Refactor: Restructure project

- Add an internal folder where all the internal code lives - Make a state.go and state_test.go for the public interface This gives a more clear separation between functions and modules. It also makes this a more typical Go project setup.
author: jwijenbergh <jeroenwijenbergh@protonmail.com> 2022-04-22 16:29:59 +0200
committer: jwijenbergh <jeroenwijenbergh@protonmail.com> 2022-04-22 16:29:59 +0200
commit: b1d92b395322f2164ccfb44b0f7caebbaece6b62 (patch)
tree: 2133e4045b4af4d07a98674b7ae3a234670f0305 /internal
parent: 3a4ae2942b43923ff98fd2eca8878c3cf145686c (diff)
44 files changed, 1948 insertions, 0 deletions
diff --git a/internal/api.go b/internal/api.go
new file mode 100644
index 0000000..718702b
--- /dev/null
+++ b/internal/api.go
@@ -0,0 +1,110 @@
+package internal
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+// Authenticated wrappers on top of HTTP
+func (server *Server) apiAuthenticated(method string, endpoint string, opts *HTTPOptionalParams) (http.Header, []byte, error) {
+	// Ensure optional is not nil as we will fill it with headers
+	if opts == nil {
+		opts = &HTTPOptionalParams{}
+	}
+	url := server.Endpoints.API.V3.API + endpoint
+
+	// Ensure we have valid tokens
+	oauthErr := server.EnsureTokens()
+
+	if oauthErr != nil {
+		return nil, nil, oauthErr
+	}
+
+	headerKey := "Authorization"
+	headerValue := fmt.Sprintf("Bearer %s", server.OAuth.Token.Access)
+	if opts.Headers != nil {
+		opts.Headers.Add(headerKey, headerValue)
+	} else {
+		opts.Headers = http.Header{headerKey: {headerValue}}
+	}
+	return HTTPMethodWithOpts(method, url, opts)
+}
+
+func (server *Server) apiAuthenticatedRetry(method string, endpoint string, opts *HTTPOptionalParams) (http.Header, []byte, error) {
+	header, body, bodyErr := server.apiAuthenticated(method, endpoint, opts)
+	if bodyErr != nil {
+		var error *HTTPStatusError
+
+		// Only retry authenticated if we get a HTTP 401
+		if errors.As(bodyErr, &error) && error.Status == 401 {
+			server.Logger.Log(LOG_INFO, fmt.Sprintf("API: Got HTTP error %v, retrying authenticated", error))
+			// Tell the method that the token is expired
+			server.OAuth.Token.ExpiredTimestamp = GenerateTimeSeconds()
+			return server.apiAuthenticated(method, endpoint, opts)
+		}
+		return header, nil, bodyErr
+	}
+	return header, body, bodyErr
+}
+
+func (server *Server) APIInfo() error {
+	_, body, bodyErr := server.apiAuthenticatedRetry(http.MethodGet, "/info", nil)
+	if bodyErr != nil {
+		return bodyErr
+	}
+	structure := ServerProfileInfo{}
+	jsonErr := json.Unmarshal(body, &structure)
+
+	if jsonErr != nil {
+		return jsonErr
+	}
+
+	server.Profiles = structure
+	server.ProfilesRaw = string(body)
+	return nil
+}
+
+func (server *Server) APIConnectWireguard(profile_id string, pubkey string) (string, string, error) {
+	headers := http.Header{
+		"content-type": {"application/x-www-form-urlencoded"},
+		"accept":       {"application/x-wireguard-profile"},
+	}
+
+	urlForm := url.Values{
+		"profile_id": {profile_id},
+		"public_key": {pubkey},
+	}
+	header, connectBody, connectErr := server.apiAuthenticatedRetry(http.MethodPost, "/connect", &HTTPOptionalParams{Headers: headers, Body: urlForm})
+	if connectErr != nil {
+		return "", "", connectErr
+	}
+
+	expires := header.Get("expires")
+	return string(connectBody), expires, nil
+}
+
+func (server *Server) APIConnectOpenVPN(profile_id string) (string, string, error) {
+	headers := http.Header{
+		"content-type": {"application/x-www-form-urlencoded"},
+		"accept":       {"application/x-openvpn-profile"},
+	}
+
+	urlForm := url.Values{
+		"profile_id": {profile_id},
+	}
+	header, connectBody, connectErr := server.apiAuthenticatedRetry(http.MethodPost, "/connect", &HTTPOptionalParams{Headers: headers, Body: urlForm})
+	if connectErr != nil {
+		return "", "", connectErr
+	}
+
+	expires := header.Get("expires")
+	return string(connectBody), expires, nil
+}
+
+// This needs no further return value as it's best effort
+func (server *Server) APIDisconnect() {
+	server.apiAuthenticatedRetry(http.MethodPost, "/disconnect", nil)
+}
diff --git a/internal/config.go b/internal/config.go
new file mode 100644
index 0000000..47f773e
--- /dev/null
+++ b/internal/config.go
@@ -0,0 +1,43 @@
+package internal
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"path"
+)
+
+type Config struct {
+	Name      string
+	Directory string
+}
+
+func (config *Config) Init(name string, directory string) {
+	config.Name = name
+	config.Directory = directory
+}
+
+func (config *Config) GetFilename() string {
+	pathString := path.Join(config.Directory, config.Name)
+	return fmt.Sprintf("%s.json", pathString)
+}
+
+func (config *Config) Save(readStruct interface{}) error {
+	configDirErr := EnsureDirectory(config.Directory)
+	if configDirErr != nil {
+		return configDirErr
+	}
+	jsonString, marshalErr := json.Marshal(readStruct)
+	if marshalErr != nil {
+		return marshalErr
+	}
+	return ioutil.WriteFile(config.GetFilename(), jsonString, 0o644)
+}
+
+func (config *Config) Load(writeStruct interface{}) error {
+	bytes, readErr := ioutil.ReadFile(config.GetFilename())
+	if readErr != nil {
+		return readErr
+	}
+	return json.Unmarshal(bytes, writeStruct)
+}
diff --git a/internal/discovery.go b/internal/discovery.go
new file mode 100644
index 0000000..8c0acc7
--- /dev/null
+++ b/internal/discovery.go
@@ -0,0 +1,172 @@
+package internal
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+type DiscoFileError struct {
+	URL string
+	Err error
+}
+
+func (e *DiscoFileError) Error() string {
+	return fmt.Sprintf("failed obtaining disco file %s with error %v", e.URL, e.Err)
+}
+
+type DiscoSigFileError struct {
+	URL string
+	Err error
+}
+
+func (e *DiscoSigFileError) Error() string {
+	return fmt.Sprintf("failed obtaining disco signature file %s with error %v", e.URL, e.Err)
+}
+
+type DiscoVerifyError struct {
+	File    string
+	Sigfile string
+	Err     error
+}
+
+func (e *DiscoVerifyError) Error() string {
+	return fmt.Sprintf("failed verifying file %s with signature %s due to error %v", e.File, e.Sigfile, e.Err)
+}
+
+type DiscoJSONError struct {
+	Body string
+	Err  error
+}
+
+func (e *DiscoJSONError) Error() string {
+	return fmt.Sprintf("failed parsing JSON for contents %s with error %v", e.Body, e.Err)
+}
+
+type OrganizationList struct {
+	JSON      json.RawMessage `json:"organization_list"`
+	Version   uint64          `json:"v"`
+	Timestamp int64           `json:"-"`
+}
+
+type ServersList struct {
+	JSON      json.RawMessage `json:"server_list"`
+	Version   uint64          `json:"v"`
+	Timestamp int64           `json:"-"`
+}
+
+type Discovery struct {
+	Organizations OrganizationList
+	Servers       ServersList
+	FSM *FSM
+	Logger *FileLogger
+}
+
+// Helper function that gets a disco json
+func getDiscoFile(jsonFile string, previousVersion uint64, structure interface{}) error {
+	// Get json data
+	discoURL := "https://disco.eduvpn.org/v2/"
+	fileURL := discoURL + jsonFile
+	_, fileBody, fileErr := HTTPGet(fileURL)
+
+	if fileErr != nil {
+		return &DiscoFileError{fileURL, fileErr}
+	}
+
+	// Get signature
+	sigFile := jsonFile + ".minisig"
+	sigURL := discoURL + sigFile
+	_, sigBody, sigFileErr := HTTPGet(sigURL)
+
+	if sigFileErr != nil {
+		return &DiscoSigFileError{URL: sigURL, Err: sigFileErr}
+	}
+
+	// Verify signature
+	// Set this to true when we want to force prehash
+	forcePrehash := false
+	verifySuccess, verifyErr := Verify(string(sigBody), fileBody, jsonFile, previousVersion, forcePrehash)
+
+	if !verifySuccess || verifyErr != nil {
+		return &DiscoVerifyError{File: jsonFile, Sigfile: sigFile, Err: verifyErr}
+	}
+
+	// Parse JSON to extract version and list
+	jsonErr := json.Unmarshal(fileBody, structure)
+
+	if jsonErr != nil {
+		return &DiscoJSONError{Body: string(fileBody), Err: jsonErr}
+	}
+
+	return nil
+}
+
+type GetListError struct {
+	File string
+	Err  error
+}
+
+func (e *GetListError) Error() string {
+	return fmt.Sprintf("failed getting disco list file %s with error %v", e.File, e.Err)
+}
+
+func (discovery *Discovery) Init(fsm *FSM, logger *FileLogger) {
+	discovery.FSM = fsm
+	discovery.Logger = logger
+}
+
+// FIXME: Implement based on
+// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md
+// - [IMPLEMENTED] on "first launch" when offering the search for "Institute Access" and "Organizations";
+// - [TODO] when the user tries to add new server AND the user did NOT yet choose an organization before;
+// - [TODO] when the authorization for the server associated with an already chosen organization is triggered, e.g. after expiry or revocation.
