authorTobias Brunner <tobias@strongswan.org>2012-09-23 09:02:58 +0200
committerTobias Brunner <tobias@strongswan.org>2012-09-24 17:12:18 +0200
commit64595464b2010b70abb051562df66f35614af0c2 (patch)
tree7cd5805d5f34f502b975951b0eaa4dcf3aca72d5
parent406d680e45303a4652f0829207b56348357362f2 (diff)
android: Load the private key and certificates separately in android_creds_t
-rw-r--r--src/frontends/android/jni/libandroidbridge/backend/android_creds.c55
-rw-r--r--src/frontends/android/jni/libandroidbridge/charonservice.h8
-rw-r--r--src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java16
3 files changed, 36 insertions, 43 deletions
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_creds.c b/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
index 931f22316..e0f6e8e6f 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
@@ -143,7 +143,6 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
{
linked_list_t *encodings;
certificate_t *cert = NULL, *ca_cert;
- private_key_t *key = NULL;
chunk_t *current;
encodings = charonservice->get_user_certificate(charonservice);
@@ -154,31 +153,21 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
while (encodings->remove_first(encodings, (void**)&current) == SUCCESS)
{
- if (!key)
- { /* the first element is the private key, we assume RSA */
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_BLOB_ASN1_DER, *current, BUILD_END);
- if (key)
- {
- this->creds->add_key(this->creds, key);
- free_encoding(current);
- continue;
- }
- goto failed;
- }
if (!cert)
- { /* the next element is the user certificate */
+ { /* the first element is the user certificate */
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB_ASN1_DER, *current, BUILD_END);
- if (cert)
+ if (!cert)
{
- DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
- cert->get_subject(cert));
- cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+ DBG1(DBG_CFG, "failed to load user certificate");
free_encoding(current);
- continue;
+ break;
}
- goto failed;
+ DBG1(DBG_CFG, "loaded user certificate '%Y' and private key",
+ cert->get_subject(cert));
+ cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+ free_encoding(current);
+ continue;
}
/* the rest are CA certificates, we ignore failures */
ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -191,14 +180,26 @@ METHOD(android_creds_t, load_user_certificate, certificate_t*,
}
free_encoding(current);
}
- encodings->destroy(encodings);
- return cert;
-
-failed:
- DBG1(DBG_CFG, "failed to load user certificate and private key");
- free_encoding(current);
encodings->destroy_function(encodings, (void*)free_encoding);
- return NULL;
+
+ if (cert)
+ {
+ private_key_t *key;
+
+ key = charonservice->get_user_key(charonservice,
+ cert->get_public_key(cert));
+ if (key)
+ {
+ this->creds->add_key(this->creds, key);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "failed to load private key");
+ cert->destroy(cert);
+ cert = NULL;
+ }
+ }
+ return cert;
}
METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
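Review bot: The log line kept in the second hunk, `DBG1(DBG_CFG, "loaded user certificate '%Y' and private key", ...)`, is now emitted before any key has been fetched — the key is only looked up after the loop in the third hunk and its failure gets its own "failed to load private key" message — so on that failure path the log claims a key was loaded that never was; it should read `DBG1(DBG_CFG, "loaded user certificate '%Y'", cert->get_subject(cert));`. In the third hunk, `cert` is the reference handed back by add_cert_ref, so `cert->destroy(cert)` on the key-failure path only drops that reference and the user certificate presumably stays in this->creds without a matching key; that is not a regression over the old goto-failed path, but a one-line comment saying so would save the next reader a trip through mem_cred. certificate_t's get_public_key returns a newly created public key, and whether get_user_key releases the reference passed to it cannot be seen in this diff — confirm it does, or destroy it after the call. The enclosing METHOD begins before the first hunk.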
diff --git a/src/frontends/android/jni/libandroidbridge/charonservice.h b/src/frontends/android/jni/libandroidbridge/charonservice.h
index 367c76cd0..376f55014 100644
--- a/src/frontends/android/jni/libandroidbridge/charonservice.h
+++ b/src/frontends/android/jni/libandroidbridge/charonservice.h
@@ -86,12 +86,12 @@ struct charonservice_t {
linked_list_t *(*get_trusted_certificates)(charonservice_t *this);
/**
- * Get the configured user certificate chain and private key via JNI
+ * Get the configured user certificate chain via JNI
*
- * The first item in the returned list is the private key, followed by the
- * user certificate and any remaining elements of the certificate chain.
+ * The first item in the returned list is the user certificate followed
+ * by any remaining elements of the certificate chain.
*
- * @return list of DER encoded objects (as chunk_t*),
+ * @return list of DER encoded certificates (as chunk_t*),
* NULL on failure
*/
linked_list_t *(*get_user_certificate)(charonservice_t *this);
diff --git a/src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java b/src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java
index 966fdb924..924781948 100644
--- a/src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java
+++ b/src/frontends/android/src/org/strongswan/android/logic/CharonVpnService.java
@@ -427,14 +427,13 @@ public class CharonVpnService extends VpnService implements Runnable
}
/**
- * Function called via JNI to get a list containing the DER encoded private key
- * and DER encoded certificates of the user selected certificate chain (beginning
- * with the user certificate).
+ * Function called via JNI to get a list containing the DER encoded certificates
+ * of the user selected certificate chain (beginning with the user certificate).
*
* Since this method is called from a thread of charon's thread pool we are safe
* to call methods on KeyChain directly.
*
- * @return list containing the private key and certificates (first element is the key)
+ * @return list containing the certificates (first element is the user certificate)
* @throws InterruptedException
* @throws KeyChainException
* @throws CertificateEncodingException
@@ -442,14 +441,7 @@ public class CharonVpnService extends VpnService implements Runnable
private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException
{
ArrayList<byte[]> encodings = new ArrayList<byte[]>();
- String alias = mCurrentUserCertificateAlias;
- PrivateKey key = KeyChain.getPrivateKey(getApplicationContext(), alias);
- if (key == null)
- {
- return null;
- }
- encodings.add(key.getEncoded());
- X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), alias);
+ X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), mCurrentUserCertificateAlias);
if (chain == null || chain.length == 0)
{
return null;