Allow setting a certificate alias via restriction API.

schwabe · Apr 13, 2023 · 3c16028 · 3c16028
1 parent 9e59860
commit 3c16028
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 6 deletions.
diff --git a/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java b/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java
@@ -33,7 +33,6 @@ public class AppRestrictions {
  final static int CONFIG_VERSION = 1;
  static boolean alreadyChecked = false;
  private static AppRestrictions mInstance;
- private RestrictionsManager mRestrictionsMgr;
  private BroadcastReceiver mRestrictionsReceiver;
 
  private AppRestrictions(Context c) {
@@ -76,10 +75,10 @@ private String hashConfig(String config) {
  }
 
  private void applyRestrictions(Context c) {
- mRestrictionsMgr = (RestrictionsManager) c.getSystemService(Context.RESTRICTIONS_SERVICE);
- if (mRestrictionsMgr == null)
+ RestrictionsManager restrictionsMgr = (RestrictionsManager) c.getSystemService(Context.RESTRICTIONS_SERVICE);
+ if (restrictionsMgr == null)
  return;
- Bundle restrictions = mRestrictionsMgr.getApplicationRestrictions();
+ Bundle restrictions = restrictionsMgr.getApplicationRestrictions();
  if (restrictions == null)
  return;
 
@@ -116,6 +115,7 @@ private void applyRestrictions(Context c) {
  String uuid = p.getString("uuid");
  String ovpn = p.getString("ovpn");
  String name = p.getString("name");
+ String certAlias = p.getString("certificate_alias");
 
  if (uuid == null || ovpn == null || name == null) {
  VpnStatus.logError("App restriction profile misses uuid, ovpn or name key");
@@ -134,12 +134,15 @@ private void applyRestrictions(Context c) {
 
  if (vpnProfile != null) {
  // Profile exists, check if need to update it
- if (ovpnHash.equals(vpnProfile.importedProfileHash))
+ if (ovpnHash.equals(vpnProfile.importedProfileHash)) {
+ addCertificateAlias(vpnProfile, certAlias);
+
  // not modified skip to next profile
  continue;
-
+ }
  }
  addProfile(c, ovpn, uuid, name, vpnProfile);
+ addCertificateAlias(vpnProfile, certAlias);
  }
 
  Vector<VpnProfile> profilesToRemove = new Vector<>();
@@ -181,6 +184,28 @@ private void applyRestrictions(Context c) {
  }
  }
 
+ /**
+ * If certAlias is non-null will modify the profile type to use the keystore variant of
+ * the authentication method and will also set the keystore alias
+ */
+ private void addCertificateAlias(VpnProfile vpnProfile, String certAlias) {
+ if (certAlias == null)
+ return;
+
+ switch (vpnProfile.mAuthenticationType)
+ {
+ case VpnProfile.TYPE_PKCS12:
+ case VpnProfile.TYPE_CERTIFICATES:
+ vpnProfile.mAuthenticationType = VpnProfile.TYPE_KEYSTORE;
+ break;
+ case VpnProfile.TYPE_USERPASS_CERTIFICATES:
+ case VpnProfile.TYPE_USERPASS_PKCS12:
+ vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_KEYSTORE;
+ break;
+ }
+ vpnProfile.mAlias = certAlias;
+ }
+
  private String prepare(String config) {
  String newLine = System.getProperty("line.separator");
  if (!config.contains(newLine) && !config.contains(" ")) {

diff --git a/main/src/main/res/values/untranslatable.xml b/main/src/main/res/values/untranslatable.xml
@@ -73,6 +73,8 @@
  <string name="apprest_name">Name</string>
  <string name="apprest_vpnlist">List of VPN configurations</string>
  <string name="apprest_vpnconf">VPN configuration</string>
+ <string name="apprest_certalias">Certificate Alias</string>
+ <string name="apprest_certalias_desc">Alias of a certificate in the Android keystore to use. Leave empty to not use the certificate store.</string>
  <string name="apprest_ver">Version of the managed configuration schema (Currently always 1)</string>
  <string name="apprest_defprof">UUID of the profile that should be selected as default profile in the app</string>
  <string name="privacy_policy">The app OpenVPN for Android does not communicate to any server other than the OpenVPN servers provided in configuration files. The author himself does not collect any data and no therefore also no data is saved. For the privacy policy for the OpenVPN server/VPN service you are using (or other services related to the project like GitHub), please refer to their respective privacy policy.</string>

diff --git a/main/src/main/res/xml/app_restrictions.xml b/main/src/main/res/xml/app_restrictions.xml
@@ -44,6 +44,12 @@
  android:description="@string/apprest_ovpn_desc"
  android:restrictionType="string"/>
 
+ <restriction
+ android:key="certificate_alias"
+ android:title="@string/apprest_certalias"
+ android:defaultValue=""
+ android:description="@string/apprest_certalias_desc"
+ android:restrictionType="string"/>
  <!--
  <restriction
  android:key="ovpn_list"