/*
- * Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2012-2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* for more details.
*/
+#include <unistd.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <time.h>
+
#include "android_creds.h"
#include "../charonservice.h"
#include <credentials/sets/mem_cred.h>
#include <threading/rwlock.h>
+#define CRL_PREFIX "crl-"
+
typedef struct private_android_creds_t private_android_creds_t;
/**
* TRUE if certificates have been loaded via JNI
*/
bool loaded;
+
+ /**
+ * Directory for CRLs
+ */
+ char *crldir;
};
/**
}
}
+/**
+ * Load a CRL from a file
+ */
+static void load_crl(private_android_creds_t *this, char *file)
+{
+ certificate_t *cert;
+ time_t now, notAfter;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ now = time(NULL);
+ if (cert->get_validity(cert, &now, NULL, ¬After))
+ {
+ DBG1(DBG_CFG, "loaded crl issued by '%Y'", cert->get_issuer(cert));
+ this->creds->add_crl(this->creds, (crl_t*)cert);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "deleted crl issued by '%Y', expired (%V ago)",
+ cert->get_issuer(cert), &now, ¬After);
+ unlink(file);
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "loading crl failed");
+ unlink(file);
+ }
+}
+
+/**
+ * Load cached CRLs
+ */
+static void load_crls(private_android_creds_t *this)
+{
+ enumerator_t *enumerator;
+ struct stat st;
+ char *rel, *abs;
+
+ enumerator = enumerator_create_directory(this->crldir);
+ if (enumerator)
+ {
+ while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+ {
+ if (S_ISREG(st.st_mode) && strpfx(rel, CRL_PREFIX))
+ {
+ load_crl(this, abs);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " reading directory '%s' failed", this->crldir);
+ }
+}
+
METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
private_android_creds_t *this, certificate_type_t cert, key_type_t key,
identification_t *id, bool trusted)
{
enumerator_t *enumerator;
- if (cert != CERT_ANY && cert != CERT_X509)
+ switch (cert)
{
- return NULL;
+ case CERT_ANY:
+ case CERT_X509:
+ case CERT_X509_CRL:
+ break;
+ default:
+ return NULL;
}
this->lock->read_lock(this->lock);
if (!this->loaded)
/* check again after acquiring the write lock */
if (!this->loaded)
{
+ load_crls(this);
load_trusted_certificates(this);
this->loaded = TRUE;
}
this->lock);
}
+METHOD(credential_set_t, cache_cert, void,
+ private_android_creds_t *this, certificate_t *cert)
+{
+ if (this->crldir && cert->get_type(cert) == CERT_X509_CRL)
+ {
+ /* CRLs get written to /<app>/<path>/crl-<authkeyId>[-delta] */
+ crl_t *crl = (crl_t*)cert;
+
+ cert->get_ref(cert);
+ if (this->creds->add_crl(this->creds, crl))
+ {
+ char buf[BUF_LEN];
+ chunk_t chunk, hex;
+ bool is_delta_crl;
+
+ is_delta_crl = crl->is_delta_crl(crl, NULL);
+ chunk = crl->get_authKeyIdentifier(crl);
+ hex = chunk_to_hex(chunk, NULL, FALSE);
+ snprintf(buf, sizeof(buf), "%s/%s%s%s", this->crldir, CRL_PREFIX,
+ hex.ptr, is_delta_crl ? "-delta" : "");
+ free(hex.ptr);
+
+ if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+ {
+ if (chunk_write(chunk, buf, 022, TRUE))
+ {
+ DBG1(DBG_CFG, " written crl to file (%d bytes)",
+ chunk.len);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " writing crl to file failed: %s",
+ strerror(errno));
+ }
+ free(chunk.ptr);
+ }
+ }
+ }
+}
+
METHOD(android_creds_t, add_username_password, void,
private_android_creds_t *this, char *username, char *password)
{
clear(this);
this->creds->destroy(this->creds);
this->lock->destroy(this->lock);
+ free(this->crldir);
free(this);
}
/**
* Described in header.
*/
-android_creds_t *android_creds_create()
+android_creds_t *android_creds_create(char *crldir)
{
private_android_creds_t *this;
.create_shared_enumerator = _create_shared_enumerator,
.create_private_enumerator = _create_private_enumerator,
.create_cdp_enumerator = (void*)return_null,
- .cache_cert = (void*)nop,
+ .cache_cert = _cache_cert,
},
.add_username_password = _add_username_password,
.load_user_certificate = _load_user_certificate,
},
.creds = mem_cred_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .crldir = strdupnull(crldir),
);
return &this->public;
PLUGIN_CALLBACK(charonservice_register, NULL),
PLUGIN_PROVIDE(CUSTOM, "android-backend"),
PLUGIN_DEPENDS(CUSTOM, "libcharon"),
+ PLUGIN_DEPENDS(CERT_DECODE, CERT_X509_CRL),
PLUGIN_REGISTER(FETCHER, android_fetcher_create),
PLUGIN_PROVIDE(FETCHER, "http://"),
PLUGIN_PROVIDE(FETCHER, "https://"),
.get_network_manager = _get_network_manager,
},
.attr = android_attr_create(),
- .creds = android_creds_create(),
+ .creds = android_creds_create(appdir),
.builder = vpnservice_builder_create(builder),
.network_manager = network_manager_create(service),
.sockets = linked_list_create(),