+func (discovery *Discovery) DetermineOrganizationsUpdate() bool {
+	return string(discovery.Organizations.JSON) == ""
+}
+
+// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md
+// - [Implemented] The application MUST always fetch the server_list.json at application start.
+// - The application MAY refresh the server_list.json periodically, e.g. once every hour.
+func (discovery *Discovery) DetermineServersUpdate() bool {
+	// No servers, we should update
+	if string(discovery.Servers.JSON) == "" {
+		return true
+	}
+	// 1 hour from the last update
+	should_update_time := discovery.Servers.Timestamp + 3600
+	now := GenerateTimeSeconds()
+	if now >= should_update_time {
+		return true
+	}
+	discovery.Logger.Log(LOG_INFO, "No update needed for servers, 1h is not passed yet")
+	return false
+}
+
+// Get the organization list
+func (discovery *Discovery) GetOrganizationsList() (string, error) {
+	if !discovery.DetermineOrganizationsUpdate() {
+		return string(discovery.Organizations.JSON), nil
+	}
+	file := "organization_list.json"
+	err := getDiscoFile(file, discovery.Organizations.Version, &discovery.Organizations)
+	if err != nil {
+		// Return previous with an error
+		return string(discovery.Organizations.JSON), &GetListError{File: file, Err: err}
+	}
+	return string(discovery.Organizations.JSON), nil
+}
+
+// Get the server list
+func (discovery *Discovery) GetServersList() (string, error) {
+	if !discovery.DetermineServersUpdate() {
+		return string(discovery.Servers.JSON), nil
+	}
+	file := "server_list.json"
+	err := getDiscoFile(file, discovery.Servers.Version, &discovery.Servers)
+	if err != nil {
+		// Return previous with an error
+		return string(discovery.Servers.JSON), &GetListError{File: file, Err: err}
+	}
+	// Update servers timestamp
+	discovery.Servers.Timestamp = GenerateTimeSeconds()
+	return string(discovery.Servers.JSON), nil
+}
diff --git a/internal/fsm.go b/internal/fsm.go
new file mode 100644
index 0000000..fadc7c9
--- /dev/null
+++ b/internal/fsm.go
@@ -0,0 +1,187 @@
+package internal
+
+import (
+	"fmt"
+	"os"
+	"sort"
+)
+
+type (
+	FSMStateID      int8
+	FSMStateIDSlice []FSMStateID
+)
+
+func (v FSMStateIDSlice) Len() int {
+	return len(v)
+}
+
+func (v FSMStateIDSlice) Less(i, j int) bool {
+	return v[i] < v[j]
+}
+
+func (v FSMStateIDSlice) Swap(i, j int) {
+	v[i], v[j] = v[j], v[i]
+}
+
+const (
+	// Deregistered means the app is not registered with the wrapper
+	DEREGISTERED FSMStateID = iota
+
+	// No Server means the user has not chosen a server yet
+	NO_SERVER
+
+	// Chosen Server means the user has chosen a server to connect to
+	CHOSEN_SERVER
+
+	// OAuth Started means the OAuth process has started
+	OAUTH_STARTED
+
+	// Authenticated means the OAuth process has finished and the user is now authenticated with the server
+	AUTHENTICATED
+
+	// Requested config means the user has requested a config for connecting
+	REQUEST_CONFIG
+
+	// Has config means the user has gotten a config
+	HAS_CONFIG
+
+	// Ask profile means the go code is asking for a profile selection from the ui
+	ASK_PROFILE
+
+	// Connected means the user has been connected to the server
+	CONNECTED
+)
+
+func (s FSMStateID) String() string {
+	switch s {
+	case DEREGISTERED:
+		return "Deregistered"
+	case NO_SERVER:
+		return "No_Server"
+	case CHOSEN_SERVER:
+		return "Chosen_Server"
+	case OAUTH_STARTED:
+		return "OAuth_Started"
+	case HAS_CONFIG:
+		return "Has_Config"
+	case REQUEST_CONFIG:
+		return "Request_Config"
+	case ASK_PROFILE:
+		return "Ask_Profile"
+	case AUTHENTICATED:
+		return "Authenticated"
+	case CONNECTED:
+		return "Connected"
+	default:
+		panic("unknown conversion of state to string")
+	}
+}
+
+type FSMTransition struct {
+	To          FSMStateID
+	Description string
+}
+
+type (
+	FSMTransitions []FSMTransition
+	FSMStates      map[FSMStateID]FSMTransitions
+)
+
+type FSM struct {
+	States  FSMStates
+	Current FSMStateID
+
+	// Info to be passed from the parent state
+	StateCallback func(string, string, string)
+	Logger        *FileLogger
+	Debug         bool
+}
+
+func (fsm *FSM) Init(callback func(string, string, string), logger *FileLogger, debug bool) {
+	fsm.States = FSMStates{
+		DEREGISTERED:   {{NO_SERVER, "Client registers"}},
+		NO_SERVER:      {{CHOSEN_SERVER, "User chooses a server"}},
+		CHOSEN_SERVER:  {{AUTHENTICATED, "Found tokens in config"}, {OAUTH_STARTED, "No tokens found in config"}},
+		OAUTH_STARTED:  {{AUTHENTICATED, "User authorizes with browser"}},
+		AUTHENTICATED:  {{OAUTH_STARTED, "Re-authenticate with OAuth"}, {REQUEST_CONFIG, "Client requests a config"}},
+		REQUEST_CONFIG: {{ASK_PROFILE, "Multiple profiles found"}, {HAS_CONFIG, "Success, only one profile"}},
+		ASK_PROFILE:    {{HAS_CONFIG, "User chooses profile and success"}},
+		HAS_CONFIG:     {{CONNECTED, "OS reports connected"}},
+		CONNECTED:      {{AUTHENTICATED, "OS reports disconnected"}},
+	}
+	fsm.Current = DEREGISTERED
+	fsm.StateCallback = callback
+	fsm.Logger = logger
+	fsm.Debug = debug
+}
+
+func (fsm *FSM) InState(check FSMStateID) bool {
+	return check == fsm.Current
+}
+
+func (fsm *FSM) HasTransition(check FSMStateID) bool {
+	for _, transition_state := range fsm.States[fsm.Current] {
+		if transition_state.To == check {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (fsm *FSM) writeGraph() {
+	graph := fsm.GenerateGraph()
+
+	f, err := os.Create("debug.graph")
+	if err != nil {
+		fsm.Logger.Log(LOG_INFO, fmt.Sprintf("Failed to write debug fsm graph with error %v", err))
+	}
+
+	defer f.Close()
+
+	f.WriteString(graph)
+}
+
+func (fsm *FSM) GoTransitionWithData(newState FSMStateID, data string) bool {
+	ok := fsm.HasTransition(newState)
+
+	if ok {
+		oldState := fsm.Current
+		fsm.Current = newState
+		if fsm.Debug {
+			fsm.writeGraph()
+		}
+		fsm.StateCallback(oldState.String(), newState.String(), data)
+	}
+
+	return ok
+}
+
+func (fsm *FSM) GoTransition(newState FSMStateID) bool {
+	return fsm.GoTransitionWithData(newState, "")
+}
+
+func (fsm *FSM) generateMermaidGraph() string {
+	graph := "graph TD\n"
+	sorted_fsm := make(FSMStateIDSlice, 0, len(fsm.States))
+	for state_id := range fsm.States {
+		sorted_fsm = append(sorted_fsm, state_id)
+	}
+	sort.Sort(sorted_fsm)
+	for _, state := range sorted_fsm {
+		transitions := fsm.States[state]
+		for _, transition := range transitions {
+			if state == fsm.Current {
+				graph += "\nstyle " + state.String() + " fill:cyan\n"
+			} else {
+				graph += "\nstyle " + state.String() + " fill:white\n"
+			}
+			graph += state.String() + "(" + state.String() + ") " + "-->|" + transition.Description + "| " + transition.To.String() + "\n"
+		}
+	}
+	return graph
+}
+
+func (fsm *FSM) GenerateGraph() string {
