keep identity certificates in ZitiIdentity

Author: scareything

lib/Ziti.swift

@@ -329,12 +329,13 @@ import CZitiPrivate
                 return
             }
 
-            // Store certificate
-            let cert = dropFirst("pem:", resp.id.cert)
+            // Store certificates
+            let certs = dropFirst("pem:", resp.id.cert)
             _ = zkc.deleteCertificate(silent: true)
-            let (err, cns) = zkc.storeCertificates(cert)
-            guard err == nil else {
-                let errStr = "Unable to store certificates\n"
+            // storeCertificate only stores the first (leaf) certificate in the pem. that's ok - the full chain of certs is stored in the .zid
+            // file. only the leaf/pubkey needs to be in the keychain.
+            guard zkc.storeCertificate(fromPem: certs) == nil else {
+                let errStr = "Unable to store certificate\n"
                 log.error(errStr, function:"enroll()")
                 enrollCallback(nil, ZitiError(errStr))
                 return
@@ -346,8 +347,8 @@ import CZitiPrivate
                 ca = dropFirst("pem:", idCa)
             }
 
-            let zid = ZitiIdentity(id: subj, ztAPIs: resp.ztAPIs, certCNs: cns, ca: ca)
-            log.info("Enrolled id:\(subj) with controller: \(zid.ztAPI) with cns: \(zid.getCertCNs())", function:"enroll()")
+            let zid = ZitiIdentity(id: subj, ztAPIs: resp.ztAPIs, certs: certs, ca: ca)
+            log.info("Enrolled id:\(subj) with controller: \(zid.ztAPI)", function:"enroll()")
 
             enrollCallback(zid, nil)
         }
@@ -384,14 +385,12 @@ import CZitiPrivate
     @objc public func run(_ postureChecks:ZitiPostureChecks?, _ initCallback: @escaping InitCallback) {
         // Get certificate
         let zkc = ZitiKeychain(tag: id.id)
-        let (maybeCerts, zErr) = zkc.getCertificates(id.getCertCNs())
-        guard let certs = maybeCerts, zErr == nil else {
-            let errStr = zErr != nil ? zErr!.localizedDescription : "unable to retrieve certificates from keychain"
+        guard let certPEM = id.getCertificates(zkc) else {
+            let errStr = "unable to retrieve certificates"
             log.error(errStr)
-            initCallback(zErr ?? ZitiError(errStr))
+            initCallback(ZitiError(errStr))
             return
         }
-        let certPEM = zkc.convertToPEM("CERTIFICATE", ders: certs)
 
         // Get private key
         guard let privKey = zkc.getPrivateKey() else {
@@ -902,17 +901,20 @@ import CZitiPrivate
 
         // update ourself
         if event.type == ZitiEvent.EventType.ConfigEvent {
-            mySelf.id.ztAPI = event.configEvent!.controllerUrl
-            mySelf.id.ztAPIs = event.configEvent!.controllers
-            let zkc = ZitiKeychain(tag: mySelf.id.id)
-            _ = zkc.deleteCertificate()
-            let (zErr, certCNs) = zkc.storeCertificates(event.configEvent!.cert)
-            if zErr != nil {
-                log.warn("failed to store certificates: \(zErr!.localizedDescription)", function:"onEvent()")
-            } else {
-                mySelf.id.certCNs = certCNs
+            let cfgEvent = event.configEvent!
+            if !cfgEvent.controllerUrl.isEmpty { mySelf.id.ztAPI = cfgEvent.controllerUrl }
+            if !cfgEvent.controllers.isEmpty { mySelf.id.ztAPIs = cfgEvent.controllers }
+            if !cfgEvent.cert.isEmpty {
+                mySelf.id.certs = cfgEvent.cert
+                let zkc = ZitiKeychain(tag: mySelf.id.id)
+                _ = zkc.deleteCertificate()
+                // store the first/leaf certificate in the keychain so it can be used in a key pair.
+                let zErr = zkc.storeCertificate(fromPem: event.configEvent!.cert)
+                if zErr != nil {
+                    log.warn("failed to store certificate: \(zErr!.localizedDescription)", function:"onEvent()")
+                }
             }
-            mySelf.id.ca = event.configEvent!.caBundle
+            if !cfgEvent.caBundle.isEmpty { mySelf.id.ca = cfgEvent.caBundle }
         }
 
         mySelf.eventCallbacksLock.lock()

lib/ZitiIdentity.swift

@@ -34,12 +34,12 @@ import Foundation
     /// Initially the `sub` field from the  one-time enrollment JWT.  Used by `Ziti` to store and retrieve identity-related items in the Keychain
     @objc public let id:String
 
-    /// Certificate CNs
-    ///
-    /// Common names for the certificates in this identities certificate chain. The first element will always match `id`.
-    /// Used by `Ziti` to retrieve certificates from the Keychain.
-    @objc public var certCNs:[String]?
-
+    /// Common names for the certificates in this identities certificate chain.
+    /// This is only set when the identity is decoded from an older representation. When `certs` is not set, this value can be used to
+    /// retrieve the identity's certificates from the Keychain.
+    @available(*, deprecated, message: "store certificates in `certs` instead")
+    @objc private var certCNs:[String]?
+    
     /// scheme, host, and port used to communicate with Ziti controller
     @objc public var ztAPI:String
 
@@ -51,6 +51,9 @@ import Foundation
     /// Note that this name is unknown until a session with Ziti is active
     @objc public var name:String?
 
