android: Load the private key and certificates separately in android_creds_t
This commit is contained in:
Tobias Brunner
parent
406d680e45
commit
64595464b2
|
|
@ -143,7 +143,6 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
|
|||
{
|
||||
linked_list_t *encodings;
|
||||
certificate_t *cert = NULL, *ca_cert;
|
||||
private_key_t *key = NULL;
|
||||
chunk_t *current;
|
||||
|
||||
encodings = charonservice->get_user_certificate(charonservice);
|
||||
|
|
@ -154,31 +153,21 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
|
|||
|
||||
while (encodings->remove_first(encodings, (void**)¤t) == SUCCESS)
|
||||
{
|
||||
if (!key)
|
||||
{ /* the first element is the private key, we assume RSA */
|
||||
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
|
||||
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
||||
if (key)
|
||||
{
|
||||
this->creds->add_key(this->creds, key);
|
||||
free_encoding(current);
|
||||
continue;
|
||||
}
|
||||
goto failed;
|
||||
}
|
||||
if (!cert)
|
||||
{ /* the next element is the user certificate */
|
||||
{ /* the first element is the user certificate */
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
||||
if (cert)
|
||||
if (!cert)
|
||||
{
|
||||
DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
|
||||
cert->get_subject(cert));
|
||||
cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
|
||||
DBG1(DBG_CFG, "failed to load user certificate");
|
||||
free_encoding(current);
|
||||
continue;
|
||||
break;
|
||||
}
|
||||
goto failed;
|
||||
DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
|
||||
cert->get_subject(cert));
|
||||
cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
|
||||
free_encoding(current);
|
||||
continue;
|
||||
}
|
||||
/* the rest are CA certificates, we ignore failures */
|
||||
ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
|
|
@ -191,14 +180,26 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
|
|||
}
|
||||
free_encoding(current);
|
||||
}
|
||||
encodings->destroy(encodings);
|
||||
return cert;
|
||||
|
||||
failed:
|
||||
DBG1(DBG_CFG, "failed to load user certificate and private key");
|
||||
free_encoding(current);
|
||||
encodings->destroy_function(encodings, (void*)free_encoding);
|
||||
return NULL;
|
||||
|
||||
if (cert)
|
||||
{
|
||||
private_key_t *key;
|
||||
|
||||
key = charonservice->get_user_key(charonservice,
|
||||
cert->get_public_key(cert));
|
||||
if (key)
|
||||
{
|
||||
this->creds->add_key(this->creds, key);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_CFG, "failed to load private key");
|
||||
cert->destroy(cert);
|
||||
cert = NULL;
|
||||
}
|
||||
}
|
||||
return cert;
|
||||
}
|
||||
|
||||
METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
|
||||
|
|
|
|||
|
|
@ -86,12 +86,12 @@ struct charonservice_t {
|
|||
linked_list_t *(*get_trusted_certificates)(charonservice_t *this);
|
||||
|
||||
/**
|
||||
* Get the configured user certificate chain and private key via JNI
|
||||
* Get the configured user certificate chain via JNI
|
||||
*
|
||||
* The first item in the returned list is the private key, followed by the
|
||||
* user certificate and any remaining elements of the certificate chain.
|
||||
* The first item in the returned list is the user certificate followed
|
||||
* by any remaining elements of the certificate chain.
|
||||
*
|
||||
* @return list of DER encoded objects (as chunk_t*),
|
||||
* @return list of DER encoded certificates (as chunk_t*),
|
||||
* NULL on failure
|
||||
*/
|
||||
linked_list_t *(*get_user_certificate)(charonservice_t *this);
|
||||
|
|
|
|||
|
|
@ -427,14 +427,13 @@ public class CharonVpnService extends VpnService implements Runnable
|
|||
}
|
||||
|
||||
/**
|
||||
* Function called via JNI to get a list containing the DER encoded private key
|
||||
* and DER encoded certificates of the user selected certificate chain (beginning
|
||||
* with the user certificate).
|
||||
* Function called via JNI to get a list containing the DER encoded certificates
|
||||
* of the user selected certificate chain (beginning with the user certificate).
|
||||
*
|
||||
* Since this method is called from a thread of charon's thread pool we are safe
|
||||
* to call methods on KeyChain directly.
|
||||
*
|
||||
* @return list containing the private key and certificates (first element is the key)
|
||||
* @return list containing the certificates (first element is the user certificate)
|
||||
* @throws InterruptedException
|
||||
* @throws KeyChainException
|
||||
* @throws CertificateEncodingException
|
||||
|
|
@ -442,14 +441,7 @@ public class CharonVpnService extends VpnService implements Runnable
|
|||
private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException
|
||||
{
|
||||
ArrayList<byte[]> encodings = new ArrayList<byte[]>();
|
||||
String alias = mCurrentUserCertificateAlias;
|
||||
PrivateKey key = KeyChain.getPrivateKey(getApplicationContext(), alias);
|
||||
if (key == null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
encodings.add(key.getEncoded());
|
||||
X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), alias);
|
||||
X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), mCurrentUserCertificateAlias);
|
||||
if (chain == null || chain.length == 0)
|
||||
{
|
||||
return null;
|
||||
|
|
|
|||
Loading…
Reference in New Issue