android: Load the private key and certificates separately in android_creds_t
authorTobias Brunner <tobias@strongswan.org>
Sun, 23 Sep 2012 07:02:58 +0000 (09:02 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 24 Sep 2012 15:12:18 +0000 (17:12 +0200)
src/frontends/android/jni/libandroidbridge/backend/android_creds.c
src/frontends/android/jni/libandroidbridge/charonservice.h
src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java

index 931f223..e0f6e8e 100644 (file)
@@ -143,7 +143,6 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
 {
        linked_list_t *encodings;
        certificate_t *cert = NULL, *ca_cert;
-       private_key_t *key = NULL;
        chunk_t *current;
 
        encodings = charonservice->get_user_certificate(charonservice);
@@ -154,31 +153,21 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
 
        while (encodings->remove_first(encodings, (void**)&current) == SUCCESS)
        {
-               if (!key)
-               {       /* the first element is the private key, we assume RSA */
-                       key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-                                                                        BUILD_BLOB_ASN1_DER, *current, BUILD_END);
-                       if (key)
-                       {
-                               this->creds->add_key(this->creds, key);
-                               free_encoding(current);
-                               continue;
-                       }
-                       goto failed;
-               }
                if (!cert)
-               {       /* the next element is the user certificate */
+               {       /* the first element is the user certificate */
                        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                                          BUILD_BLOB_ASN1_DER, *current, BUILD_END);
-                       if (cert)
+                       if (!cert)
                        {
-                               DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
-                                        cert->get_subject(cert));
-                               cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+                               DBG1(DBG_CFG, "failed to load user certificate");
                                free_encoding(current);
-                               continue;
+                               break;
                        }
-                       goto failed;
+                       DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
+                                cert->get_subject(cert));
+                       cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+                       free_encoding(current);
+                       continue;
                }
                /* the rest are CA certificates, we ignore failures */
                ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -191,14 +180,26 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
                }
                free_encoding(current);
        }
-       encodings->destroy(encodings);
-       return cert;
-
-failed:
-       DBG1(DBG_CFG, "failed to load user certificate and private key");
-       free_encoding(current);
        encodings->destroy_function(encodings, (void*)free_encoding);
-       return NULL;
+
+       if (cert)
+       {
+               private_key_t *key;
+
+               key = charonservice->get_user_key(charonservice,
+                                                                                 cert->get_public_key(cert));
+               if (key)
+               {
+                       this->creds->add_key(this->creds, key);
+               }
+               else
+               {
+                       DBG1(DBG_CFG, "failed to load private key");
+                       cert->destroy(cert);
+                       cert = NULL;
+               }
+       }
+       return cert;
 }
 
 METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
index 367c76c..376f550 100644 (file)
@@ -86,12 +86,12 @@ struct charonservice_t {
        linked_list_t *(*get_trusted_certificates)(charonservice_t *this);
 
        /**
-        * Get the configured user certificate chain and private key via JNI
+        * Get the configured user certificate chain via JNI
         *
-        * The first item in the returned list is the private key, followed by the
-        * user certificate and any remaining elements of the certificate chain.
+        * The first item in the returned list is the  user certificate followed
+        * by any remaining elements of the certificate chain.
         *
-        * @return                              list of DER encoded objects (as chunk_t*),
+        * @return                              list of DER encoded certificates (as chunk_t*),
         *                                              NULL on failure
         */
        linked_list_t *(*get_user_certificate)(charonservice_t *this);
index 966fdb9..9247819 100644 (file)
@@ -427,14 +427,13 @@ public class CharonVpnService extends VpnService implements Runnable
        }
 
        /**
-        * Function called via JNI to get a list containing the DER encoded private key
-        * and DER encoded certificates of the user selected certificate chain (beginning
-        * with the user certificate).
+        * Function called via JNI to get a list containing the DER encoded certificates
+        * of the user selected certificate chain (beginning with the user certificate).
         *
         * Since this method is called from a thread of charon's thread pool we are safe
         * to call methods on KeyChain directly.
         *
-        * @return list containing the private key and certificates (first element is the key)
+        * @return list containing the certificates (first element is the user certificate)
         * @throws InterruptedException
         * @throws KeyChainException
         * @throws CertificateEncodingException
@@ -442,14 +441,7 @@ public class CharonVpnService extends VpnService implements Runnable
        private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException
        {
                ArrayList<byte[]> encodings = new ArrayList<byte[]>();
-               String alias = mCurrentUserCertificateAlias;
-               PrivateKey key = KeyChain.getPrivateKey(getApplicationContext(), alias);
-               if (key == null)
-               {
-                       return null;
-               }
-               encodings.add(key.getEncoded());
-               X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), alias);
+               X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), mCurrentUserCertificateAlias);
                if (chain == null || chain.length == 0)
                {
                        return null;