+	return fsm.generateMermaidGraph()
+}
diff --git a/internal/http.go b/internal/http.go
new file mode 100644
index 0000000..8ca8cb9
--- /dev/null
+++ b/internal/http.go
@@ -0,0 +1,172 @@
+package internal
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type HTTPResourceError struct {
+	URL string
+	Err error
+}
+
+func (e *HTTPResourceError) Error() string {
+	return fmt.Sprintf("failed obtaining HTTP resource %s with error %v", e.URL, e.Err)
+}
+
+type HTTPStatusError struct {
+	URL    string
+	Status int
+}
+
+func (e *HTTPStatusError) Error() string {
+	return fmt.Sprintf("failed obtaining HTTP resource %s as it gave an unsuccesful status code %d", e.URL, e.Status)
+}
+
+type HTTPReadError struct {
+	URL string
+	Err error
+}
+
+func (e *HTTPReadError) Error() string {
+	return fmt.Sprintf("failed reading HTTP resource %s with error %v", e.URL, e.Err)
+}
+
+type HTTPParseJsonError struct {
+	URL  string
+	Body string
+	Err  error
+}
+
+func (e *HTTPParseJsonError) Error() string {
+	return fmt.Sprintf("failed parsing json %s for HTTP resource %s with error %v", e.Body, e.URL, e.Err)
+}
+
+type HTTPRequestCreateError struct {
+	URL string
+	Err error
+}
+
+func (e *HTTPRequestCreateError) Error() string {
+	return fmt.Sprintf("failed to create HTTP request with url %s and error %v", e.URL, e.Err)
+}
+
+type URLParameters map[string]string
+
+type HTTPOptionalParams struct {
+	Headers       http.Header
+	URLParameters URLParameters
+	Body          url.Values
+}
+
+// Construct an URL including on parameters
+func HTTPConstructURL(baseURL string, parameters URLParameters) (string, error) {
+	url, err := url.Parse(baseURL)
+	if err != nil {
+		return "", err
+	}
+
+	q := url.Query()
+
+	for parameter, value := range parameters {
+		q.Set(parameter, value)
+	}
+	url.RawQuery = q.Encode()
+	return url.String(), nil
+}
+
+// Convenience functions
+func HTTPGet(url string) (http.Header, []byte, error) {
+	return HTTPMethodWithOpts(http.MethodGet, url, nil)
+}
+
+func HTTPPost(url string, body url.Values) (http.Header, []byte, error) {
+	return HTTPMethodWithOpts(http.MethodGet, url, &HTTPOptionalParams{Body: body})
+}
+
+func HTTPGetWithOpts(url string, opts *HTTPOptionalParams) (http.Header, []byte, error) {
+	return HTTPMethodWithOpts(http.MethodGet, url, opts)
+}
+
+func HTTPPostWithOpts(url string, opts *HTTPOptionalParams) (http.Header, []byte, error) {
+	return HTTPMethodWithOpts(http.MethodPost, url, opts)
+}
+
+func httpOptionalURL(url string, opts *HTTPOptionalParams) (string, error) {
+	if opts != nil {
+		url, urlErr := HTTPConstructURL(url, opts.URLParameters)
+
+		if urlErr != nil {
+			return url, &HTTPRequestCreateError{URL: url, Err: urlErr}
+		}
+		return url, nil
+	}
+	return url, nil
+}
+
+func httpOptionalHeaders(req *http.Request, opts *HTTPOptionalParams) {
+	// Add headers
+	if opts != nil && req != nil {
+		for k, v := range opts.Headers {
+			req.Header.Add(k, v[0])
+		}
+	}
+}
+
+func httpOptionalBodyReader(opts *HTTPOptionalParams) io.Reader {
+	if opts != nil && opts.Body != nil {
+		return strings.NewReader(opts.Body.Encode())
+	}
+	return nil
+}
+
+func HTTPMethodWithOpts(method string, url string, opts *HTTPOptionalParams) (http.Header, []byte, error) {
+	// Make sure the url contains all the parameters
+	// This can return an error,
+	// it already has the right error so so we don't wrap it further
+	url, urlErr := httpOptionalURL(url, opts)
+	if urlErr != nil {
+		return nil, nil, urlErr
+	}
+
+	// Create a client
+	client := &http.Client{}
+
+	// Create request object with the body reader generated from the optional arguments
+	req, reqErr := http.NewRequest(method, url, httpOptionalBodyReader(opts))
+	if reqErr != nil {
+		return nil, nil, &HTTPRequestCreateError{URL: url, Err: reqErr}
+	}
+
+	// See https://stackoverflow.com/questions/17714494/golang-http-request-results-in-eof-errors-when-making-multiple-requests-successi
+	req.Close = true
+
+	// Make sure the headers contain all the parameters
+	httpOptionalHeaders(req, opts)
+
+	// Do request
+	resp, respErr := client.Do(req)
+	if respErr != nil {
+		return nil, nil, &HTTPResourceError{URL: url, Err: respErr}
+	}
+
+	// Request successful, make sure body is closed at the end
+	defer resp.Body.Close()
+
+	// Return a string
+	body, readErr := ioutil.ReadAll(resp.Body)
+	if readErr != nil {
+		return resp.Header, nil, &HTTPReadError{URL: url, Err: readErr}
+	}
+
+	if resp.StatusCode < 200 || resp.StatusCode > 299 {
+		return resp.Header, body, &HTTPStatusError{URL: url, Status: resp.StatusCode}
+	}
+
+	// Return the body in bytes and signal the status error if there was one
+	return resp.Header, body, nil
+}
diff --git a/internal/log.go b/internal/log.go
new file mode 100644
index 0000000..52c0f3d
--- /dev/null
+++ b/internal/log.go
@@ -0,0 +1,65 @@
+package internal
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path"
+)
+
+type FileLogger struct {
+	Level LogLevel
+	File  *os.File
+}
+
+type LogLevel int8
+
+const (
+	LOG_NOTSET LogLevel = iota
+	LOG_INFO
+	LOG_WARNING
+	LOG_ERROR
+)
+
+func (e LogLevel) String() string {
+	switch e {
+	case LOG_NOTSET:
+		return "NOTSET"
+	case LOG_INFO:
+		return "INFO"
+	case LOG_WARNING:
+		return "WARNING"
+	case LOG_ERROR:
+		return "ERROR"
+	default:
+		return "UNKNOWN"
+	}
+}
+
+func (logger *FileLogger) Init(level LogLevel, name string, directory string) error {
+	configDirErr := EnsureDirectory(directory)
+	if configDirErr != nil {
+		return configDirErr
+	}
+	logFile, logOpenErr := os.OpenFile(logger.getFilename(directory, name), os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
+	if logOpenErr != nil {
+		return logOpenErr
+	}
+	log.SetOutput(logFile)
+	return nil
+}
+
+func (logger *FileLogger) getFilename(directory string, name string) string {
+	pathString := path.Join(directory, name)
+	return fmt.Sprintf("%s.log", pathString)
+}
+
+func (logger *FileLogger) Log(level LogLevel, str string) {
+	if level >= logger.Level && logger.Level != LOG_NOTSET {
+		log.Printf("[%s]: %s", level.String(), str)
+	}
+}
+
+func (logger *FileLogger) Close() {
+	logger.File.Close()
+}
diff --git a/internal/oauth.go b/internal/oauth.go
new file mode 100644
index 0000000..1e728ca
--- /dev/null
+++ b/internal/oauth.go
@@ -0,0 +1,379 @@
+package internal
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+// Generates a random base64 string to be used for state
+// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.1
+// "state":  OPTIONAL.  An opaque value used by the client to maintain
+// state between the request and callback.  The authorization server
+// includes this value when redirecting the user agent back to the
+// client.
