
Commit c6663bb

authored
fix(aws-android-sdk-iot): Use cert chain to connect to IoT Core (#2521)
* Fix | Add the possibility to use a certificate chain in order to connect to IoT Core (so that JITP works) * dynamic byte array size * Fix illegal cast
1 parent 8455bd6 commit c6663bb

1 file changed

+30
-14
lines changed

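--- a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotKeystoreHelper.java
+++ b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotKeystoreHelper.java
@@ -38,6 +38,8 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
 * Utility class for working with keystores, private and public keys, and
@@ -116,12 +118,16 @@ public static void saveCertificateAndPrivateKey(String certId, String certPem,
 throw new IllegalArgumentException("keystorePassword cannot be null");
 }
 
-byte[] certBytes = parseDERFromPEM(certPem, AWS_IOT_PEM_BEGIN_CERT_TAG,
+byte[][] certBytes = parseDERFromPEM(certPem, AWS_IOT_PEM_BEGIN_CERT_TAG,
 AWS_IOT_PEM_END_CERT_TAG);
 
 try {
 
-X509Certificate cert = generateCertificateFromDER(certBytes);
+X509Certificate[] xCerts = new X509Certificate[certBytes.length];
+
+for (int i = 0; i < certBytes.length; i++) {
+xCerts[i] = generateCertificateFromDER(certBytes[i]);
+}
 
 KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
 File keystoreFile = new File(keystorePath, keystoreName);
@@ -134,11 +140,9 @@ public static void saveCertificateAndPrivateKey(String certId, String certPem,
 keystore.load(fis, keystorePassword.toCharArray());
 fis.close();
 
-keystore.setCertificateEntry(certId, cert);
+keystore.setCertificateEntry(certId, xCerts[0]);
 keystore.setKeyEntry(certId, privKey, keystorePassword.toCharArray(),
-new Certificate[] {
-cert
-});
+xCerts); // we store the chain
 
 String keystoreFileAndPath;
 
@@ -291,13 +295,17 @@ private static KeyStore getTempKeystore(KeyStore customerKeystore, String certId
 KeyStore tempKeystore = KeyStore.getInstance(KeyStore.getDefaultType());
 tempKeystore.load(null);
 
-X509Certificate cert = (X509Certificate) customerKeystore.getCertificate(certId);
-tempKeystore.setCertificateEntry("cert-alias", cert);
+Certificate[] certs = customerKeystore.getCertificateChain(certId);
+X509Certificate[] xcerts = new X509Certificate[certs.length];
+
+for (int i = 0; i < certs.length; i++) {
+xcerts[i] = (X509Certificate) certs[i];
+}
+
+tempKeystore.setCertificateEntry("cert-alias", xcerts[0]);
 Key key = customerKeystore.getKey(certId, customerKeystorePassword.toCharArray());
 tempKeystore.setKeyEntry("key-alias", key,
-AWS_IOT_INTERNAL_KEYSTORE_PASSWORD.toCharArray(), new Certificate[] {
-cert
-});
+AWS_IOT_INTERNAL_KEYSTORE_PASSWORD.toCharArray(), xcerts);
 
 return tempKeystore;
 
@@ -402,10 +410,18 @@ public static void deleteKeystoreAlias(String certId, String keystorePath, Strin
 * @param endDelimiter beginning delimiter of PEM (ala ----END ...).
 * @return byte array containing certificate data parsed from PEM.
 */
-static byte[] parseDERFromPEM(String data, String beginDelimiter, String endDelimiter) {
+static byte[][] parseDERFromPEM(String data, String beginDelimiter, String endDelimiter) {
 String[] tokens = data.split(beginDelimiter);
-tokens = tokens[1].split(endDelimiter);
-return Base64.decode(tokens[0]);
+List<String> newTokens = new ArrayList<>();
+for (int i = 1; i < tokens.length; i++) {
+newTokens.add(tokens[i].split(endDelimiter)[0]);
+}
+
+byte[][] ders = new byte[newTokens.size()][];
+for (int i = 0; i < newTokens.size(); i++) {
+ders[i] = Base64.decode(newTokens.get(i));
+}
+return ders;
 }
 
 /**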
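Review bot: Nothing in saveCertificateAndPrivateKey checks that parseDERFromPEM returned at least one certificate: with the new loop-based parser a PEM string containing no begin tag yields an empty `xCerts`, and `keystore.setCertificateEntry(certId, xCerts[0])` then fails with an ArrayIndexOutOfBoundsException instead of the IllegalArgumentException the method already uses for its other argument checks; a guard after the conversion loop, `if (xCerts.length == 0) { throw new IllegalArgumentException("certPem contains no certificate"); }`, would make the failure explicit (the method's body starts and continues outside the hunk). The same assumption that element 0 is the end-entity certificate belonging to `privKey` is made in getTempKeystore via `xcerts[0]`, where `getCertificateChain` also returns null for an alias that has no key entry, so `certs.length` would throw a NullPointerException; the expected leaf-first ordering of the PEM blocks should at least be stated in the Javadoc, since the KeyStore API does not appear to verify that the first chain element matches the key. The `@return` tag of parseDERFromPEM still says "byte array containing certificate data" although the method now returns one DER blob per PEM block, e.g. `@return DER-encoded certificates, one per PEM block, in the order they appear in {@code data}`.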
