Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 275fce8a authored by Selim Gurun's avatar Selim Gurun
Browse files

Use private key context when necessary 

Bug: 6249185

Due to recent changes to keystore, we cannot rely on encoded key
format anymore. Rather we receive the key context (a pointer to
private key really) and pass it to native openssl. We also keep
the original logic however.

Change-Id: Iefe9f0336dd5f47eec4222fcb6fec58807e7cac0
parent dd8412d4

core/java/android/webkit/BrowserFrame.java

+22 −5
Original line number Diff line number Diff line
@@ -56,6 +56,8 @@ import java.util.Map; 
import java.util.Set;



import org.apache.harmony.security.provider.cert.X509CertImpl;

import org.apache.harmony.xnet.provider.jsse.OpenSSLDSAPrivateKey;

import org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey;



class BrowserFrame extends Handler {
@@ -1104,12 +1106,23 @@ class BrowserFrame extends Handler { 
        SslClientCertLookupTable table = SslClientCertLookupTable.getInstance();

        if (table.IsAllowed(hostAndPort)) {

            // previously allowed

            PrivateKey pkey = table.PrivateKey(hostAndPort);

            if (pkey instanceof OpenSSLRSAPrivateKey) {

                nativeSslClientCert(handle,

                                table.PrivateKey(hostAndPort),

                                    ((OpenSSLRSAPrivateKey)pkey).getPkeyContext(),

                                    table.CertificateChain(hostAndPort));

            } else if (pkey instanceof OpenSSLDSAPrivateKey) {

                nativeSslClientCert(handle,

                                    ((OpenSSLDSAPrivateKey)pkey).getPkeyContext(),

                                    table.CertificateChain(hostAndPort));

            } else {

                nativeSslClientCert(handle,

                                    pkey.getEncoded(),

                                    table.CertificateChain(hostAndPort));

            }

        } else if (table.IsDenied(hostAndPort)) {

            // previously denied

            nativeSslClientCert(handle, null, null);

            nativeSslClientCert(handle, 0, null);

        } else {

            // previously ignored or new

            mCallbackProxy.onReceivedClientCertRequest(
@@ -1296,7 +1309,11 @@ class BrowserFrame extends Handler { 
    private native void nativeSslCertErrorCancel(int handle, int certError);



    native void nativeSslClientCert(int handle,

                                    byte[] pkcs8EncodedPrivateKey,

                                    int ctx,

                                    byte[][] asn1DerEncodedCertificateChain);



    native void nativeSslClientCert(int handle,

                                    byte[] pkey,

                                    byte[][] asn1DerEncodedCertificateChain);



    /**

core/java/android/webkit/ClientCertRequestHandler.java

+39 −12
Original line number Diff line number Diff line
@@ -21,6 +21,8 @@ import java.security.PrivateKey; 
import java.security.cert.CertificateEncodingException;

import java.security.cert.X509Certificate;

import org.apache.harmony.xnet.provider.jsse.NativeCrypto;

import org.apache.harmony.xnet.provider.jsse.OpenSSLDSAPrivateKey;

import org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey;



/**

 * ClientCertRequestHandler: class responsible for handling client
@@ -50,24 +52,49 @@ public final class ClientCertRequestHandler extends Handler { 
     * Proceed with the specified private key and client certificate chain.

     */

    public void proceed(PrivateKey privateKey, X509Certificate[] chain) {

        final byte[] privateKeyBytes = privateKey.getEncoded();

        final byte[][] chainBytes;

        try {

            chainBytes = NativeCrypto.encodeCertificates(chain);

            mTable.Allow(mHostAndPort, privateKeyBytes, chainBytes);

            byte[][] chainBytes = NativeCrypto.encodeCertificates(chain);

            mTable.Allow(mHostAndPort, privateKey, chainBytes);



            if (privateKey instanceof OpenSSLRSAPrivateKey) {

                setSslClientCertFromCtx(((OpenSSLRSAPrivateKey)privateKey).getPkeyContext(),

                           chainBytes);

            } else if (privateKey instanceof OpenSSLDSAPrivateKey) {

                setSslClientCertFromCtx(((OpenSSLDSAPrivateKey)privateKey).getPkeyContext(),

                           chainBytes);

            } else {

                setSslClientCertFromPKCS8(privateKey.getEncoded(),chainBytes);

            }

        } catch (CertificateEncodingException e) {

            post(new Runnable() {

                    public void run() {

                        mBrowserFrame.nativeSslClientCert(mHandle, privateKeyBytes, chainBytes);

                        mBrowserFrame.nativeSslClientCert(mHandle, 0, null);

                        return;

                    }

                });

        } catch (CertificateEncodingException e) {

        }

    }



    /**

     * Proceed with the specified private key bytes and client certificate chain.

     */

    private void setSslClientCertFromCtx(final int ctx, final byte[][] chainBytes) {

        post(new Runnable() {

                public void run() {

                        mBrowserFrame.nativeSslClientCert(mHandle, null, null);

                        return;

                    mBrowserFrame.nativeSslClientCert(mHandle, ctx, chainBytes);

                }

            });

    }



    /**

     * Proceed with the specified private key context and client certificate chain.

     */

    private void setSslClientCertFromPKCS8(final byte[] key, final byte[][] chainBytes) {

        post(new Runnable() {

                public void run() {

                    mBrowserFrame.nativeSslClientCert(mHandle, key, chainBytes);

                }

            });

    }



    /**
@@ -76,7 +103,7 @@ public final class ClientCertRequestHandler extends Handler { 
    public void ignore() {

        post(new Runnable() {

                public void run() {

                    mBrowserFrame.nativeSslClientCert(mHandle, null, null);

                    mBrowserFrame.nativeSslClientCert(mHandle, 0, null);

                }

            });

    }
@@ -88,7 +115,7 @@ public final class ClientCertRequestHandler extends Handler { 
        mTable.Deny(mHostAndPort);

        post(new Runnable() {

                public void run() {

                    mBrowserFrame.nativeSslClientCert(mHandle, null, null);

                    mBrowserFrame.nativeSslClientCert(mHandle, 0, null);

                }

            });

    }

core/java/android/webkit/SslClientCertLookupTable.java

+5 −4
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package android.webkit;



import java.security.PrivateKey;

import java.util.HashMap;

import java.util.HashSet;

import java.util.Map;
@@ -26,7 +27,7 @@ import java.util.Set; 
 */

final class SslClientCertLookupTable {

    private static SslClientCertLookupTable sTable;

    private final Map<String, byte[]> privateKeys;

    private final Map<String, PrivateKey> privateKeys;

    private final Map<String, byte[][]> certificateChains;

    private final Set<String> denied;
@@ -38,12 +39,12 @@ final class SslClientCertLookupTable { 
    }



    private SslClientCertLookupTable() {

        privateKeys = new HashMap<String, byte[]>();

        privateKeys = new HashMap<String, PrivateKey>();

        certificateChains = new HashMap<String, byte[][]>();

        denied = new HashSet<String>();

    }



    public void Allow(String host_and_port, byte[] privateKey, byte[][] chain) {

    public void Allow(String host_and_port, PrivateKey privateKey, byte[][] chain) {

        privateKeys.put(host_and_port, privateKey);

        certificateChains.put(host_and_port, chain);

        denied.remove(host_and_port);
@@ -63,7 +64,7 @@ final class SslClientCertLookupTable { 
        return denied.contains(host_and_port);

    }



    public byte[] PrivateKey(String host_and_port) {

    public PrivateKey PrivateKey(String host_and_port) {

        return privateKeys.get(host_and_port);

    }