+func genState() (string, error) {
+	randomBytes, err := MakeRandomByteSlice(32)
+	if err != nil {
+		return "", &OAuthGenStateUnableError{Err: err}
+	}
+
+	// For consistency we also use raw url encoding here
+	return base64.RawURLEncoding.EncodeToString(randomBytes), nil
+}
+
+// Generates a sha256 base64 challenge from a verifier
+// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.8
+func genChallengeS256(verifier string) string {
+	hash := sha256.Sum256([]byte(verifier))
+
+	// We use raw url encoding as the challenge does not accept padding
+	return base64.RawURLEncoding.EncodeToString(hash[:])
+}
+
+// Generates a verifier
+// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.1
+// The code_verifier is a unique high-entropy cryptographically random
+// string generated for each authorization request, using the unreserved
+// characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~", with a
+// minimum length of 43 characters and a maximum length of 128
+// characters.
+func genVerifier() (string, error) {
+	randomBytes, err := MakeRandomByteSlice(32)
+	if err != nil {
+		return "", &OAuthGenVerifierUnableError{Err: err}
+	}
+
+	return base64.RawURLEncoding.EncodeToString(randomBytes), nil
+}
+
+type OAuth struct {
+	Session  OAuthExchangeSession `json:"-"`
+	Token    OAuthToken           `json:"token"`
+	TokenURL string               `json:"token_url"`
+	Logger   *FileLogger          `json:"-"`
+	FSM      *FSM                 `json:"-"`
+}
+
+// This structure gets passed to the callback for easy access to the current state
+type OAuthExchangeSession struct {
+	// returned from the callback
+	CallbackError error
+
+	// filled in in initialize
+	ClientID string
+	State    string
+	Verifier string
+
+	// filled in when constructing the callback
+	Context context.Context
+	Server  http.Server
+}
+
+// Struct that defines the json format for /.well-known/vpn-user-portal"
+type OAuthToken struct {
+	Access           string `json:"access_token"`
+	Refresh          string `json:"refresh_token"`
+	Type             string `json:"token_type"`
+	Expires          int64  `json:"expires_in"`
+	ExpiredTimestamp int64  `json:"expires_in_timestamp"`
+}
+
+// Gets an authenticated HTTP client by obtaining refresh and access tokens
+func (oauth *OAuth) getTokensWithCallback() error {
+	oauth.Session.Context = context.Background()
+	mux := http.NewServeMux()
+	addr := "127.0.0.1:8000"
+	oauth.Session.Server = http.Server{
+		Addr:    addr,
+		Handler: mux,
+	}
+	mux.HandleFunc("/callback", oauth.Callback)
+	if err := oauth.Session.Server.ListenAndServe(); err != http.ErrServerClosed {
+		return &OAuthFailedCallbackError{Addr: addr, Err: err}
+	}
+	return oauth.Session.CallbackError
+}
+
+// Get the access and refresh tokens
+// Access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.4
+// Refresh tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.2
+func (oauth *OAuth) getTokensWithAuthCode(authCode string) error {
+	// Make sure the verifier is set as the parameter
+	// so that the server can verify that we are the actual owner of the authorization code
+
+	reqURL := oauth.TokenURL
+	data := url.Values{
+		"client_id":     {oauth.Session.ClientID},
+		"code":          {authCode},
+		"code_verifier": {oauth.Session.Verifier},
+		"grant_type":    {"authorization_code"},
+		"redirect_uri":  {"http://127.0.0.1:8000/callback"},
+	}
+	headers := http.Header{
+		"content-type": {"application/x-www-form-urlencoded"},
+	}
+	opts := &HTTPOptionalParams{Headers: headers, Body: data}
+	current_time := GenerateTimeSeconds()
+	_, body, bodyErr := HTTPPostWithOpts(reqURL, opts)
+	if bodyErr != nil {
+		return bodyErr
+	}
+
+	tokenStructure := OAuthToken{}
+
+	jsonErr := json.Unmarshal(body, &tokenStructure)
+
+	if jsonErr != nil {
+		return &HTTPParseJsonError{URL: reqURL, Body: string(body), Err: jsonErr}
+	}
+
+	tokenStructure.ExpiredTimestamp = current_time + tokenStructure.Expires
+	oauth.Token = tokenStructure
+	return nil
+}
+
+func (oauth *OAuth) isTokensExpired() bool {
+	expired_time := oauth.Token.ExpiredTimestamp
+	current_time := GenerateTimeSeconds()
+	return current_time >= expired_time
+}
+
+// Get the access and refresh tokens with a previously received refresh token
+// Access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.4
+// Refresh tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.2
+func (oauth *OAuth) getTokensWithRefresh() error {
+	reqURL := oauth.TokenURL
+	data := url.Values{
+		"refresh_token": {oauth.Token.Refresh},
+		"grant_type":    {"refresh_token"},
+	}
+	headers := http.Header{
+		"content-type": {"application/x-www-form-urlencoded"},
+	}
+	opts := &HTTPOptionalParams{Headers: headers, Body: data}
+	current_time := GenerateTimeSeconds()
+	_, body, bodyErr := HTTPPostWithOpts(reqURL, opts)
+	if bodyErr != nil {
+		return bodyErr
+	}
+
+	tokenStructure := OAuthToken{}
+	jsonErr := json.Unmarshal(body, &tokenStructure)
+
+	if jsonErr != nil {
+		return &HTTPParseJsonError{URL: reqURL, Body: string(body), Err: jsonErr}
+	}
+
+	tokenStructure.ExpiredTimestamp = current_time + tokenStructure.Expires
+	oauth.Token = tokenStructure
+	return nil
+}
+
+//
+//// The callback to retrieve the authorization code: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.1
+func (oauth *OAuth) Callback(w http.ResponseWriter, req *http.Request) {
+	// Extract the authorization code
+	code, success := req.URL.Query()["code"]
+	if !success {
+		oauth.Session.CallbackError = &OAuthFailedCallbackParameterError{Parameter: "code", URL: req.URL.String()}
+		go oauth.Session.Server.Shutdown(oauth.Session.Context)
+		return
+	}
+	// The code is the first entry
+	extractedCode := code[0]
+
+	// Make sure the state is present and matches to protect against cross-site request forgeries
+	// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.15
+	state, success := req.URL.Query()["state"]
+	if !success {
+		oauth.Session.CallbackError = &OAuthFailedCallbackParameterError{Parameter: "state", URL: req.URL.String()}
+		go oauth.Session.Server.Shutdown(oauth.Session.Context)
+		return
+	}
+	// The state is the first entry
+	extractedState := state[0]
+	if extractedState != oauth.Session.State {
+		oauth.Session.CallbackError = &OAuthFailedCallbackStateMatchError{State: extractedState, ExpectedState: oauth.Session.State}
+		go oauth.Session.Server.Shutdown(oauth.Session.Context)
+		return
+	}
+
+	// Now that we have obtained the authorization code, we can move to the next step:
+	// Obtaining the access and refresh tokens
+	err := oauth.getTokensWithAuthCode(extractedCode)
+	if err != nil {
+		oauth.Session.CallbackError = &OAuthFailedCallbackGetTokensError{Err: err}
+		go oauth.Session.Server.Shutdown(oauth.Session.Context)
+		return
+	}
+
+	// Shutdown the server as we're done listening
+	go oauth.Session.Server.Shutdown(oauth.Session.Context)
+}
+
+func (oauth *OAuth) Init(fsm *FSM, logger *FileLogger) {
+	oauth.FSM = fsm
+	oauth.Logger = logger
+}
+
+// Starts the OAuth exchange for eduvpn.
