From a969fe6659ebfa8f1882743f09eb22f7ee4ca913 Mon Sep 17 00:00:00 2001
From: Paul Stewart
Date: Tue, 24 Jan 2017 20:29:02 -0800
Subject: Apply client chain when installing enterprise credentials

Extract the client keychain and install this as a single blob after the client certificate within the blob. Doing so is backwards-compatible since wpa_supplicant will terminate at the end of the client certificate at the end of the first "PEM_read_bio_X509()" call when this blob is retrieved. If wpa_supplicant knows how, it can then retrieve the rest of the keychain using successive PEM_read_bio_X509() calls on the same input data.

Bug: 34688653
Test: Regression tests using WiFi testbed
Change-Id: I9251a4da59ca189a8682c632966fc305c1ec126e
---
 .../java/com/android/server/wifi/WifiKeyStore.java | 23 ++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to 'service')

diff --git a/service/java/com/android/server/wifi/WifiKeyStore.java b/service/java/com/android/server/wifi/WifiKeyStore.java
index b667fd4c9..e36c50188 100644
--- a/service/java/com/android/server/wifi/WifiKeyStore.java
+++ b/service/java/com/android/server/wifi/WifiKeyStore.java
@@ -85,7 +85,8 @@ public class WifiKeyStore {
 boolean ret = true;
 String privKeyName = Credentials.USER_PRIVATE_KEY + name;
 String userCertName = Credentials.USER_CERTIFICATE + name;
- if (config.getClientCertificate() != null) {
+ Certificate[] clientCertificateChain = config.getClientCertificateChain();
+ if (clientCertificateChain != null && clientCertificateChain.length != 0) {
 byte[] privKeyData = config.getClientPrivateKey().getEncoded();
 if (mVerboseLoggingEnabled) {
 if (isHardwareBackedKey(config.getClientPrivateKey())) {
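Review bot: The new guard only checks that the chain is non-empty, but the blob stored under userCertName is consumed leaf-first (the commit message says wpa_supplicant takes the result of the first PEM_read_bio_X509() as the client certificate), and nothing in this hunk verifies that clientCertificateChain[0] is the end-entity certificate that pairs with config.getClientPrivateKey(); a CA-first chain would presumably install the wrong client cert and only fail later during EAP-TLS. If WifiEnterpriseConfig's setter already enforces that ordering, a comment here such as `// chain[0] must be the client cert; the rest of the chain follows it in the PEM blob (ordering enforced by WifiEnterpriseConfig)` would document the dependency; otherwise a check that the first entry is not a CA certificate (e.g. getBasicConstraints() == -1 on an X509Certificate) returning false before installation is the place for it. The following line also dereferences config.getClientPrivateKey() without a null check, so a chain with no key produces an NPE rather than the false return the rest of the method uses; `if (config.getClientPrivateKey() == null) return false;` ahead of getEncoded() would make that failure explicit. The enclosing method starts before this hunk.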
@@ -101,7 +102,7 @@ public class WifiKeyStore {
 return ret;
 }
- ret = putCertInKeyStore(userCertName, config.getClientCertificate());
+ ret = putCertsInKeyStore(userCertName, clientCertificateChain);
 if (!ret) {
 // Remove private key installed
 mKeyStore.delete(privKeyName, Process.WIFI_UID);
@@ -166,9 +167,23 @@ public class WifiKeyStore {
 * @return true on success
 */
 public boolean putCertInKeyStore(String name, Certificate cert) {
+ return putCertsInKeyStore(name, new Certificate[] {cert});
+ }
+
+ /**
+ * Install a client certificate chain into the keystore.
+ *
+ * @param name The alias name of the certificate to be installed
+ * @param certs The certificate chain to be installed
+ * @return true on success
+ */
+ public boolean putCertsInKeyStore(String name, Certificate[] certs) {
 try {
- byte[] certData = Credentials.convertToPem(cert);
- if (mVerboseLoggingEnabled) Log.d(TAG, "putting certificate " + name + " in keystore");
+ byte[] certData = Credentials.convertToPem(certs);
+ if (mVerboseLoggingEnabled) {
+ Log.d(TAG, "putting " + certs.length + " certificate(s) "
+ + name + " in keystore");
+ }
 return mKeyStore.put(name, certData, Process.WIFI_UID, KeyStore.FLAG_NONE);
 } catch (IOException e1) {
 return false;
-- cgit v1.2.3
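Review bot: putCertsInKeyStore never validates certs, and the only failure path visible here is the catch of IOException, so a null array (or, via the single-cert wrapper, a null cert wrapped into a one-element array) would most likely surface as a NullPointerException from certs.length or Credentials.convertToPem instead of the false return callers expect; a guard `if (certs == null || certs.length == 0) return false;` at the top of the method, before the try, would preserve the boolean contract. The new Javadoc should also state the ordering the stored blob relies on: per the commit message the consumer reads the first PEM certificate as the client certificate, so `@param certs` should say the end-entity certificate must be first, with the rest of the chain following in array order. The try block's remaining catch clauses run past the end of the hunk, so whether a non-IOException thrown by convertToPem is handled cannot be seen from here.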