From 49742738417fb3db7e60813ca170dffaab65c8c1 Mon Sep 17 00:00:00 2001
From: cyBerta
Date: Wed, 19 Jul 2023 12:51:59 +0200
Subject: always provide private VPN key over management interface, avoid exposing it in persisted openvpn config. The private key is stored encrypted instead
---
app/src/main/java/de/blinkt/openvpn/VpnProfile.java | 19 +++++++++++++++----
.../java/de/blinkt/openvpn/core/ConfigParser.java | 2 --
.../java/de/blinkt/openvpn/core/VPNLaunchHelper.java | 1 -
3 files changed, 15 insertions(+), 7 deletions(-)
(limited to 'app/src/main/java/de/blinkt')
diff --git a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 9f722dfe..780ac9d8 100644
--- a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -76,6 +76,7 @@ import de.blinkt.openvpn.core.connection.Connection;
import de.blinkt.openvpn.core.connection.ConnectionAdapter;
import se.leap.bitmaskclient.BuildConfig;
import se.leap.bitmaskclient.R;
+import se.leap.bitmaskclient.base.models.ProviderObservable;
public class VpnProfile implements Serializable, Cloneable {
// Note that this class cannot be moved to core where it belongs since
@@ -442,8 +443,9 @@ public class VpnProfile implements Serializable, Cloneable {
cfg.append(insertFileData("ca", mCaFilename));
// Client Cert + Key
- cfg.append(insertFileData("key", mClientKeyFilename));
cfg.append(insertFileData("cert", mClientCertFilename));
+ mPrivateKey = ProviderObservable.getInstance().getCurrentProvider().getRSAPrivateKey();
+ cfg.append("management-external-key nopadding pkcs1 pss digest\n");
break;
case VpnProfile.TYPE_USERPASS_PKCS12:
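Review bot: `mPrivateKey = ProviderObservable.getInstance().getCurrentProvider().getRSAPrivateKey();` stores the key in a field of a class declared `implements Serializable` (visible in the -76 hunk), so unless `mPrivateKey` is declared `transient` — its declaration is not part of this diff — the key that this commit removes from the generated config can still be written out whenever the profile object is serialized; please confirm, and mark the field `transient` regardless. The call chain has no null handling either: if `getCurrentProvider()` or `getRSAPrivateKey()` yields null, `management-external-key nopadding pkcs1 pss digest` is still emitted and the failure only surfaces when openvpn asks the management interface to sign, so a null check before appending the directive (failing config generation with a clear message) would surface the misconfiguration much earlier. Advertising `pss` here also commits the management-side signer to honour RSA-PSS requests with the parameters openvpn sends, which is worth a comment at this line so a later change to the signing code does not silently break the handshake. The enclosing method begins and ends outside this hunk.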
@@ -761,7 +763,7 @@ public class VpnProfile implements Serializable, Cloneable {
public Intent prepareStartService(Context context) {
Intent intent = getStartServiceIntent(context);
- // TODO: Handle this?!
+ // This can remain outcommented for now, Bitmask uses VpnProfile.TYPE_CERTIFICATE
// if (mAuthenticationType == VpnProfile.TYPE_KEYSTORE || mAuthenticationType == VpnProfile.TYPE_USERPASS_KEYSTORE) {
// if (getKeyStoreCertificates(context) == null)
// return null;
@@ -843,6 +845,14 @@ public class VpnProfile implements Serializable, Cloneable {
return ExtAuthHelper.getCertificateChain(context, mExternalAuthenticator, mAlias);
}
+ /**
+ * returns an array certificates, depending on the profile type either from the keychain or an external cert provider
+ * @param context
+ * @return pem encoded certificates, where:
+ * [0] is the ca cert
+ * [1] is an optional extra cert
+ * [2] is the vpn certificate
+ */
public String[] getExternalCertificates(Context context) {
return getExternalCertificates(context, 5);
}
@@ -977,8 +987,9 @@ public class VpnProfile implements Serializable, Cloneable {
if (mUseTLSAuth && TextUtils.isEmpty(mTLSAuthFilename))
return R.string.missing_tlsauth;
- if ((mAuthenticationType == TYPE_USERPASS_CERTIFICATES || mAuthenticationType == TYPE_CERTIFICATES)
- && (TextUtils.isEmpty(mClientCertFilename) || TextUtils.isEmpty(mClientKeyFilename)))
+ if ((mAuthenticationType == TYPE_USERPASS_CERTIFICATES &&
+ (TextUtils.isEmpty(mClientCertFilename) || (TextUtils.isEmpty(mClientKeyFilename)))) ||
+ mAuthenticationType == TYPE_CERTIFICATES && TextUtils.isEmpty(mClientCertFilename))
return R.string.missing_certificates;
if ((mAuthenticationType == TYPE_CERTIFICATES || mAuthenticationType == TYPE_USERPASS_CERTIFICATES)
diff --git a/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index e8d333e3..ff27a5a2 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
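Review bot: The replacement comment `// This can remain outcommented for now, Bitmask uses VpnProfile.TYPE_CERTIFICATE` documents the commented-out keystore block in prepareStartService as intentionally dead code; code the project has decided not to use is better deleted (it stays in version history) than annotated and kept. If it must stay, `outcommented` should read `commented out`, and the comment should state the invariant it relies on, e.g. `// Keystore authentication is not used by Bitmask: profiles are always TYPE_CERTIFICATES, so the keystore check below stays disabled.` prepareStartService continues outside this hunk.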
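Review bot: The added Javadoc on getExternalCertificates reads `returns an array certificates` and leaves `@param context` without a description; suggest `Returns an array of PEM-encoded certificates, taken from the keychain or from an external certificate provider depending on the profile type.` and `@param context used to reach the keychain or the external certificate provider`. The index contract it states (`[0]` CA, `[1]` optional extra, `[2]` VPN certificate) should also say what "optional" means for the caller — whether `[1]` is null or the array is shorter — since that decides how callers must index it. The literal `5` passed to the two-argument overload is left unexplained; presumably a retry count or timeout, but a short inline comment naming it would make this wrapper self-explanatory without reading the overload.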
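Review bot: The rewritten condition mixes `&&` and `||` in one expression with only partial parenthesization — effectively `(A && (B || (C))) || D && E` — which is correct under Java precedence but hard to verify by eye, and the extra parentheses around `TextUtils.isEmpty(mClientKeyFilename)` suggest the author was unsure of it too. Splitting the two authentication types into separate checks with named booleans keeps the same behaviour and makes the intent (TYPE_CERTIFICATES no longer needs a key file) explicit. Note also that after this change nothing in the visible validation confirms that a private key is available at all for the TYPE_CERTIFICATES path; with `management-external-key` the key is fetched from the provider at config-generation time, so a check that the provider's key is present would catch exactly the misconfiguration this validation exists for. The enclosing method begins and ends outside this hunk.
```java
// … unchanged: TLS-auth check above …
boolean missingCert = TextUtils.isEmpty(mClientCertFilename);
boolean missingKey = TextUtils.isEmpty(mClientKeyFilename);
if (mAuthenticationType == TYPE_USERPASS_CERTIFICATES && (missingCert || missingKey))
    return R.string.missing_certificates;
// TYPE_CERTIFICATES: the private key is no longer read from a file but supplied over
// the management interface, so only the certificate file is required here.
if (mAuthenticationType == TYPE_CERTIFICATES && missingCert)
    return R.string.missing_certificates;
// … unchanged: remaining checks …
```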
+++ b/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -70,9 +70,7 @@ public class ConfigParser {
"management",
"management-client",
"management-query-remote",
- "management-query-passwords",
"management-query-proxy",
- "management-external-key",
"management-forget-disconnect",
"management-signal",
"management-log-cache",
diff --git a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
index 80427a03..67636762 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
@@ -5,7 +5,6 @@ package de.blinkt.openvpn.core;
-import android.annotation.TargetApi;
import android.content.Context;
import android.os.Build;
--
cgit v1.2.3