+func (oauth *OAuth) start(name string, authorizationURL string, tokenURL string) error {
+	if !oauth.FSM.HasTransition(OAUTH_STARTED) {
+		return errors.New(fmt.Sprintf("Failed starting oauth, invalid state %s", oauth.FSM.Current.String()))
+	}
+	// Generate the state
+	state, stateErr := genState()
+	if stateErr != nil {
+		return &OAuthFailedInitializeError{Err: stateErr}
+	}
+
+	// Generate the verifier and challenge
+	verifier, verifierErr := genVerifier()
+	if verifierErr != nil {
+		return &OAuthFailedInitializeError{Err: verifierErr}
+	}
+	challenge := genChallengeS256(verifier)
+
+	parameters := map[string]string{
+		"client_id":             name,
+		"code_challenge_method": "S256",
+		"code_challenge":        challenge,
+		"response_type":         "code",
+		"scope":                 "config",
+		"state":                 state,
+		"redirect_uri":          "http://127.0.0.1:8000/callback",
+	}
+
+	authURL, urlErr := HTTPConstructURL(authorizationURL, parameters)
+
+	if urlErr != nil { // shouldn't happen
+		panic(urlErr)
+	}
+
+	// Fill the struct with the necessary fields filled for the next call to getting the HTTP client
+	oauthSession := OAuthExchangeSession{ClientID: name, State: state, Verifier: verifier}
+	oauth.TokenURL = tokenURL
+	oauth.Session = oauthSession
+	oauth.FSM.GoTransitionWithData(OAUTH_STARTED, authURL)
+	return nil
+}
+
+// Error definitions
+func (oauth *OAuth) Finish() error {
+	if !oauth.FSM.HasTransition(AUTHENTICATED) {
+		return errors.New("invalid state to finish oauth")
+	}
+	tokenErr := oauth.getTokensWithCallback()
+	if tokenErr != nil {
+		return tokenErr
+	}
+	oauth.FSM.GoTransition(AUTHENTICATED)
+	return nil
+}
+
+func (oauth *OAuth) Login(name string, authorizationURL string, tokenURL string) error {
+	authInitializeErr := oauth.start(name, authorizationURL, tokenURL)
+
+	if authInitializeErr != nil {
+		return authInitializeErr
+	}
+
+	oauthErr := oauth.Finish()
+
+	if oauthErr != nil {
+		return oauthErr
+	}
+	return nil
+}
+
+func (oauth *OAuth) NeedsRelogin() bool {
+	// Access Token or Refresh Tokens empty, definitely needs a relogin
+	if oauth.Token.Access == "" || oauth.Token.Refresh == "" {
+		oauth.Logger.Log(LOG_INFO, "OAuth: Tokens are empty")
+		return true
+	}
+
+	// We have tokens...
+
+	// The tokens are not expired yet
+	// No relogin is needed
+	if !oauth.isTokensExpired() {
+		oauth.Logger.Log(LOG_INFO, "OAuth: Tokens are not expired, re-login not needed")
+		return false
+	}
+
+	refreshErr := oauth.getTokensWithRefresh()
+	// We have obtained new tokens with refresh
+	if refreshErr == nil {
+		oauth.Logger.Log(LOG_INFO, "OAuth: Tokens could be re-acquired using the refresh token, re-login not needed")
+		return false
+	}
+
+	// Otherwise relogin is really needed
+	return true
+}
+
+type OAuthGenStateUnableError struct {
+	Err error
+}
+
+func (e *OAuthGenStateUnableError) Error() string {
+	return fmt.Sprintf("failed generating state with error %v", e.Err)
+}
+
+type OAuthGenVerifierUnableError struct {
+	Err error
+}
+
+func (e *OAuthGenVerifierUnableError) Error() string {
+	return fmt.Sprintf("failed generating verifier with error %v", e.Err)
+}
+
+type OAuthFailedCallbackError struct {
+	Addr string
+	Err  error
+}
+
+func (e *OAuthFailedCallbackError) Error() string {
+	return fmt.Sprintf("failed callback %s with error %v", e.Addr, e.Err)
+}
+
+type OAuthFailedCallbackParameterError struct {
+	Parameter string
+	URL       string
+}
+
+func (e *OAuthFailedCallbackParameterError) Error() string {
+	return fmt.Sprintf("failed retrieving parameter %s in url %s", e.Parameter, e.URL)
+}
+
+type OAuthFailedCallbackStateMatchError struct {
+	State         string
+	ExpectedState string
+}
+
+func (e *OAuthFailedCallbackStateMatchError) Error() string {
+	return fmt.Sprintf("failed matching state, got %s, want %s", e.State, e.ExpectedState)
+}
+
+type OAuthFailedCallbackGetTokensError struct {
+	Err error
+}
+
+func (e *OAuthFailedCallbackGetTokensError) Error() string {
+	return fmt.Sprintf("failed getting tokens with error %v", e.Err)
+}
+
+type OAuthFailedInitializeError struct {
+	Err error
+}
+
+func (e *OAuthFailedInitializeError) Error() string {
+	return fmt.Sprintf("failed initializing OAuth with error %v", e.Err)
+}
diff --git a/internal/openvpn.go b/internal/openvpn.go
new file mode 100644
index 0000000..1b2e626
--- /dev/null
+++ b/internal/openvpn.go
@@ -0,0 +1,12 @@
+package internal
+
+func (server *Server) OpenVPNGetConfig() (string, error) {
+	profile_id := server.Profiles.Current
+	configOpenVPN, _, configErr := server.APIConnectOpenVPN(profile_id)
+
+	if configErr != nil {
+		return "", configErr
+	}
+
+	return configOpenVPN, nil
+}
diff --git a/internal/server.go b/internal/server.go
new file mode 100644
index 0000000..eb7f8fe
--- /dev/null
+++ b/internal/server.go
@@ -0,0 +1,196 @@
+package internal
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+)
+
+type Server struct {
+	BaseURL     string            `json:"base_url"`
+	Endpoints   ServerEndpoints   `json:"endpoints"`
+	OAuth       OAuth             `json:"oauth"`
+	Profiles    ServerProfileInfo `json:"profiles"`
+	ProfilesRaw string            `json:"profiles_raw"`
+	Logger      *FileLogger       `json:"-"`
+	FSM         *FSM              `json:"-"`
+}
+
+type Servers struct {
+	List    map[string]*Server `json:"list"`
+	Current string             `json:"current"`
+}
+
+func (servers *Servers) GetCurrentServer() (*Server, error) {
+	if servers.List == nil {
+		return nil, errors.New("No map found to get Current Server")
+	}
+	server, exists := servers.List[servers.Current]
+
+	if !exists || server == nil {
+		return nil, errors.New("Current Server not found")
+	}
+	return server, nil
+}
+
+func (server *Server) Init(url string, fsm *FSM, logger *FileLogger) error {
+	server.BaseURL = url
+	server.FSM = fsm
+	server.Logger = logger
+	server.OAuth.Init(fsm, logger)
+	endpointsErr := server.GetEndpoints()
+	if endpointsErr != nil {
+		return endpointsErr
+	}
+	return nil
+}
+
+func (server *Server) EnsureTokens() error {
+	if server.OAuth.NeedsRelogin() {
+		server.Logger.Log(LOG_INFO, "OAuth: Tokens are invalid, relogging in")
+		return server.Login()
+	}
+	return nil
+}
+
+func (servers *Servers) EnsureServer(url string, fsm *FSM, logger *FileLogger) *Server {
+	if servers.List == nil {
+		servers.List = make(map[string]*Server)
+	}
+
+	server, exists := servers.List[url]
+
+	if !exists || server == nil {
+		server = &Server{}
+	}
+	server.Init(url, fsm, logger)
+	servers.List[url] = server
