From e88f28b0ded04842c0753082d5d5bee9c8b1c4b2 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Sun, 1 Mar 2026 22:25:40 -0500
Subject: [PATCH] testing
---
 .gitignore | 2 ++
 piawg.sh | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..21c28ac
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+ca.rsa.4096.crt
+.ca.rsa.4096.crt
diff --git a/piawg.sh b/piawg.sh
index d997c8b..55809f3 100755
--- a/piawg.sh
+++ b/piawg.sh
@@ -70,7 +70,7 @@ renew_token() {
 }
 # Check for required external commands
-for rbin in curl jq; do
+for rbin in curl jq openssl; do
 command -v "$rbin" >/dev/null 2>&1 || err "Required binary '$rbin' not found"
 done
@@ -100,6 +100,8 @@ fi
 # Overridable defaults
 : "${PIA_API:=https://www.privateinternetaccess.com/api/client/v2/token}"
+: "${PIA_CRT:=https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt}"
+: "${PIA_HASH:=1fd25658456eab3041fba77ccd398ab8124edcc1b8b2fc1d55fdf6b1bbfc9d70}"
 : "${BAO_AUTH_PATH:=approle}"
 : "${BAO_KV_MOUNT:=kv}"
 : "${BAO_PATH_LOGIN:=piawg/creds/login}"
@@ -144,4 +146,13 @@ elif ! check_http "$http_code"; then
 fi
 printf '%s\n' "$get_token_reply"
-exit 0
+
+# Download PIA RSA CA certificate
+if [ ! -f ./ca.rsa.4096.crt ]; then
+ [ -f ./.ca.rsa.4096.crt ] && rm ./.ca.rsa.4096.crt
+ curl -sS -o ./.ca.rsa.4096.crt "$PIA_CRT"
+ pia_file_hash="$(openssl x509 -in ./.ca.rsa.4096.crt -outform DER |
+ openssl dgst -sha256 -r | awk '{print $1}')"
+ [ "$pia_file_hash" != "$PIA_HASH" ] && err "PIA CA fingerprint mismatch"
+ mv ./.ca.rsa.4096.crt ./ca.rsa.4096.crt
+fi
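Review bot: The required-binary check adds `openssl` but not `awk`, which the new certificate block in the last hunk pipes the digest through (`awk '{print $1}'`); on a host without awk, `pia_file_hash` would end up empty and the run would fail with a misleading "fingerprint mismatch" instead of a missing-dependency error. Add it to the list, `for rbin in curl jq openssl awk; do`, or drop the awk stage by trimming the digest with parameter expansion (`pia_file_hash=${pia_file_hash%% *}`) so no extra binary is needed. `rm` and `mv` used by the same block are presumably treated as always present, as the script does not check for them either.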
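Review bot: `PIA_HASH` is added to the overridable defaults with no comment saying what it pins, so a maintainer cannot tell from this line whether it is the SHA-256 of the DER-encoded certificate (which is what the last hunk computes via `openssl x509 -outform DER | openssl dgst -sha256`) or of the PEM file as downloaded. A one-line comment above it would settle that: `# SHA-256 of the DER-encoded PIA CA certificate; the download is rejected unless it matches, so change this only after confirming the new fingerprint from a second source`. Because both `PIA_CRT` and `PIA_HASH` are taken from the environment, the pin is only as strong as the caller's environment, which is worth stating in the script's usage notes as well.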
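Review bot: The `curl -sS -o ./.ca.rsa.4096.crt "$PIA_CRT"` line passes neither `--fail` nor checks curl's exit status, so an HTTP error page or a truncated download is written to the temp file and the problem only surfaces when `openssl x509` fails inside the command substitution (whose status the pipeline masks), leaving `pia_file_hash` empty and the user with a "PIA CA fingerprint mismatch" message rather than a download error. The outcome still fails closed provided `err` exits, but `err` is defined outside this hunk. Change the download to `curl -sSf -o ./.ca.rsa.4096.crt "$PIA_CRT" || err "Failed to download PIA CA certificate from $PIA_CRT"` so transport and HTTP failures are reported as such. On a mismatch the rejected `./.ca.rsa.4096.crt` is left in the working directory until the next run removes it; `[ "$pia_file_hash" != "$PIA_HASH" ] && { rm -f ./.ca.rsa.4096.crt; err "PIA CA fingerprint mismatch"; }` keeps an unverified certificate from lingering beside the script.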