From 0d5277d7380ed5ae61216c7041bbafe934827613 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 15 Jun 2021 16:45:45 +0200 Subject: Number of miscellenous fixes and clean ups --- .../openvpn/api/ExternalCertificateProvider.aidl | 21 +++++++- .../externalcertprovider/ExternalCertService.java | 58 ++++++++++++---------- .../blinkt/externalcertprovider/SimpleSigner.java | 7 ++- 3 files changed, 55 insertions(+), 31 deletions(-) (limited to 'tlsexternalcertprovider/src') diff --git a/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl b/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl index c6db965b..951cff96 100644 --- a/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl +++ b/tlsexternalcertprovider/src/main/aidl/de/blinkt/openvpn/api/ExternalCertificateProvider.aidl @@ -1,16 +1,16 @@ // ExternalCertificateProvider.aidl package de.blinkt.openvpn.api; - /* * This is very simple interface that is specialised to have only the minimal set of crypto * operation that are needed for OpenVPN to authenticate with an external certificate */ interface ExternalCertificateProvider { /** + * @deprecated use {@link #getSignedDataWithExtra} instead * Requests signing the data with RSA/ECB/PKCS1PADDING * for RSA certficate and with NONEwithECDSA for EC certificates - * @parm alias the parameter that + * @param alias user certificate identifier */ byte[] getSignedData(in String alias, in byte[] data); @@ -36,4 +36,21 @@ interface ExternalCertificateProvider { * */ Bundle getCertificateMetaData(in String alias); + + /** + * Requests signing the data with RSA/ECB/PKCS1PADDING or RSA/ECB/nopadding + * for RSA certficate and with NONEwithECDSA for EC certificates + * @param alias user certificate identifier + * @param data the data to be signed + * @param extra additional information. + * Should contain the following keys: + *
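Review bot: The added `@deprecated` line sits before the method description, so the text that follows ("Requests signing the data with RSA/ECB/PKCS1PADDING ...") is parsed as part of the deprecation tag rather than as the summary; Javadoc block tags have to come after the description. Move it to just above the parameter line, i.e. `* @deprecated use {@link #getSignedDataWithExtra} instead` directly before `* @param alias user certificate identifier`. While fixing `@parm`, the same comment still misspells `certficate` and still has no `@param data` for the second argument.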

+ */ + byte[] getSignedDataWithExtra(in String alias, in byte[] data, in Bundle extra); } diff --git a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java index caf382dd..a0e66456 100644 --- a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java +++ b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/ExternalCertService.java @@ -12,21 +12,14 @@ import android.os.IBinder; import android.os.RemoteException; import android.text.TextUtils; import de.blinkt.openvpn.api.ExternalCertificateProvider; -import org.bouncycastle.openssl.PEMKeyPair; -import org.bouncycastle.openssl.PEMParser; import javax.crypto.BadPaddingException; -import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import java.io.IOException; -import java.io.StringReader; import java.security.InvalidKeyException; -import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; import java.security.spec.InvalidKeySpecException; -import java.security.spec.PKCS8EncodedKeySpec; import static de.blinkt.externalcertprovider.SelectCertificateActivity.EXTRA_ALIAS; import static de.blinkt.externalcertprovider.SelectCertificateActivity.EXTRA_DESCRIPTION; 
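Review bot: The Javadoc for getSignedDataWithExtra announces that `extra` "Should contain the following keys:" but no key name, value type or default follows in the diff, so an implementer cannot tell how a caller chooses between RSA/ECB/PKCS1PADDING and RSA/ECB/nopadding. Name each key with its type and default, e.g. `* <li>EXTRA_KEY_PLACEHOLDER (boolean): true for PKCS1 padding, false for no padding</li>` with the real key name substituted. Because RSA/ECB/nopadding makes the provider perform a raw private-key operation on caller-supplied bytes, the comment should also state that an implementation must verify the calling package before signing, which is the check the ExternalCertService class comment refers to.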
@@ -37,31 +30,37 @@ import static de.blinkt.externalcertprovider.SelectCertificateActivity.EXTRA_DES * see ExternalOpenVPNService for an example of checking caller's creditionals */ public class ExternalCertService extends Service { + private byte[] doSign(byte[] data) + { + try { + return SimpleSigner.signData(data, false); + + } catch (IOException e) { + e.printStackTrace(); + } catch (NoSuchPaddingException e) { + e.printStackTrace(); + } catch (NoSuchAlgorithmException e) { + e.printStackTrace(); + } catch (IllegalBlockSizeException e) { + e.printStackTrace(); + } catch (BadPaddingException e) { + e.printStackTrace(); + } catch (InvalidKeySpecException e) { + e.printStackTrace(); + } catch (InvalidKeyException e) { + e.printStackTrace(); + } + // Something failed, return null + return null; + } private final ExternalCertificateProvider.Stub mBinder = new ExternalCertificateProvider.Stub() { + + @Override public byte[] getSignedData(String alias, byte[] data) throws RemoteException { - try { - return SimpleSigner.signData(data); - - - } catch (IOException e) { - e.printStackTrace(); - } catch (NoSuchPaddingException e) { - e.printStackTrace(); - } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); - } catch (IllegalBlockSizeException e) { - e.printStackTrace(); - } catch (BadPaddingException e) { - e.printStackTrace(); - } catch (InvalidKeySpecException e) { - e.printStackTrace(); - } catch (InvalidKeyException e) { - e.printStackTrace(); - } - // Something failed, return null + return null; } @@ -79,6 +78,11 @@ public class ExternalCertService extends Service { b.putString(EXTRA_DESCRIPTION, "Super secret example key!"); return b; } + + @Override + public byte[] getSignedDataWithExtra(String alias, byte[] data, Bundle extra) throws RemoteException { + return new byte[0]; + } }; 
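Review bot: getSignedData now ends in a bare `return null;` and the new private doSign is not called anywhere in the diff, so every client of the deprecated but still exported method receives a null signature; presumably the body should be `return doSign(data);`. doSign also passes `false` to SimpleSigner.signData, which selects RSA/ECB/nopadding, while the AIDL contract for getSignedData (and the code this hunk removes) is RSA/ECB/PKCS1PADDING, so that call should read `return SimpleSigner.signData(data, true);` or the padding should become a parameter of doSign. The seven identical catch blocks can collapse to one `catch (IOException | GeneralSecurityException e)` since all six crypto exceptions extend GeneralSecurityException, and returning null after printStackTrace() leaves the client with no indication of which step failed.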
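Review bot: getSignedDataWithExtra returns `new byte[0]` and ignores both `data` and `extra`, so the new non-deprecated entry point hands the VPN client an empty signature. It should delegate to the signer with the padding mode read from `extra`; the Bundle key is not visible in this diff, so the sketch below uses a labelled placeholder. With nopadding the service performs a raw private-key operation on caller-chosen bytes, so the caller-credential check the class comment mentions belongs before this delegation, not after it. doSign is in the previous hunk; its signature is shown here only because the padding flag has to flow through it.

```java
private byte[] doSign(byte[] data, boolean pkcs1padding) {
    try {
        return SimpleSigner.signData(data, pkcs1padding);
    // … unchanged: catch blocks, return null …

// … unchanged: mBinder, getSignedData, getCertificateMetaData …

@Override
public byte[] getSignedDataWithExtra(String alias, byte[] data, Bundle extra) throws RemoteException {
    // PADDING_KEY_PLACEHOLDER stands for the Bundle key documented in ExternalCertificateProvider.aidl
    boolean pkcs1 = extra == null || extra.getBoolean(PADDING_KEY_PLACEHOLDER, true);
    return doSign(data, pkcs1);
}
```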
diff --git a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java index 7d2f6786..ecce2c84 100644 --- a/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java +++ b/tlsexternalcertprovider/src/main/java/de/blinkt/externalcertprovider/SimpleSigner.java @@ -120,7 +120,7 @@ public class SimpleSigner { "hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw=\n" + "-----END CERTIFICATE-----\n"}; - public static byte[] signData(byte[] data) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { + public static byte[] signData(byte[] data, boolean pkcs1padding) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { // This is more or less code that has been just modified long enough that it works // Don't take it as good example how to get a Privatekey StringReader keyreader = new StringReader(SimpleSigner.certchain[0] + SimpleSigner.pemkey); @@ -136,7 +136,10 @@ public class SimpleSigner { // The actual signing Cipher signer; - signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); + if (pkcs1padding) + signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); + else + signer = Cipher.getInstance("RSA/ECB/nopadding"); signer.init(Cipher.ENCRYPT_MODE, key); -- cgit v1.2.3
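Review bot: The new `pkcs1padding` parameter of signData is undocumented and the method has no Javadoc at all, so a caller cannot tell what `false` commits them to. Add at least `@param pkcs1padding true to use RSA/ECB/PKCS1PADDING; false to use RSA/ECB/nopadding, in which case the caller must supply an already padded block of the key's modulus length` above the signature; the existing "Don't take it as good example" comment should stay as the first line of the body. signData's body continues outside this hunk.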
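Review bot: The added `if (pkcs1padding)` / `else` pair is unbraced and splits a one-value choice over four lines, which is the style the rest of the Java code avoids; the separate `Cipher signer;` declaration exists only to satisfy that split. A single line expresses the same choice: `Cipher signer = Cipher.getInstance(pkcs1padding ? "RSA/ECB/PKCS1PADDING" : "RSA/ECB/nopadding");`. The enclosing method starts before this hunk.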