+	servers.Current = url
+	return server
+}
+
+type ServerProfile struct {
+	ID             string   `json:"profile_id"`
+	DisplayName    string   `json:"display_name"`
+	VPNProtoList   []string `json:"vpn_proto_list"`
+	DefaultGateway bool     `json:"default_gateway"`
+}
+
+type ServerProfileInfo struct {
+	Current string `json:"current_profile"`
+	Info    struct {
+		ProfileList []ServerProfile `json:"profile_list"`
+	} `json:"info"`
+}
+
+type ServerEndpointList struct {
+	API           string `json:"api_endpoint"`
+	Authorization string `json:"authorization_endpoint"`
+	Token         string `json:"token_endpoint"`
+}
+
+// Struct that defines the json format for /.well-known/vpn-user-portal"
+type ServerEndpoints struct {
+	API struct {
+		V2 ServerEndpointList `json:"http://eduvpn.org/api#2"`
+		V3 ServerEndpointList `json:"http://eduvpn.org/api#3"`
+	} `json:"api"`
+	V string `json:"v"`
+}
+
+func (server *Server) Login() error {
+	return server.OAuth.Login("org.eduvpn.app.linux", server.Endpoints.API.V3.Authorization, server.Endpoints.API.V3.Token)
+}
+
+func (server *Server) NeedsRelogin() bool {
+	// Check if OAuth needs relogin
+	return server.OAuth.NeedsRelogin()
+}
+
+func (server *Server) GetEndpoints() error {
+	url := server.BaseURL + "/.well-known/vpn-user-portal"
+	_, body, bodyErr := HTTPGet(url)
+
+	if bodyErr != nil {
+		return bodyErr
+	}
+
+	endpoints := ServerEndpoints{}
+	jsonErr := json.Unmarshal(body, &endpoints)
+
+	if jsonErr != nil {
+		return jsonErr
+	}
+
+	server.Endpoints = endpoints
+
+	return nil
+}
+
+func (profile *ServerProfile) supportsWireguard() bool {
+	for _, proto := range profile.VPNProtoList {
+		if proto == "wireguard" {
+			return true
+		}
+	}
+	return false
+}
+
+func (server *Server) getCurrentProfile() (*ServerProfile, error) {
+	profile_id := server.Profiles.Current
+	for _, profile := range server.Profiles.Info.ProfileList {
+		if profile.ID == profile_id {
+			return &profile, nil
+		}
+	}
+	return nil, errors.New("no profile found for id")
+}
+
+func (server *Server) getConfigWithProfile() (string, error) {
+	if !server.FSM.HasTransition(HAS_CONFIG) {
+		return "", errors.New("cannot get a config with a profile, invalid state")
+	}
+	profile, profileErr := server.getCurrentProfile()
+
+	if profileErr != nil {
+		return "", profileErr
+	}
+
+	if profile.supportsWireguard() {
+		return server.WireguardGetConfig()
+	}
+	return server.OpenVPNGetConfig()
+}
+
+func (server *Server) askForProfileID() error {
+	if !server.FSM.HasTransition(ASK_PROFILE) {
+		return errors.New("cannot ask for a profile id, invalid state")
+	}
+	server.FSM.GoTransitionWithData(ASK_PROFILE, server.ProfilesRaw)
+	return nil
+}
+
+func (server *Server) GetConfig() (string, error) {
+	if !server.FSM.InState(REQUEST_CONFIG) {
+		return "", errors.New(fmt.Sprintf("cannot get a config, invalid state %s", server.FSM.Current.String()))
+	}
+	infoErr := server.APIInfo()
+
+	if infoErr != nil {
+		return "", infoErr
+	}
+
+	// Set the current profile if there is only one profile
+	if len(server.Profiles.Info.ProfileList) == 1 {
+		server.Profiles.Current = server.Profiles.Info.ProfileList[0].ID
+		return server.getConfigWithProfile()
+	}
+
+	profileErr := server.askForProfileID()
+
+	if profileErr != nil {
+		return "", nil
+	}
+
+	return server.getConfigWithProfile()
+}
diff --git a/internal/test_data/empty b/internal/test_data/empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/internal/test_data/empty
diff --git a/internal/test_data/generate.sh b/internal/test_data/generate.sh
new file mode 100644
index 0000000..b1b4545
--- /dev/null
+++ b/internal/test_data/generate.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# Generate testcases with fake keys
+
+# Make sure we do not delete *.minisigs etc. in the wrong directory
+if [ ${PWD##*/} != "test_data" ]
+then
+	>&2 echo "Wrong directory, should be run in test_data/"
+	exit 1
+fi
+
+rm -f *.minisig *.blake2b
+
+# Uncomment to regenerate keys
+#rm -f *.key
+#echo -en "\n\n" | minisign -Gf -p public.key -s secret.key &
+#echo -en "\n\n" | minisign -Gf -p wrong_public.key -s wrong_secret.key &
+#wait
+
+# Try to create pure signature with default Minisign (works with version < 0.10)
+echo | minisign -Sm server_list.json -x server_list.json.pure.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key
+# Check if it is actually a prehashed signature
+if echo | minisign -VHm server_list.json -x server_list.json.pure.minisig -p public.key
+then
+	echo "minisign version is >0.9, trying minisign-0.9"
+	# If it is, try to sign with some minisign-0.9 program
+	if ! echo | minisign-0.9 -Sm server_list.json -x server_list.json.pure.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key
+	then
+		>&2 echo -e "\n\nTo produce a non-prehashed signature we need Minisign 0.9\n\n"
+	fi
+fi
+
+# Rest works with Minisign 0.9 and 0.10 (and up, probably)
+
+echo | minisign -SHm server_list.json -t $'timestamp:10\tfile:server_list.json\thashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_nohashed.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_latertime.minisig -t $'timestamp:20\tfile:server_list.json\t hashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_orglist.minisig -t $'timestamp:10\tfile:organization_list.json\thashed' -s secret.key &
+wait
+echo | minisign -SHm server_list.json -x server_list.json.tc_otherfile.minisig -t $'timestamp:10\tfile:otherfile\thashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_nofile.minisig -t $'timestamp:10\thashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_notime.minisig -t $'file:server_list.json\thashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_emptytime.minisig -t $'timestamp:\tfile:server_list.json\thashed' -s secret.key &
+wait
+echo | minisign -SHm server_list.json -x server_list.json.tc_emptyfile.minisig -t $'timestamp:10\tfile:\thashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_earliertime.minisig -t $'timestamp:9\tfile:server_list.json\thashed' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.tc_random.minisig -t 'random stuff' -s secret.key &
+echo | minisign -SHm server_list.json -x server_list.json.large_time.minisig -t $'timestamp:4300000000\tfile:server_list.json' -s secret.key &
+wait
+
+echo | minisign -SHm organization_list.json -t $'timestamp:10\tfile:organization_list.json\thashed' -s secret.key &
+echo | minisign -SHm organization_list.json -x organization_list.json.tc_servlist.minisig -t $'timestamp:10\tfile:server_list.json\thashed' -s secret.key &
