WLdF/9PEof3ZeD1FFnTfgkQdHYFQWrkyTOJPPw46\n" +
+            "ZVpkgzspMcSZiLzFhDnyGRLhZtDq+3Wx0ie+kVmjKwnVXL9GjtZn1gvs2qvwgBmH\n" +
+            "ZAepd7FeDOLFHWqsXSPzMHU2TsrDTrBNjCzOUmFj3tX17+8KayMlJjw68sPCFhk/\n" +
+            "qTK6aPnJEjw+xh//m070kLBj9dEzADBa6CT6NUSbaoDzpsx7PHNfUMQwcdh0kCcK\n" +
+            "AU6lXrH42sJhgRGuKaOP+n5MTmKxAN6S449qLtrZOF1rfA3kAarIxm2LzcDIbuRX\n" +
+            "IYr2RjDZrVGhh5amU8kexrvD61X+jNZc1cbzyrBg0tQqH4iU00wa2gyU/sFdDSrb\n" +
+            "mSld9t0WxMhNdJ6A2dCq7XvjMORH2PUVwXG4xv3u/J6yX7W3ku3/yjf2x4K0VBOb\n" +
+            "g82Hi35k9i5UOiKxxcH0pSVTmk2oD+c1S4nfGYNmZNnb0WErJBsdRET7STCHt0kj\n" +
+            "CAKK4CXz9EM=\n" +
+            "-----END CERTIFICATE-----\n"
+            ,
+            "-----BEGIN CERTIFICATE-----\n" +
+                    "MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV\n" +
+                    "BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM\n" +
+                    "T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w\n" +
+                    "HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL\n" +
+                    "MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t\n" +
+                    "VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq\n" +
+                    "hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88\n" +
+                    "8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb\n" +
+                    "GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF\n" +
+                    "qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5\n" +
+                    "CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG\n" +
+                    "KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy\n" +
+                    "n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS\n" +
+                    "rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF\n" +
+                    "YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV\n" +
+                    "HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow\n" +
+                    "4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y\n" +
+                    "YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO\n" +
+                    "BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ\n" +
+                    "BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE\n" +
+                    "ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h\n" +
+                    "aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG\n" +
+                    "9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj\n" +
+                    "Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth\n" +
+                    "rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I\n" +
+                    "AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P\n" +
+                    "ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J\n" +
+                    "kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR\n" +
+                    "9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu\n" +
+                    "5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+\n" +
+                    "65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV\n" +
+                    "y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa\n" +
+                    "hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw=\n" +
+                    "-----END CERTIFICATE-----\n"};
+
+    public static byte[] signData(byte[] data) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+        // This is more or less code that has been just modified long enough that it works
+        // Don't take it as good example how to get a Privatekey
+        StringReader keyreader = new StringReader(SimpleSigner.certchain[0] + SimpleSigner.pemkey);
+        PEMParser pemparser = new PEMParser(keyreader);
+
+        X509CertificateHolder cert = (X509CertificateHolder) pemparser.readObject();
+        PrivateKeyInfo keyInfo = (PrivateKeyInfo) pemparser.readObject();
+
+        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyInfo.getEncoded());
+        KeyFactory kf = KeyFactory.getInstance("RSA");
+        PrivateKey key = kf.generatePrivate(keySpec);
+
+        // The actual signing
+
+        Cipher signer;
+        signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
+
+
+        signer.init(Cipher.ENCRYPT_MODE, key);
+
+        byte[] signed_bytes = signer.doFinal(data);
+        return signed_bytes;
+    }
+}
diff --git a/tlsexternalcertprovider/src/main/res/values/strings.xml b/tlsexternalcertprovider/src/main/res/values/strings.xml
index dca6fe10..a8324931 100644
--- a/tlsexternalcertprovider/src/main/res/values/strings.xml
+++ b/tlsexternalcertprovider/src/main/res/values/strings.xml
@@ -4,5 +4,5 @@
   -->
 
 <resources>
-    <string name="app_name">ExternalCertProvider</string>
+    <string name="app_name">Blinkt Demo Provider</string>
 </resources>
diff --git a/tlsexternalcertprovider/src/test/java/de/blinkt/externalcertprovider/ExampleUnitTest.java b/tlsexternalcertprovider/src/test/java/de/blinkt/externalcertprovider/SignDataTest.java
index 785f56a9..7b4e0764 100644
--- a/tlsexternalcertprovider/src/test/java/de/blinkt/externalcertprovider/ExampleUnitTest.java
+++ b/tlsexternalcertprovider/src/test/java/de/blinkt/externalcertprovider/SignDataTest.java
@@ -5,8 +5,10 @@
 
 package de.blinkt.externalcertprovider;
 
+import de.blinkt.openvpn.api.ExternalCertificateProvider;
 import org.junit.Test;
 
+import static junit.framework.Assert.assertEquals;
 import static org.junit.Assert.*;
 
 /**
@@ -14,9 +16,10 @@ import static org.junit.Assert.*;
  *
  * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
  */
-public class ExampleUnitTest {
+public class SignDataTest {
     @Test
-    public void addition_isCorrect() {
-        assertEquals(4, 2 + 2);
+    public void testSignData() throws Exception
+    {
+        SimpleSigner.signData(new byte[]{1,2,3,4,5,6,7,8});
     }
 }
 \ No newline at end of file
author	Arne Schwabe <arne@rfc2549.org>	2018-08-06 18:19:41 +0200
committer	Arne Schwabe <arne@rfc2549.org>	2018-08-06 18:19:41 +0200
commit	b9ac2b15eac3e5e5f9dc89c948ec8278e2e7c1f9 (patch)
tree	63f371b4ae6555b15f76c5a13ed2e26c192895dc /tlsexternalcertprovider
parent	7b7940186fafcdf4bb15ea8e087b8cf345cd53c8 (diff)