store certificates from config events

Author: scareything

lib/Ziti.swift

@@ -334,7 +334,7 @@ import CZitiPrivate
             _ = zkc.deleteCertificate(silent: true)
             let (err, cns) = zkc.storeCertificates(cert)
             guard err == nil else {
-                let errStr = "Unable to store certificate\n"
+                let errStr = "Unable to store certificates\n"
                 log.error(errStr, function:"enroll()")
                 enrollCallback(nil, ZitiError(errStr))
                 return
@@ -418,6 +418,7 @@ import CZitiPrivate
             model_list_append(&ctrls, c.cstring)
         }
 
+        // ziti_context_init copies strings (strdup) for its own use, so it's ok to use references to swift strings here.
         var zitiCfg = ziti_config(
             controller_url: id.ztAPI.cstring,
             controllers: ctrls,
@@ -445,7 +446,7 @@ import CZitiPrivate
                                 pq_domain_cb: postureChecks?.domainQuery != nil ? Ziti.onDomainQuery : nil,
                                 app_ctx: self.toVoidPtr(),
                                 events: ZitiContextEvent.rawValue | ZitiRouterEvent.rawValue | ZitiServiceEvent.rawValue | ZitiAuthEvent.rawValue | ZitiConfigEvent.rawValue,
-                                    event_cb: Ziti.onEvent, cert_extension_window: 0)
+                                    event_cb: Ziti.onEvent, cert_extension_window: 30)
 
         zitiStatus = ziti_context_set_options(self.ztx, &zitiOpts)
         guard zitiStatus == Ziti.ZITI_OK else {
@@ -902,6 +903,15 @@ import CZitiPrivate
         // update ourself
         if event.type == ZitiEvent.EventType.ConfigEvent {
             mySelf.id.ztAPI = event.configEvent!.controllerUrl
+            mySelf.id.ztAPIs = event.configEvent!.controllers
+            let zkc = ZitiKeychain(tag: mySelf.id.id)
+            _ = zkc.deleteCertificate()
+            let (zErr, certCNs) = zkc.storeCertificates(event.configEvent!.cert)
+            if zErr != nil {
+                log.warn("failed to store certificates: \(zErr!.localizedDescription)", function:"onEvent()")
+            } else {
+                mySelf.id.certCNs = certCNs
+            }
             mySelf.id.ca = event.configEvent!.caBundle
         }
 
@@ -1125,7 +1135,14 @@ func scan<
 }
 
 extension String {
+    // use only when scope of c string matches scope of swift string.
     var cstring: UnsafePointer<CChar> {
         (self as NSString).cString(using: String.Encoding.utf8.rawValue)!
     }
+    // use when c string needs to outlive swift string. caller must deallocate() the returned buffer when no longer needed.
+    var allocatedcString: UnsafeMutablePointer<CChar> {
+        let buf = UnsafeMutablePointer<CChar>.allocate(capacity: self.count + 1)
+        buf.initialize(from: self, count: self.count + 1)
+        return buf
+    }
 }

lib/ZitiEvent.swift

@@ -271,8 +271,8 @@ import CZitiPrivate
         @objc public let controllerUrl:String
         @objc public let controllers:[String]
         @objc public let cfgSource:String
-        
-        @objc public let caBundle:String // todo encapsulate ziti_id_cfg_s?
+        @objc public let cert:String
+        @objc public let caBundle:String
 
         init( _ cEvent:ziti_config_event) {
             var str = ""
@@ -295,6 +295,12 @@ import CZitiPrivate
                 caStr = String(cString: cStr)
             }
             caBundle = caStr
+            
+            var certStr = ""
+            if let cStr = cEvent.config.pointee.id.cert {
+                certStr = String(cString: cStr)
+            }
+            cert = certStr
 
             var ctrlsArray:[String] = []
             var ctrlList = cEvent.config.pointee.controllers
@@ -383,6 +389,7 @@ import CZitiPrivate
             str += "   controllers: \(e.controllers))\n"
             str += "   cfgSource: \(e.cfgSource)\n"
             str += "   caBundle: \(e.caBundle)\n"
+            str += "   cert: \(e.cert)\n"
         }
         return str
     }

lib/ZitiTunnel.swift

@@ -349,6 +349,16 @@ public class ZitiTunnel : NSObject, ZitiUnretained {
             if !event.caBundle.isEmpty {
                 ziti.id.ca = event.caBundle
             }
+            if !event.certPEM.isEmpty {
+                let zkc = ZitiKeychain(tag: ziti.id.id)
+                _ = zkc.deleteCertificate()
+                let (zErr, certCNs) = zkc.storeCertificates(event.certPEM)
+                if zErr != nil {
+                    log.warn("failed to store certificates: \(zErr!.localizedDescription)", function:"onEventCallback()")
+                } else {
+                    ziti.id.certCNs = certCNs
+                }
+            }
             // pass event to application
             mySelf.tunnelProvider?.tunnelEventCallback(event)
         default:

lib/ZitiTunnelEvent.swift

@@ -220,6 +220,9 @@ import CZitiPrivate
     /// CA bundle
     public var caBundle:String = ""
 
+    /// Certificte PEM (possibly multiple certificates)
+    public var certPEM:String = ""
+    
     init(_ ziti:Ziti, _ evt:UnsafePointer<config_event>) {
         super.init(ziti)
         var ziti_cfg_ptr:UnsafeMutablePointer<ziti_config>?
@@ -239,6 +242,7 @@ import CZitiPrivate
             }
         }
         self.caBundle = toStr(ziti_cfg_ptr?.pointee.id.ca)
+        self.certPEM = toStr(ziti_cfg_ptr?.pointee.id.cert)
     }
 
     /// Debug description
@@ -247,6 +251,7 @@ import CZitiPrivate
         return super.debugDescription + "\n" +
             "   controller_url: \(controllerUrl)\n" +
             "   contrlollers: \(controllers)\n" +
-            "   caBundle: \(caBundle)"
+            "   caBundle: \(caBundle)\n" +
+            "   cert: \(certPEM)"
     }
 }