From b9e1f2354520e37f0e2784f156f1288e55e1a993 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:29:15 +0200 Subject: update soon expiring vpn certificates after connecting to the VPN --- .../main/java/se/leap/bitmaskclient/eip/EIP.java | 19 +++++++++++++++ .../leap/bitmaskclient/eip/EipSetupObserver.java | 8 +++++++ .../bitmaskclient/eip/VpnCertificateValidator.java | 27 ++++++++++++++++------ 3 files changed, 47 insertions(+), 7 deletions(-) (limited to 'app/src/main/java/se/leap/bitmaskclient/eip') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java b/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java index cf4dc9bf..46f91781 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java @@ -56,6 +56,7 @@ import de.blinkt.openvpn.core.VpnStatus; import de.blinkt.openvpn.core.connection.Connection; import se.leap.bitmaskclient.R; import se.leap.bitmaskclient.base.OnBootReceiver; +import se.leap.bitmaskclient.base.models.Provider; import se.leap.bitmaskclient.base.models.ProviderObservable; import se.leap.bitmaskclient.base.utils.PreferenceHelper; @@ -242,6 +243,12 @@ public final class EIP extends JobIntentService implements Observer { return; } + if (shouldUpdateVPNCertificate()) { + Provider p = ProviderObservable.getInstance().getCurrentProvider(); + p.setShouldUpdateVpnCertificate(true); + ProviderObservable.getInstance().updateProvider(p); + } + GatewaysManager gatewaysManager = new GatewaysManager(getApplicationContext()); if (gatewaysManager.isEmpty()) { setErrorResult(result, warning_client_parsing_error_gateways, null); @@ -267,6 +274,12 @@ public final class EIP extends JobIntentService implements Observer { Gateway gateway = gatewaysManager.select(0); Bundle result = new Bundle(); + if (shouldUpdateVPNCertificate()) { + Provider p = ProviderObservable.getInstance().getCurrentProvider(); + p.setShouldUpdateVpnCertificate(true); + ProviderObservable.getInstance().updateProvider(p); + } + launchActiveGateway(gateway, 0, result); if (result.containsKey(BROADCAST_RESULT_KEY) && !result.getBoolean(BROADCAST_RESULT_KEY)){ VpnStatus.logWarning("ALWAYS-ON VPN: " + getString(R.string.no_vpn_profiles_defined)); @@ -415,6 +428,12 @@ public final class EIP extends JobIntentService implements Observer { return validator.isValid(); } + private boolean shouldUpdateVPNCertificate() { + VpnCertificateValidator validator = new VpnCertificateValidator(preferences.getString(PROVIDER_VPN_CERTIFICATE, "")); + return validator.shouldBeUpdated(); + } + + /** * helper function to add error to result bundle * diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java index 9d67340e..56350703 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java @@ -39,12 +39,14 @@ import static se.leap.bitmaskclient.base.models.Constants.PROVIDER_PROFILE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOADED_EIP_SERVICE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOADED_GEOIP_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_UPDATED_INVALID_VPN_CERTIFICATE; +import static se.leap.bitmaskclient.providersetup.ProviderAPI.DELAY; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_DOWNLOADED_EIP_SERVICE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_DOWNLOADED_GEOIP_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_DOWNLOADED_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_UPDATED_INVALID_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.PROVIDER_NOK; import static se.leap.bitmaskclient.providersetup.ProviderAPI.PROVIDER_OK; +import static se.leap.bitmaskclient.providersetup.ProviderAPI.QUIETLY_UPDATE_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.TOR_EXCEPTION; import static se.leap.bitmaskclient.providersetup.ProviderAPI.TOR_TIMEOUT; import static se.leap.bitmaskclient.providersetup.ProviderAPI.UPDATE_INVALID_VPN_CERTIFICATE; @@ -373,6 +375,12 @@ public class EipSetupObserver extends BroadcastReceiver implements VpnStatus.Sta if (shouldCheckAppUpdate()) { DownloadServiceCommand.execute(appContext, CHECK_VERSION_FILE); } + + if (provider.shouldUpdateVpnCertificate()) { + Bundle parameters = new Bundle(); + parameters.putLong(DELAY, 500); + ProviderAPICommand.execute(appContext, QUIETLY_UPDATE_VPN_CERTIFICATE, parameters, provider); + } finishGatewaySetup(false); } else