Parse multiple ca certs in <ca> for android device key configurations (closes #426)

3 files changed, 29 insertions, 17 deletions

diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 09fc21ae..ebcf9342 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -768,11 +768,12 @@ public class VpnProfile implements Serializable, Cloneable {
             String caout = null;
             if (!TextUtils.isEmpty(mCaFilename)) {
                 try {
-                    Certificate cacert = X509Utils.getCertificateFromFile(mCaFilename);
+                    Certificate[] cacerts = X509Utils.getCertificatesFromFile(mCaFilename);
                     StringWriter caoutWriter = new StringWriter();
                     PemWriter pw = new PemWriter(caoutWriter);
 
-                    pw.writeObject(new PemObject("CERTIFICATE", cacert.getEncoded()));
+                    for (Certificate cert: cacerts)
+                        pw.writeObject(new PemObject("CERTIFICATE", cert.getEncoded()));
                     pw.close();
                     caout= caoutWriter.toString();
 
@@ -844,8 +845,14 @@ public class VpnProfile implements Serializable, Cloneable {
             if (mIPv4Address == null || cidrToIPAndNetmask(mIPv4Address) == null)
                 return R.string.ipv4_format_error;
         }
-        if (!mUseDefaultRoute && (getCustomRoutes(mCustomRoutes).size() == 0|| getCustomRoutes(mExcludedRoutes).size() == 0))
-            return R.string.custom_route_format_error;
+        if (!mUseDefaultRoute) {
+            if (!TextUtils.isEmpty(mCustomRoutes) &&  getCustomRoutes(mCustomRoutes).size() == 0 )
+                return R.string.custom_route_format_error;
+
+            if (!TextUtils.isEmpty(mExcludedRoutes) &&  getCustomRoutes(mExcludedRoutes).size() == 0 )
+                return R.string.custom_route_format_error;
+
+        }
 
         boolean noRemoteEnabled = true;
         for (Connection c : mConnections)
diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index 5b8cb2dd..86230a52 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -400,7 +400,8 @@ public class ConfigParser {
         }
 
         Vector<String> routeNoPull = getOption("route-nopull", 1, 1);
-        np.mRoutenopull=true;
+        if (routeNoPull!=null)
+            np.mRoutenopull=true;
 
         // Also recognize tls-auth [inline] direction ...
         Vector<Vector<String>> tlsauthoptions = getAllOption("tls-auth", 1, 2);
diff --git a/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java b/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java
index 9bc5ac97..7d72e33f 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java
@@ -25,31 +25,35 @@ import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
-import java.text.DateFormat;
-import java.util.Calendar;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.Hashtable;
+import java.util.Vector;
 
 public class X509Utils {
-	public static Certificate getCertificateFromFile(String certfilename) throws FileNotFoundException, CertificateException {
+	public static Certificate[] getCertificatesFromFile(String certfilename) throws FileNotFoundException, CertificateException {
 		CertificateFactory certFact = CertificateFactory.getInstance("X.509");
 
-		InputStream inStream;
-
+        Vector<Certificate> certificates = new Vector<>();
 		if(VpnProfile.isEmbedded(certfilename)) {
-            // The java certifcate reader is ... kind of stupid
-            // It does NOT ignore chars before the --BEGIN ...
             int subIndex = certfilename.indexOf("-----BEGIN CERTIFICATE-----");
-            subIndex = Math.max(0,subIndex);
-			inStream = new ByteArrayInputStream(certfilename.substring(subIndex).getBytes());
+            do {
+                // The java certifcate reader is ... kind of stupid
+                // It does NOT ignore chars before the --BEGIN ...
 
+                subIndex = Math.max(0, subIndex);
+                InputStream inStream = new ByteArrayInputStream(certfilename.substring(subIndex).getBytes());
+                certificates.add(certFact.generateCertificate(inStream));
 
+                subIndex = certfilename.indexOf("-----BEGIN CERTIFICATE-----", subIndex+1);
+            } while (subIndex > 0);
+            return certificates.toArray(new Certificate[certificates.size()]);
         } else {
-			inStream = new FileInputStream(certfilename);
+			InputStream inStream = new FileInputStream(certfilename);
+            return new Certificate[] {certFact.generateCertificate(inStream)};
         }
 
 
-		return certFact.generateCertificate(inStream);
 	}
 
 	public static PemObject readPemObjectFromFile (String keyfilename) throws IOException {
@@ -73,7 +77,7 @@ public class X509Utils {
 	public static String getCertificateFriendlyName (Context c, String filename) {
 		if(!TextUtils.isEmpty(filename)) {
 			try {
-				X509Certificate cert = (X509Certificate) getCertificateFromFile(filename);
+				X509Certificate cert = (X509Certificate) getCertificatesFromFile(filename)[0];
                 String friendlycn = getCertificateFriendlyName(cert);
                 friendlycn = getCertificateValidityString(cert, c.getResources()) + friendlycn;
                 return friendlycn;