+
+echo | minisign -SHm other_list.json -t $'timestamp:10\tfile:other_list.json\thashed' -s secret.key &
+
+echo | minisign -SHm server_list.json -x server_list.json.wrong_key.minisig -t $'timestamp:10\tfile:server_list.json\thashed' -s wrong_secret.key &
+wait
+
+./generate_forged.py
diff --git a/internal/test_data/generate_forged.py b/internal/test_data/generate_forged.py
new file mode 100644
index 0000000..843b32d
--- /dev/null
+++ b/internal/test_data/generate_forged.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+
+import hashlib
+import base64
+
+# Hash server_list.json
+
+with open("server_list.json", "rb") as f:
+	b = f.read()
+
+with open("server_list.json.blake2b", "wb") as f:
+	f.write(hashlib.blake2b(b).digest())
+
+# Forge pure signature on hash, see https://github.com/jedisct1/minisign/issues/104
+
+with open("server_list.json.minisig", "rb") as f:
+	siglines = f.readlines()
+
+siglines[0] = b"untrusted comment: this signature has ED changed to Ed\n"
+sig = base64.b64decode(siglines[1])
+siglines[1] = base64.b64encode(b"Ed" + sig[2:]) + b"\n"
+
+with open("server_list.json.forged_pure.minisig", "wb") as f:
+	f.writelines(siglines)
+	# Should now work: minisign -Vm server_list.json.blake2b -x server_list.json.forged_pure.minisig -p public-key
+
+# Try to forge key ID
+
+with open("server_list.json.wrong_key.minisig", "rb") as f:
+	siglines = f.readlines()
+
+siglines[0] = b"untrusted comment: this signature was created with wrong_secret.key but has key ID changed to that of public.key\n"
+sig_wrong = base64.b64decode(siglines[1])
+siglines[1] = base64.b64encode(sig_wrong[:2] + sig[2:2+8] + sig_wrong[2+8:]) + b"\n"
+
+with open("server_list.json.forged_keyid.minisig", "wb") as f:
+	f.writelines(siglines)
diff --git a/internal/test_data/organization_list.json b/internal/test_data/organization_list.json
new file mode 100644
index 0000000..8c53044
--- /dev/null
+++ b/internal/test_data/organization_list.json
@@ -0,0 +1 @@
+{"organization_list": [{}]}
+\ No newline at end of file
diff --git a/internal/test_data/organization_list.json.minisig b/internal/test_data/organization_list.json.minisig
new file mode 100644
index 0000000..1fa546e
--- /dev/null
+++ b/internal/test_data/organization_list.json.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH31cHjNvTEh+TCqDVCwUgFVZoRdgWYAaQDxH3L3UIsRi9Qb1O4vLI4V1CYPatKzXZnSodSJM/AZgl9v7l/5bfPQ0=
+trusted comment: timestamp:10	file:organization_list.json	hashed
+21zZv1DviMpLCdv1NgzLBl6d+F1ZllSNyjAquYxhTHGcs2F64bDFpqY0I0xjCHIoXly6HKqJKIBXNgud12ijCQ==
diff --git a/internal/test_data/organization_list.json.tc_servlist.minisig b/internal/test_data/organization_list.json.tc_servlist.minisig
new file mode 100644
index 0000000..a7fe41f
--- /dev/null
+++ b/internal/test_data/organization_list.json.tc_servlist.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH31cHjNvTEh+TCqDVCwUgFVZoRdgWYAaQDxH3L3UIsRi9Qb1O4vLI4V1CYPatKzXZnSodSJM/AZgl9v7l/5bfPQ0=
+trusted comment: timestamp:10	file:server_list.json	hashed
+R6hjM/oMS5LAvpYM4F6E7iUpnlPxqiY0QfuOnpum31CW0sUy/Ypy2PiomSwvZXKVR7keEZS/+lZjyra9TkrLDQ==
diff --git a/internal/test_data/other_list.json b/internal/test_data/other_list.json
new file mode 100644
index 0000000..25ba1a8
--- /dev/null
+++ b/internal/test_data/other_list.json
@@ -0,0 +1 @@
+{"other_list": [{}]}
+\ No newline at end of file
diff --git a/internal/test_data/other_list.json.minisig b/internal/test_data/other_list.json.minisig
new file mode 100644
index 0000000..eaa2248
--- /dev/null
+++ b/internal/test_data/other_list.json.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH366C1RnYeUAgEeX/S5A1Z9qmkV2+GJaVj06FWGd4aMLc+HS7iFMhG69u3TVD4YmzMH12rk7hQrnyCC6ex8ypIQA=
+trusted comment: timestamp:10	file:other_list.json	hashed
+26+608n+bjQF9lwNdXbIK6t5bP8dzhjNQ9hACeYJLiB2tr437Aec2GkmJh0jSiRv1QV4RYBcKJeHQBUcV2grCQ==
diff --git a/internal/test_data/public.key b/internal/test_data/public.key
new file mode 100644
index 0000000..72676d3
--- /dev/null
+++ b/internal/test_data/public.key
@@ -0,0 +1,2 @@
+untrusted comment: minisign public key DF07F868DFAB9B4C
+RWRMm6vfaPgH39iT++NBiUKZim2nDWnalgkNROovPbZdSwVFgUdKU4ac
diff --git a/internal/test_data/random.txt b/internal/test_data/random.txt
new file mode 100644
index 0000000..b6fc4c6
--- /dev/null
+++ b/internal/test_data/random.txt
@@ -0,0 +1 @@
+hello
+\ No newline at end of file
diff --git a/internal/test_data/secret.key b/internal/test_data/secret.key
new file mode 100644
index 0000000..6e4af37
--- /dev/null
+++ b/internal/test_data/secret.key
@@ -0,0 +1,2 @@
+untrusted comment: minisign encrypted secret key
+RWRTY0IyobkTOt4ugAHNTPB6zOxHgX8spW6HQWddB5IrdCPDAgsAAAACAAAAAAAAAEAAAAAAvK1S1gsOgozZHuIdLWXq1IwxnWVr+dlySiykTbO6F85HvzPtgxZ7oLcGkT/vPdskAh0SV9H2ylHlt9oarXcWNDKs2r6EcZw/qy5FsD+5uhPfxwWV4qDF+1G456tYDYID63d50CgzdO0=
diff --git a/internal/test_data/server_list.json b/internal/test_data/server_list.json
new file mode 100644
index 0000000..67c4c8d
--- /dev/null
+++ b/internal/test_data/server_list.json
@@ -0,0 +1,3 @@
+{
+"server_list": [{}]
+}
+\ No newline at end of file
diff --git a/internal/test_data/server_list.json.blake2b b/internal/test_data/server_list.json.blake2b
new file mode 100644
index 0000000..5d2ca5a
--- /dev/null
+++ b/internal/test_data/server_list.json.blake2b
diff --git a/internal/test_data/server_list.json.forged_keyid.minisig b/internal/test_data/server_list.json.forged_keyid.minisig
new file mode 100644
index 0000000..efa349d
--- /dev/null
+++ b/internal/test_data/server_list.json.forged_keyid.minisig
@@ -0,0 +1,4 @@
+untrusted comment: this signature was created with wrong_secret.key but has key ID changed to that of public.key
+RURMm6vfaPgH35aarz3NMq4gbv6JvzOnjG003bDe6USu+HT/JzuxHjQcQGE/KBPdyCF6BDDwwFu+NVmi5jotYCJHWOEqSBU70gE=
+trusted comment: timestamp:10	file:server_list.json	hashed
+3BWYJamM3t6ImuXQufTeO81UMZNyM7TujMu7SCmR+oapsSEBpmkazGOgzlJYR53HP9K9zrEA+4lV8gFFngooBA==
diff --git a/internal/test_data/server_list.json.forged_pure.minisig b/internal/test_data/server_list.json.forged_pure.minisig
new file mode 100644
index 0000000..a362504
--- /dev/null
+++ b/internal/test_data/server_list.json.forged_pure.minisig
@@ -0,0 +1,4 @@
+untrusted comment: this signature has ED changed to Ed
+RWRMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	file:server_list.json	hashed
+oK41aX7rmpbO2ohF3v3+JGgSexQaVlfWvYPzaKEkDlJm8mVZtuK/h26SCRuL6PbTR92DLZU59rw8ckICUH/ADw==
diff --git a/internal/test_data/server_list.json.large_time.minisig b/internal/test_data/server_list.json.large_time.minisig
new file mode 100644