if ("TCP_CONNECT".equals(state)) { changingGateway.set(false); diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java index 16d1c5ad..8841ae94 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java @@ -45,9 +45,22 @@ public class VpnCertificateValidator { /** * - * @return true if all certificates are valid for more than 15 more days + * @return true if all certificates are valid for 1 more day */ public boolean isValid() { + return isValid(1); + } + + /** + * + * @return return true if certificates will expire in 8 days or less + */ + public boolean shouldBeUpdated() { + return !isValid(8); + } + + + private boolean isValid(int offsetDays) { if (certificate.isEmpty()) { return false; } @@ -57,7 +70,7 @@ public class VpnCertificateValidator { return false; } for (X509Certificate cert : x509Certificates) { - if (!isValid(cert)) { + if (!isValid(cert, offsetDays)) { return false; } } @@ -65,12 +78,12 @@ public class VpnCertificateValidator { } - private boolean isValid(X509Certificate certificate) { + private boolean isValid(X509Certificate certificate, int offsetDays) { if (certificate == null) { return false; } - Calendar offsetDate = calculateOffsetCertificateValidity(certificate); + Calendar offsetDate = calculateOffsetCertificateValidity(certificate, offsetDays); try { certificate.checkValidity(offsetDate.getTime()); return true; @@ -81,15 +94,15 @@ public class VpnCertificateValidator { } } - private Calendar calculateOffsetCertificateValidity(X509Certificate certificate) { + private Calendar calculateOffsetCertificateValidity(X509Certificate certificate, int offsetDays) { Calendar limitDate = calendarProvider.getCalendar(); Date startDate = certificate.getNotBefore(); // if certificates start date is before current date just return the current date without an offset if (startDate.getTime() >= limitDate.getTime().getTime()) { return limitDate; } - // else add an offset of 15 days to the current date - limitDate.add(Calendar.DAY_OF_YEAR, 15); + // else add an offset to the current date + limitDate.add(Calendar.DAY_OF_YEAR, offsetDays); return limitDate; } -- cgit v1.2.3 From ea0e8e4d5ef61af57ef5826d7526f0bfc4c459b2 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:37:02 +0200 Subject: update eip-service.json every 3 days or after a unsuccessful connection attempt, use a small delay to ensure the VPN is ready for the first network request --- app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/src/main/java/se/leap/bitmaskclient/eip') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java index 56350703..a523f440 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java @@ -373,7 +373,9 @@ public class EipSetupObserver extends BroadcastReceiver implements VpnStatus.Sta } if (shouldCheckAppUpdate()) { - DownloadServiceCommand.execute(appContext, CHECK_VERSION_FILE); + Bundle parameters = new Bundle(); + parameters.putLong(DELAY, 500); + DownloadServiceCommand.execute(appContext, CHECK_VERSION_FILE, parameters); } if (provider.shouldUpdateVpnCertificate()) { -- cgit v1.2.3 From 512030e22fda6eadb69d4f486241490670d7bab1 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:46:46 +0200 Subject: implement small delay to check for version updates after a successful connection setup --- app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/src/main/java/se/leap/bitmaskclient/eip') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java index a523f440..05991390 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java @@ -369,7 +369,9 @@ public class EipSetupObserver extends BroadcastReceiver implements VpnStatus.Sta Provider provider = ProviderObservable.getInstance().getCurrentProvider(); if (setupNClosestGateway.get() > 0 || provider.shouldUpdateEipServiceJson()) { //setupNClostestGateway > 0: at least one failed gateway -> did the provider change it's gateways? - ProviderAPICommand.execute(appContext, ProviderAPI.DOWNLOAD_SERVICE_JSON, provider); + Bundle parameters = new Bundle(); + parameters.putLong(DELAY, 500); + ProviderAPICommand.execute(appContext, ProviderAPI.DOWNLOAD_SERVICE_JSON, parameters, provider); } if (shouldCheckAppUpdate()) { -- cgit v1.2.3