testing

.gitignore

@@ -0,0 +1,2 @@
+ca.rsa.4096.crt
+.ca.rsa.4096.crt

piawg.sh

@@ -70,7 +70,7 @@ renew_token() {
 }
 
 # Check for required external commands
-for rbin in curl jq; do
+for rbin in curl jq openssl; do
 	command -v "$rbin" >/dev/null 2>&1 ||
 		err "Required binary '$rbin' not found"
 done
@@ -100,6 +100,8 @@ fi
 
 # Overridable defaults
 : "${PIA_API:=https://www.privateinternetaccess.com/api/client/v2/token}"
+: "${PIA_CRT:=https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt}"
+: "${PIA_HASH:=1fd25658456eab3041fba77ccd398ab8124edcc1b8b2fc1d55fdf6b1bbfc9d70}"
 : "${BAO_AUTH_PATH:=approle}"
 : "${BAO_KV_MOUNT:=kv}"
 : "${BAO_PATH_LOGIN:=piawg/creds/login}"
@@ -144,4 +146,13 @@ elif ! check_http "$http_code"; then
 fi
 
 printf '%s\n' "$get_token_reply"
-exit 0
+
+# Download PIA RSA CA certificate
+if [ ! -f ./ca.rsa.4096.crt ]; then
+	[ -f ./.ca.rsa.4096.crt ] && rm ./.ca.rsa.4096.crt
+	curl -sS -o ./.ca.rsa.4096.crt "$PIA_CRT"
+	pia_file_hash="$(openssl x509 -in ./.ca.rsa.4096.crt -outform DER |
+		openssl dgst -sha256 -r | awk '{print $1}')"
+	[ "$pia_file_hash" != "$PIA_HASH" ] && err "PIA CA fingerprint mismatch"
+	mv ./.ca.rsa.4096.crt ./ca.rsa.4096.crt
+fi