initial client-side support for loading trusted roots and client key/cert

src/java/com/wolfssl/provider/jsse/WolfSSLSocketFactory.java

@@ -21,22 +21,29 @@
 
 package com.wolfssl.provider.jsse;
 
-import java.net.InetAddress;
+import java.util.ArrayList;
 import java.io.InputStream;
+import java.io.IOException;
 import java.net.Socket;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.KeyManager;
+import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import java.security.SecureRandom;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateEncodingException;
 
 import com.wolfssl.provider.jsse.WolfSSLParameters.TLS_VERSION;
 
 import com.wolfssl.WolfSSL;
 import com.wolfssl.WolfSSLContext;
 import com.wolfssl.WolfSSLException;
+import com.wolfssl.WolfSSLJNIException;
 
-import java.io.IOException;
-import java.net.UnknownHostException;
 
 public class WolfSSLSocketFactory extends SSLSocketFactory {
 
@@ -73,6 +80,82 @@ public class WolfSSLSocketFactory extends SSLSocketFactory {
                 "compiled into native wolfSSL library");
         }
         ctx = new WolfSSLContext(method);
+
+        try {
+            LoadTrustedRootCerts();
+            LoadClientKeyAndCert();
+
+        } catch (Exception e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+
+    private void LoadTrustedRootCerts() {
+
+        int loadedCACount = 0;
+
+        /* extract root certs from X509TrustManager */
+        X509TrustManager tm = params.getX509TrustManager();
+        X509Certificate[] caList =  tm.getAcceptedIssuers();
+
+        for (int i = 0; i < caList.length; i++) {
+
+            try {
+                byte[] derCert = caList[i].getTBSCertificate();
+
+                ctx.loadVerifyBuffer(derCert, derCert.length,
+                    WolfSSL.SSL_FILETYPE_ASN1);
+
+                loadedCACount++;
+
+            } catch (CertificateEncodingException ce) {
+                /* skip loading if encoding error is encountered */
+            } catch (WolfSSLJNIException we) {
+                /* skip loading if wolfSSL fails to load der encoding */
+            }
+
+            if (loadedCACount == 0) {
+                throw new IllegalArgumentException("wolfSSL failed to load " +
+                    "any trusted CA certificates from TrustManager");
+            }
+        }
+    }
+
+    private void LoadClientKeyAndCert() throws Exception {
+
+        X509KeyManager km = params.getX509KeyManager();
+
+        /* We only load keys from algorithms enabled in native wolfSSL,
+         * and in the priority order of ECC first, then RSA */
+        ArrayList<String> keyAlgos = new ArrayList<String>();
+        if (WolfSSL.EccEnabled()) {
+            keyAlgos.add("ECC");
+        }
+        if (WolfSSL.RsaEnabled()) {
+            keyAlgos.add("RSA");
+        }
+
+        String[] keyStrings = new String[keyAlgos.size()];
+        keyStrings = keyAlgos.toArray(keyStrings);
+
+        String alias = km.chooseClientAlias(keyStrings, null, null);
+
+        /* client private key */
+        PrivateKey privKey = km.getPrivateKey(alias);
+        byte[] privKeyEncoded = privKey.getEncoded();
+        /* TODO: check PrivateKey.getFormat() is acceptable before loading */
+
+        try {
+            ctx.usePrivateKeyBuffer(privKeyEncoded, privKeyEncoded.length,
+                WolfSSL.SSL_FILETYPE_ASN1);
+        } catch (WolfSSLJNIException e) {
+            throw new Exception("Error loading client private key");
+        }
+
+        /* client certificate */
+        X509Certificate[] cert = km.getCertificateChain(alias);
+        /* TODO: convert cert[] to byte array, load with
+           ctx.useCertificateBuffer() */
     }
 
     @Override