android: Load the private key and certificates separately in android_creds_t

2012-09-23 09:02:58 +02:00 · 2012-09-23 09:02:58 +02:00 · 64595464b2
parent 406d680e45
commit 64595464b2
3 changed files with 36 additions and 43 deletions
--- a/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
@ -143,7 +143,6 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
 {
 	linked_list_t *encodings;
 	certificate_t *cert = NULL, *ca_cert;
 	private_key_t *key = NULL;
 	chunk_t *current;
 	encodings = charonservice->get_user_certificate(charonservice);
@ -154,32 +153,22 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
 	while (encodings->remove_first(encodings, (void**)&current) == SUCCESS)
 	{
 		if (!key)
 		{	/* the first element is the private key, we assume RSA */
 			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 									 BUILD_BLOB_ASN1_DER, *current, BUILD_END);
 			if (key)
 			{
 				this->creds->add_key(this->creds, key);
 				free_encoding(current);
 				continue;
 			}
 			goto failed;
 		}
 		if (!cert)
-		{	/* the next element is the user certificate */
+		{	/* the first element is the user certificate */
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									  BUILD_BLOB_ASN1_DER, *current, BUILD_END);
-			if (cert)
+			if (!cert)
 			{
 				DBG1(DBG_CFG, "failed to load user certificate");
 				free_encoding(current);
 				break;
 			}
 			DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
 				 cert->get_subject(cert));
 			cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
 			free_encoding(current);
 			continue;
 		}
 			goto failed;
 		}
 		/* the rest are CA certificates, we ignore failures */
 		ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									 BUILD_BLOB_ASN1_DER, *current, BUILD_END);
@ -191,14 +180,26 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
 		}
 		free_encoding(current);
 	}
 	encodings->destroy(encodings);
 	return cert;
 failed:
 	DBG1(DBG_CFG, "failed to load user certificate and private key");
 	free_encoding(current);
 	encodings->destroy_function(encodings, (void*)free_encoding);
-	return NULL;
+
 	if (cert)
 	{
 		private_key_t *key;
 		key = charonservice->get_user_key(charonservice,
 										  cert->get_public_key(cert));
 		if (key)
 		{
 			this->creds->add_key(this->creds, key);
 		}
 		else
 		{
 			DBG1(DBG_CFG, "failed to load private key");
 			cert->destroy(cert);
 			cert = NULL;
 		}
 	}
 	return cert;
 }
 METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
--- a/src/frontends/android/jni/libandroidbridge/charonservice.h
+++ b/src/frontends/android/jni/libandroidbridge/charonservice.h
@ -86,12 +86,12 @@ struct charonservice_t {
 	linked_list_t *(*get_trusted_certificates)(charonservice_t *this);
 	/**
-	 * Get the configured user certificate chain and private key via JNI
+	 * Get the configured user certificate chain via JNI
 	 *
-	 * The first item in the returned list is the private key, followed by the
+	 * The first item in the returned list is the  user certificate followed
-	 * user certificate and any remaining elements of the certificate chain.
+	 * by any remaining elements of the certificate chain.
 	 *
-	 * @return				list of DER encoded objects (as chunk_t*),
+	 * @return				list of DER encoded certificates (as chunk_t*),
 	 *						NULL on failure
 	 */
 	linked_list_t *(*get_user_certificate)(charonservice_t *this);
--- a/src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java
+++ b/src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java
@ -427,14 +427,13 @@ public class CharonVpnService extends VpnService implements Runnable
 	}
 	/**
-	 * Function called via JNI to get a list containing the DER encoded private key
+	 * Function called via JNI to get a list containing the DER encoded certificates
-	 * and DER encoded certificates of the user selected certificate chain (beginning
+	 * of the user selected certificate chain (beginning with the user certificate).
 	 * with the user certificate).
 	 *
 	 * Since this method is called from a thread of charon's thread pool we are safe
 	 * to call methods on KeyChain directly.
 	 *
-	 * @return list containing the private key and certificates (first element is the key)
+	 * @return list containing the certificates (first element is the user certificate)
 	 * @throws InterruptedException
 	 * @throws KeyChainException
 	 * @throws CertificateEncodingException
@ -442,14 +441,7 @@ public class CharonVpnService extends VpnService implements Runnable
 	private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException
 	{
 		ArrayList<byte[]> encodings = new ArrayList<byte[]>();
-		String alias = mCurrentUserCertificateAlias;
+		X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), mCurrentUserCertificateAlias);
 		PrivateKey key = KeyChain.getPrivateKey(getApplicationContext(), alias);
 		if (key == null)
 		{
 			return null;
 		}
 		encodings.add(key.getEncoded());
 		X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), alias);
 		if (chain == null || chain.length == 0)
 		{
 			return null;