android: Load the private key and certificates separately in android_creds_t
This commit is contained in:
parent
406d680e45
commit
64595464b2
|
@ -143,7 +143,6 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
|
||||||
{
|
{
|
||||||
linked_list_t *encodings;
|
linked_list_t *encodings;
|
||||||
certificate_t *cert = NULL, *ca_cert;
|
certificate_t *cert = NULL, *ca_cert;
|
||||||
private_key_t *key = NULL;
|
|
||||||
chunk_t *current;
|
chunk_t *current;
|
||||||
|
|
||||||
encodings = charonservice->get_user_certificate(charonservice);
|
encodings = charonservice->get_user_certificate(charonservice);
|
||||||
|
@ -154,32 +153,22 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
|
||||||
|
|
||||||
while (encodings->remove_first(encodings, (void**)¤t) == SUCCESS)
|
while (encodings->remove_first(encodings, (void**)¤t) == SUCCESS)
|
||||||
{
|
{
|
||||||
if (!key)
|
|
||||||
{ /* the first element is the private key, we assume RSA */
|
|
||||||
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
|
|
||||||
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
|
||||||
if (key)
|
|
||||||
{
|
|
||||||
this->creds->add_key(this->creds, key);
|
|
||||||
free_encoding(current);
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
goto failed;
|
|
||||||
}
|
|
||||||
if (!cert)
|
if (!cert)
|
||||||
{ /* the next element is the user certificate */
|
{ /* the first element is the user certificate */
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||||
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
||||||
if (cert)
|
if (!cert)
|
||||||
{
|
{
|
||||||
|
DBG1(DBG_CFG, "failed to load user certificate");
|
||||||
|
free_encoding(current);
|
||||||
|
break;
|
||||||
|
}
|
||||||
DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
|
DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
|
||||||
cert->get_subject(cert));
|
cert->get_subject(cert));
|
||||||
cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
|
cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
|
||||||
free_encoding(current);
|
free_encoding(current);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
goto failed;
|
|
||||||
}
|
|
||||||
/* the rest are CA certificates, we ignore failures */
|
/* the rest are CA certificates, we ignore failures */
|
||||||
ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||||
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
|
||||||
|
@ -191,14 +180,26 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
|
||||||
}
|
}
|
||||||
free_encoding(current);
|
free_encoding(current);
|
||||||
}
|
}
|
||||||
encodings->destroy(encodings);
|
|
||||||
return cert;
|
|
||||||
|
|
||||||
failed:
|
|
||||||
DBG1(DBG_CFG, "failed to load user certificate and private key");
|
|
||||||
free_encoding(current);
|
|
||||||
encodings->destroy_function(encodings, (void*)free_encoding);
|
encodings->destroy_function(encodings, (void*)free_encoding);
|
||||||
return NULL;
|
|
||||||
|
if (cert)
|
||||||
|
{
|
||||||
|
private_key_t *key;
|
||||||
|
|
||||||
|
key = charonservice->get_user_key(charonservice,
|
||||||
|
cert->get_public_key(cert));
|
||||||
|
if (key)
|
||||||
|
{
|
||||||
|
this->creds->add_key(this->creds, key);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
DBG1(DBG_CFG, "failed to load private key");
|
||||||
|
cert->destroy(cert);
|
||||||
|
cert = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return cert;
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
|
METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
|
||||||
|
|
|
@ -86,12 +86,12 @@ struct charonservice_t {
|
||||||
linked_list_t *(*get_trusted_certificates)(charonservice_t *this);
|
linked_list_t *(*get_trusted_certificates)(charonservice_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the configured user certificate chain and private key via JNI
|
* Get the configured user certificate chain via JNI
|
||||||
*
|
*
|
||||||
* The first item in the returned list is the private key, followed by the
|
* The first item in the returned list is the user certificate followed
|
||||||
* user certificate and any remaining elements of the certificate chain.
|
* by any remaining elements of the certificate chain.
|
||||||
*
|
*
|
||||||
* @return list of DER encoded objects (as chunk_t*),
|
* @return list of DER encoded certificates (as chunk_t*),
|
||||||
* NULL on failure
|
* NULL on failure
|
||||||
*/
|
*/
|
||||||
linked_list_t *(*get_user_certificate)(charonservice_t *this);
|
linked_list_t *(*get_user_certificate)(charonservice_t *this);
|
||||||
|
|
|
@ -427,14 +427,13 @@ public class CharonVpnService extends VpnService implements Runnable
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Function called via JNI to get a list containing the DER encoded private key
|
* Function called via JNI to get a list containing the DER encoded certificates
|
||||||
* and DER encoded certificates of the user selected certificate chain (beginning
|
* of the user selected certificate chain (beginning with the user certificate).
|
||||||
* with the user certificate).
|
|
||||||
*
|
*
|
||||||
* Since this method is called from a thread of charon's thread pool we are safe
|
* Since this method is called from a thread of charon's thread pool we are safe
|
||||||
* to call methods on KeyChain directly.
|
* to call methods on KeyChain directly.
|
||||||
*
|
*
|
||||||
* @return list containing the private key and certificates (first element is the key)
|
* @return list containing the certificates (first element is the user certificate)
|
||||||
* @throws InterruptedException
|
* @throws InterruptedException
|
||||||
* @throws KeyChainException
|
* @throws KeyChainException
|
||||||
* @throws CertificateEncodingException
|
* @throws CertificateEncodingException
|
||||||
|
@ -442,14 +441,7 @@ public class CharonVpnService extends VpnService implements Runnable
|
||||||
private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException
|
private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException
|
||||||
{
|
{
|
||||||
ArrayList<byte[]> encodings = new ArrayList<byte[]>();
|
ArrayList<byte[]> encodings = new ArrayList<byte[]>();
|
||||||
String alias = mCurrentUserCertificateAlias;
|
X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), mCurrentUserCertificateAlias);
|
||||||
PrivateKey key = KeyChain.getPrivateKey(getApplicationContext(), alias);
|
|
||||||
if (key == null)
|
|
||||||
{
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
encodings.add(key.getEncoded());
|
|
||||||
X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), alias);
|
|
||||||
if (chain == null || chain.length == 0)
|
if (chain == null || chain.length == 0)
|
||||||
{
|
{
|
||||||
return null;
|
return null;
|
||||||
|
|
Loading…
Reference in New Issue