From 083f4095319b734f33f3e28a9f3234ff9cf6a7d7 Mon Sep 17 00:00:00 2001 From: "kali kaneko (leap communications)" Date: Mon, 17 May 2021 12:53:24 +0200 Subject: [feat] reuse certificate if found in config folder --- pkg/vpn/certs.go | 34 ++++++++++++++++++++++++++++++++++ pkg/vpn/main.go | 2 +- pkg/vpn/openvpn.go | 34 ++++++++++++++++++++++------------ 3 files changed, 57 insertions(+), 13 deletions(-) create mode 100644 pkg/vpn/certs.go (limited to 'pkg/vpn') diff --git a/pkg/vpn/certs.go b/pkg/vpn/certs.go new file mode 100644 index 0000000..300871e --- /dev/null +++ b/pkg/vpn/certs.go @@ -0,0 +1,34 @@ +package vpn + +import ( + "crypto/x509" + "encoding/pem" + "io/ioutil" + "log" + "time" +) + +func isValidCert(path string) bool { + data, err := ioutil.ReadFile(path) + if err != nil { + return false + } + // skip private key, but there should be one + _, rest := pem.Decode(data) + certBlock, rest := pem.Decode(rest) + if len(rest) != 0 { + log.Println("ERROR bad cert data") + return false + } + cert, err := x509.ParseCertificate(certBlock.Bytes) + loc, _ := time.LoadLocation("UTC") + expires := cert.NotAfter + tomorrow := time.Now().In(loc).Add(24 * time.Hour) + + if !expires.After(tomorrow) { + return false + } else { + log.Println("DEBUG We have a valid cert:", path) + return true + } +} diff --git a/pkg/vpn/main.go b/pkg/vpn/main.go index f40366c..826e5d4 100644 --- a/pkg/vpn/main.go +++ b/pkg/vpn/main.go @@ -68,7 +68,7 @@ func Init() (*Bitmask, error) { } */ - err = ioutil.WriteFile(b.getCaCertPath(), config.CaCert, 0600) + err = ioutil.WriteFile(b.getTempCaCertPath(), config.CaCert, 0600) go b.openvpnManagement() return &b, err diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go index 4dad0e2..7cfa101 100644 --- a/pkg/vpn/openvpn.go +++ b/pkg/vpn/openvpn.go @@ -22,9 +22,11 @@ import ( "log" "os" "path" + "path/filepath" "strconv" "strings" + "0xacab.org/leap/bitmask-vpn/pkg/config" "0xacab.org/leap/shapeshifter" ) @@ -167,7 +169,7 @@ func (b *Bitmask) startOpenVPN() error { "--verb", "3", "--management-client", "--management", openvpnManagementAddr, openvpnManagementPort, - "--ca", b.getCaCertPath(), + "--ca", b.getTempCaCertPath(), "--cert", b.certPemPath, "--key", b.certPemPath, "--persist-tun") @@ -175,17 +177,25 @@ func (b *Bitmask) startOpenVPN() error { } func (b *Bitmask) getCert() (certPath string, err error) { - certPath = b.getCertPemPath() - - if _, err := os.Stat(certPath); os.IsNotExist(err) { - log.Println("Fetching certificate to", certPath) - cert, err := b.bonafide.GetPemCertificate() - if err != nil { - return "", err + persistentCertFile := filepath.Join(config.Path, strings.ToLower(config.Provider)+".pem") + if _, err := os.Stat(persistentCertFile); !os.IsNotExist(err) && isValidCert(persistentCertFile) { + // reuse cert. for the moment we're not writing one there, this is + // only to allow users to get certs off-band and place them there + // as a last-resort fallback for circumvention. + certPath = persistentCertFile + err = nil + } else { + // download one fresh + certPath = b.getTempCertPemPath() + if _, err := os.Stat(certPath); os.IsNotExist(err) { + log.Println("Fetching certificate to", certPath) + cert, err := b.bonafide.GetPemCertificate() + if err != nil { + return "", err + } + err = ioutil.WriteFile(certPath, cert, 0600) } - err = ioutil.WriteFile(certPath, cert, 0600) } - return certPath, err } @@ -299,10 +309,10 @@ func (b *Bitmask) UseTransport(transport string) error { return nil } -func (b *Bitmask) getCertPemPath() string { +func (b *Bitmask) getTempCertPemPath() string { return path.Join(b.tempdir, "openvpn.pem") } -func (b *Bitmask) getCaCertPath() string { +func (b *Bitmask) getTempCaCertPath() string { return path.Join(b.tempdir, "cacert.pem") } -- cgit v1.2.3