Minimum set of changes to get working with the new nebula cert apis

Author: nbrownus

android/app/src/main/kotlin/net/defined/mobile_nebula/NebulaVpnService.kt

@@ -100,7 +100,7 @@ class NebulaVpnService : VpnService() {
         val ipNet: CIDR
 
         try {
-            ipNet = mobileNebula.MobileNebula.parseCIDR(site!!.cert!!.cert.details.ips[0])
+            ipNet = mobileNebula.MobileNebula.parseCIDR(site!!.cert!!.cert.details.networks[0])
         } catch (err: Exception) {
             return announceExit(site!!.id, err.message ?: "$err")
         }
@@ -214,7 +214,7 @@ class NebulaVpnService : VpnService() {
     }
 
     private fun registerReloadReceiver() {
-        ContextCompat.registerReceiver(this, reloadReceiver, IntentFilter(ACTION_RELOAD), RECEIVER_NOT_EXPORTED)
+        ContextCompat.registerReceiver(this, reloadReceiver, IntentFilter(ACTION_RELOAD), ContextCompat.RECEIVER_NOT_EXPORTED)
     }
 
     private fun unregisterReloadReceiver() {

android/app/src/main/kotlin/net/defined/mobile_nebula/Sites.kt

@@ -165,8 +165,8 @@ data class CertificateDetails(
     val notAfter: String,
     val publicKey: String,
     val groups: List<String>,
-    val ips: List<String>,
-    val subnets: List<String>,
+    val networks: List<String>,
+    val unsafeNetworks: List<String>,
     val isCa: Boolean,
     val issuer: String
 )

ios/NebulaNetworkExtension/PacketTunnelProvider.swift

@@ -87,7 +87,7 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
 
     // Make sure our ip is routed to the tun device
     var err: NSError?
-    let ipNet = MobileNebulaParseCIDR(_site.cert!.cert.details.ips[0], &err)
+    let ipNet = MobileNebulaParseCIDR(_site.cert!.cert.details.networks[0], &err)
     if err != nil {
       throw err!
     }

ios/NebulaNetworkExtension/Site.swift

@@ -102,8 +102,8 @@ struct CertificateDetails: Codable {
   var notAfter: String
   var publicKey: String
   var groups: [String]
-  var ips: [String]
-  var subnets: [String]
+  var networks: [String]
+  var unsafeNetworks: [String]
   var isCa: Bool
   var issuer: String
 
@@ -114,8 +114,8 @@ struct CertificateDetails: Codable {
     notAfter = ""
     publicKey = ""
     groups = []
-    ips = ["ERROR"]
-    subnets = []
+    networks = ["ERROR"]
+    unsafeNetworks = []
     isCa = false
     issuer = ""
   }

ios/Runner.xcodeproj/project.pbxproj

@@ -288,7 +288,7 @@
 			attributes = {
 				BuildIndependentTargetsInParallel = YES;
 				LastSwiftUpdateCheck = 1140;
-				LastUpgradeCheck = 1600;
+				LastUpgradeCheck = 1510;
 				ORGANIZATIONNAME = "The Chromium Authors";
 				TargetAttributes = {
 					43AA89532444DA6500EDC39C = {

ios/Runner.xcodeproj/xcshareddata/xcschemes/Runner.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1600"
+   LastUpgradeVersion = "1510"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -66,6 +66,7 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       debugServiceExtension = "internal"
+      enableGPUValidationMode = "1"
       allowLocationSimulation = "YES">
       <BuildableProductRunnable
          runnableDebuggingMode = "0">

lib/components/SimplePage.dart

@@ -79,7 +79,7 @@ class SimplePage extends StatelessWidget {
     }
 
     if (addScrollbar) {
-      realChild = Scrollbar(child: realChild);
+      realChild = Scrollbar(controller: scrollController, child: realChild);
     }
 
     if (alignment != null) {

lib/models/Certificate.dart

@@ -36,8 +36,8 @@ class CertificateDetails {
   DateTime notAfter;
   String publicKey;
   List<String> groups;
-  List<String> ips;
-  List<String> subnets;
+  List<String> networks;
+  List<String> unsafeNetworks;
   bool isCa;
   String issuer;
 
@@ -47,8 +47,8 @@ class CertificateDetails {
       notAfter = DateTime.now(),
       publicKey = "",
       groups = [],
-      ips = [],
-      subnets = [],
+      networks = [],
+      unsafeNetworks = [],
       isCa = false,
       issuer = "DEBUG";
 