+    /// Certificates (PEM)
+    @objc public var certs:String?
+
     /// CA pool verified as part of enrollment that can be used to establish trust with of the  Ziti controller
     @objc public var ca:String?
 
@@ -65,23 +68,29 @@ import Foundation
     ///     - certCNs: common names of certififcates 
     ///     - name: name currently configured for this identity
     ///     - ca: CA pool that can be used to verify trust of the Ziti controller
-    @objc public init(id:String, ztAPIs:[String], certCNs:[String]?=nil, name:String?=nil, ca:String?=nil) {
+    @objc public init(id:String, ztAPIs:[String], name:String?=nil, certs:String?=nil, ca:String?=nil) {
         self.id = id
-        self.certCNs = [ id ]
-        if let certCNs {
-            for cn in certCNs {
-                if cn == id { continue }
-                self.certCNs?.append(cn)
-            }
-        }
         self.ztAPI = ztAPIs.first ?? ""
         self.ztAPIs = ztAPIs
         self.name = name
+        self.certs = certs
         self.ca = ca
     }
 
-    @objc public func getCertCNs() -> [String] {
-        return certCNs ?? [self.id]
+    @objc public func getCertificates(_ zkc:ZitiKeychain?) -> String? {
+        if let certs = self.certs {
+            log.debug("returning certificates from identity")
+            return certs
+        }
+        // get certs using certCNs and the keychain if available.
+        let certCNs = self.certCNs ?? [self.id]
+        if let ders = zkc?.getCertificates(certCNs) {
+            log.debug("returning certfificates from keychain CNs=\(certCNs)")
+            self.certs = zkc?.convertToPEM("CERTIFICATE", ders: ders)
+            self.certCNs = nil
+            return self.certs
+        }
+        return nil
     }
 
     /// Save this object to a JSON file

lib/ZitiKeychain.swift

@@ -257,8 +257,8 @@ public class ZitiKeychain : NSObject {
         return sceStatus
     }
 #endif
-    
-    @available(*, deprecated, message: "This function only stores the first certificate in `pem`. Use storeCertificates(pem:String) to store all certificates.")
+
+    /// This function only stores the first certificate in `pem`. use storeCertificates(pem:String) if you need to store all certificates in the keychain.
     func storeCertificate(fromPem pem:String) -> ZitiError? {
         let (_, zErr) = storeCertificate(fromDer: convertToDER(pem))
         if zErr != nil {
@@ -267,7 +267,6 @@ public class ZitiKeychain : NSObject {
         return zErr
     }
 
-    @available(*, deprecated)
     func storeCertificate(fromDer der:Data) -> (SecCertificate?, ZitiError?) {
         guard let certificate = SecCertificateCreateWithData(nil, der as CFData) else {
             let errStr = "Unable to create certificate from data for \(tag)"
@@ -316,17 +315,17 @@ public class ZitiKeychain : NSObject {
         return (certData, nil)
     }
 
-    func getCertificates(_ certCNs:[String]) -> ([Data]?, ZitiError?) {
+    func getCertificates(_ certCNs:[String]) -> [Data]? {
         var certs:[Data] = []
         for cn in certCNs {
             let (cert, err) = getCertificate(cn)
             guard let cert = cert, err == nil else {
-                return (nil, err)
+                return nil
             }
             certs.append(cert)
         }
 
-        return (certs, nil)
+        return certs
     }
 
     func deleteCertificate(silent:Bool=false) -> ZitiError? {
@@ -362,12 +361,13 @@ public class ZitiKeychain : NSObject {
         return nil
     }
 
-    func convertToPEM(_ type:String, ders:[Data]) -> String {
+    func convertToPEM(_ type:String, ders:[Data]) -> String? {
         var pem = ""
         ders.forEach { der in
-            pem.append(convertToPEM("CERTIFICATE", der: der))
+            pem.append(convertToPEM(type, der: der))
         }
-        return pem
+        if pem.count > 0 { return pem }
+        return nil
     }
 
     func convertToPEM(_ type:String, der:Data) -> String {

lib/ZitiTunnel.swift

@@ -350,13 +350,13 @@ public class ZitiTunnel : NSObject, ZitiUnretained {
                 ziti.id.ca = event.caBundle
             }
             if !event.certPEM.isEmpty {
+                ziti.id.certs = event.certPEM
+                // store the first/leaf certificate in the keychain so it can be used in a key pair.
                 let zkc = ZitiKeychain(tag: ziti.id.id)
                 _ = zkc.deleteCertificate()
-                let (zErr, certCNs) = zkc.storeCertificates(event.certPEM)
+                let zErr = zkc.storeCertificate(fromPem: event.certPEM)
                 if zErr != nil {
                     log.warn("failed to store certificates: \(zErr!.localizedDescription)", function:"onEventCallback()")
-                } else {
-                    ziti.id.certCNs = certCNs
                 }
             }
             // pass event to application