I want to create a custom OpenVpn For Android client that satisfies my requirements. In typical mode , clients have a configuration file (.ovpn file) that they use to connect to OpenVpn server. Authentication procedure can be either username/password or certificate-based. But I want key generation procedure being done in client(mobile) not in server side and private key remains completely private and server doesn't access to it.
I mean changing code of openvpn for android client to generate key pair in TEE (trusted execution environment) of mobile and then creating CSR (Certificate Signing Request) and then sending CSR file to Openvpn server and server signs CSR file and create CRT (Certificate file) and send back to client. Client stores CRT file in TEE and communicate to OpenVpn server using Private key/Certificate in next times.
Is this scenario possible? Anyone has any idea about implementing this feature?
This can easily be done in the TEE. Assuming you are using OPTEE-OS for example, then you can use the Global Platform API to generate a key pair from your Trusted Application. If you are using another TEE-OS this will of course be possible assuming they offer the functionality.
Depending on the support offered by the TEE, this is also possible. OPTEE-OS has support for X509 certificates using mbedTLS.
Or, your Client application can ask the Trusted Application to get the public key under the PEM format and call openssl, mbedTLS or any other library to create the CSR.
Your client application would have to send the certificate request and inject the signed certificate to the Trusted Application, which then will have to check if the private key and public key of the certificate matches.
This is a possible scenario, however OpenVpn will need to have a way to verify the client, and thus, will have to call a function verify/certify which will use the stored certificate and private key in the TEE.