@@ -58,8 +58,8 @@ class CertificateDetails {
       notAfter = DateTime.parse(json['notAfter']),
       publicKey = json['publicKey'],
       groups = List<String>.from(json['groups']),
-      ips = List<String>.from(json['ips']),
-      subnets = List<String>.from(json['subnets']),
+      networks = List<String>.from(json['networks']),
+      unsafeNetworks = List<String>.from(json['unsafeNetworks']),
       isCa = json['isCa'],
       issuer = json['issuer'];
 }

lib/screens/siteConfig/CertificateDetailsScreen.dart

@@ -124,12 +124,12 @@ class _CertificateDetailsScreenState extends State<CertificateDetailsScreen> {
       items.add(ConfigItem(label: Text('Groups'), content: SelectableText(certInfo.cert.details.groups.join(', '))));
     }
 
-    if (certInfo.cert.details.ips.isNotEmpty) {
-      items.add(ConfigItem(label: Text('IPs'), content: SelectableText(certInfo.cert.details.ips.join(', '))));
+    if (certInfo.cert.details.networks.isNotEmpty) {
+      items.add(ConfigItem(label: Text('Networks'), content: SelectableText(certInfo.cert.details.networks.join(', '))));
     }
 
-    if (certInfo.cert.details.subnets.isNotEmpty) {
-      items.add(ConfigItem(label: Text('Subnets'), content: SelectableText(certInfo.cert.details.subnets.join(', '))));
+    if (certInfo.cert.details.unsafeNetworks.isNotEmpty) {
+      items.add(ConfigItem(label: Text('Unsafe Networks'), content: SelectableText(certInfo.cert.details.unsafeNetworks.join(', '))));
     }
 
     return items.isNotEmpty

nebula/api.go

@@ -2,6 +2,9 @@ package mobileNebula
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -62,7 +65,7 @@ func (c *APIClient) Enroll(code string) (*EnrollResult, error) {
 		return nil, fmt.Errorf("unexpected failure: %s", err)
 	}
 
-	site, err := newDNSite(meta.OrganizationName, cfg, string(pkey), *creds)
+	site, err := newDNSite(meta.Org.Name, cfg, string(pkey), *creds)
 	if err != nil {
 		return nil, fmt.Errorf("failure generating site: %s", err)
 	}
@@ -106,7 +109,7 @@ func (c *APIClient) TryUpdate(siteName string, hostID string, privateKey string,
 	defer cancel()
 	updateAvailable, err := c.c.CheckForUpdate(ctx, creds)
 	switch {
-	case errors.As(err, &dnapi.InvalidCredentialsError{}):
+	case errors.As(err, &dnapi.ErrInvalidCredentials):
 		return nil, InvalidCredentialsError{}
 	case err != nil:
 		return nil, fmt.Errorf("CheckForUpdate error: %s", err)
@@ -119,9 +122,9 @@ func (c *APIClient) TryUpdate(siteName string, hostID string, privateKey string,
 	// Perform the update and return the new site object
 	updateCtx, updateCancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer updateCancel()
-	cfg, pkey, newCreds, err := c.c.DoUpdate(updateCtx, creds)
+	cfg, pkey, newCreds, _, err := c.c.DoUpdate(updateCtx, creds)
 	switch {
-	case errors.As(err, &dnapi.InvalidCredentialsError{}):
+	case errors.As(err, &dnapi.ErrInvalidCredentials):
 		return nil, InvalidCredentialsError{}
 	case err != nil:
 		return nil, fmt.Errorf("DoUpdate error: %s", err)
@@ -144,12 +147,25 @@ func unmarshalHostPrivateKey(b []byte) (keys.PrivateKey, []byte, error) {
 	k, r, err := keys.UnmarshalHostPrivateKey(b)
 	if err != nil {
 		// We used to use a Nebula PEM header for these keys, so try that as a fallback
-		k, r, err := cert.UnmarshalEd25519PrivateKey(b)
+		k, r, c, err := cert.UnmarshalSigningPrivateKeyFromPEM(b)
 		if err != nil {
 			return nil, r, fmt.Errorf("failed fallback unmarshal: %w", err)
 		}
 
-		pk, err := keys.NewPrivateKey(k)
+		var rk any
+		switch c {
+		case cert.Curve_CURVE25519:
+			rk = ed25519.PrivateKey(k)
+		case cert.Curve_P256:
+			rk, err = ecdsa.ParseRawPrivateKey(elliptic.P256(), k)
+			if err != nil {
+				return nil, r, fmt.Errorf("failed to parse P256 private key: %s", err)
+			}
+		default:
+			return nil, r, fmt.Errorf("unsupported private key type: %s", c.String())
+		}
+
+		pk, err := keys.NewPrivateKey(rk)
 		if err != nil {
 			return nil, r, err
 		}