index 0000000..79a2a52
--- /dev/null
+++ b/internal/test_data/server_list.json.large_time.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:4300000000	file:server_list.json
+L9C58LIq7bTLf4otqW4Eb+ASL0+FM7nRRjstCBuCPtuUerFIsOqNUpDp2AQJJ4pZJKE7SkgIq2tV8/IaVpzxBQ==
diff --git a/internal/test_data/server_list.json.minisig b/internal/test_data/server_list.json.minisig
new file mode 100644
index 0000000..143585b
--- /dev/null
+++ b/internal/test_data/server_list.json.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	file:server_list.json	hashed
+oK41aX7rmpbO2ohF3v3+JGgSexQaVlfWvYPzaKEkDlJm8mVZtuK/h26SCRuL6PbTR92DLZU59rw8ckICUH/ADw==
diff --git a/internal/test_data/server_list.json.pure.minisig b/internal/test_data/server_list.json.pure.minisig
new file mode 100644
index 0000000..57dccfc
--- /dev/null
+++ b/internal/test_data/server_list.json.pure.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RWRMm6vfaPgH3zQ/rcq2GMsNz1SYySz+olupm0I+nzNpOkPyUHTBwig3Pep4biOk/bH73bH+0sLNoZPcDk1f2Acn8JINc9MWMw4=
+trusted comment: timestamp:10	file:server_list.json
+FZ0eA96SlADsMrSOUgStQJpmUnBGpPbRvNI/oaYhKrylu6jUcXOgsRu6571mmDxYdlruSuUSlQbdmG81Qbl4AA==
diff --git a/internal/test_data/server_list.json.tc_earliertime.minisig b/internal/test_data/server_list.json.tc_earliertime.minisig
new file mode 100644
index 0000000..03da710
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_earliertime.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:9	file:server_list.json	hashed
+vw3wjLDNZWoV98/GnFv38REiaeh+wUPEZgmBUvY35CEq00jDdHiJcYRV/7zBoKv+n9TAYxZ8WKUOGWNOPonTBg==
diff --git a/internal/test_data/server_list.json.tc_emptyfile.minisig b/internal/test_data/server_list.json.tc_emptyfile.minisig
new file mode 100644
index 0000000..a7aa3ed
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_emptyfile.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	file:	hashed
+g4drZ91TcYXNLnIGbeH5ZIFzrs2wWB9JTXjV3Jwg9ehSC2D8lCTqw3u2Rg+PvLPRvYmXTHyuJoKNWelsSh64CA==
diff --git a/internal/test_data/server_list.json.tc_emptytime.minisig b/internal/test_data/server_list.json.tc_emptytime.minisig
new file mode 100644
index 0000000..d3ef01e
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_emptytime.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:	file:server_list.json	hashed
+lw5rnZsPi+TkZ4lOCy7bjsUgTXxG+jaGOGdHuNL95FSD2mmP9ZzEJPrJ2jnH7iYfkF3zDm0QvEUDxhEirlHBDA==
diff --git a/internal/test_data/server_list.json.tc_latertime.minisig b/internal/test_data/server_list.json.tc_latertime.minisig
new file mode 100644
index 0000000..8237123
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_latertime.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:20	file:server_list.json	 hashed
+rHcsHF2mmcZvDLreeuljVauuFULWiY8luCsxyBxxobcJkCedEDW3/RX5KeT+2NjHSFuQxkmrYOBWTY9+ECuUDQ==
diff --git a/internal/test_data/server_list.json.tc_nofile.minisig b/internal/test_data/server_list.json.tc_nofile.minisig
new file mode 100644
index 0000000..3c1dcbe
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_nofile.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	hashed
+NonaTZH7RDbsHXv85M7sL43YE7CTzs5qDRRoFYjajeqzHa+hdIuMGyemK85rAJ3prLGnMdWHkZhD4hsr3cZoDA==
diff --git a/internal/test_data/server_list.json.tc_nohashed.minisig b/internal/test_data/server_list.json.tc_nohashed.minisig
new file mode 100644
index 0000000..1d140c1
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_nohashed.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	file:server_list.json
+HaPGKT+Jqxjyw2Nt1GEKaPIZsAmVl/RI6p1mQ+S1LqzYicVgT5GxPs9NR6khdGGIFvo/xhVkXFceAWTRUCVQAg==
diff --git a/internal/test_data/server_list.json.tc_notime.minisig b/internal/test_data/server_list.json.tc_notime.minisig
new file mode 100644
index 0000000..39625c3
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_notime.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: file:server_list.json	hashed
+dMhb+0Y0KAO2tzI4g0ukL/VdMiLVopmXa9BS1RQBY8bYwzmebdIM4DAIZrhtO1avkpdy0prZehuhA1No6cOSAw==
diff --git a/internal/test_data/server_list.json.tc_orglist.minisig b/internal/test_data/server_list.json.tc_orglist.minisig
new file mode 100644
index 0000000..7c2a3a8
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_orglist.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	file:organization_list.json	hashed
+NreDM4iGEjMWs5sfaJCGZBZ7D9QLqxBKJ/fVW2lvIDr249DSUNR4ZRca8UL73e3c9eTXgHnY/ojsjDtzxDScDw==
diff --git a/internal/test_data/server_list.json.tc_otherfile.minisig b/internal/test_data/server_list.json.tc_otherfile.minisig
new file mode 100644
index 0000000..58a29b2
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_otherfile.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: timestamp:10	file:otherfile	hashed
+PfDEIMlt2aNFyOnqHb45S7xm4fIg0vfUUbqXENPxry9GEZFX14c5BGtgcL/krDg8WFJHcIA5bzYcX58kgBiZCA==
diff --git a/internal/test_data/server_list.json.tc_random.minisig b/internal/test_data/server_list.json.tc_random.minisig
new file mode 100644
index 0000000..7240980
--- /dev/null
+++ b/internal/test_data/server_list.json.tc_random.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs=
+trusted comment: random stuff
+szGsyESH0EizTXH6n0yuQg6sHTKXr+TJW/Er9ZNJYgQV+1hVM+fc5q1EmVsJlA3kW4Rt/d1p9F0ShLIIgW2vAA==
diff --git a/internal/test_data/server_list.json.wrong_key.minisig b/internal/test_data/server_list.json.wrong_key.minisig
new file mode 100644
index 0000000..5a83c0e
--- /dev/null
+++ b/internal/test_data/server_list.json.wrong_key.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RUTQvDHvQuYCCJaarz3NMq4gbv6JvzOnjG003bDe6USu+HT/JzuxHjQcQGE/KBPdyCF6BDDwwFu+NVmi5jotYCJHWOEqSBU70gE=
+trusted comment: timestamp:10	file:server_list.json	hashed
+3BWYJamM3t6ImuXQufTeO81UMZNyM7TujMu7SCmR+oapsSEBpmkazGOgzlJYR53HP9K9zrEA+4lV8gFFngooBA==
diff --git a/internal/test_data/wrong_public.key b/internal/test_data/wrong_public.key
new file mode 100644
index 0000000..aa794d4
--- /dev/null
+++ b/internal/test_data/wrong_public.key
@@ -0,0 +1,2 @@
+untrusted comment: minisign public key 802E642EF31BCD0
+RWTQvDHvQuYCCPDLi3UCXzj3BbzFM5QxUFfrp174iaqYo8lT0VaAkhOt
diff --git a/internal/test_data/wrong_secret.key b/internal/test_data/wrong_secret.key
new file mode 100644
index 0000000..68e9092
--- /dev/null
+++ b/internal/test_data/wrong_secret.key
@@ -0,0 +1,2 @@
+untrusted comment: minisign encrypted secret key
+RWRTY0Iyrc2CTG2W1ZqEq9tb94oQWTnYUy4k8boMf13478FwlDYAAAACAAAAAAAAAEAAAAAA2gFhwOtjETu5WN1LpgtJHV1dk/7466LBJ8dgO/pZoQ3LLAYxlswJHVR/N/Q1HmmKvlxWo2jNTJcARXuHHlMTEgg1MERTldE88CqETrVbvq1JaqJlAY/HMkiqNEUR3L6+5VHbYPKXlVQ=
diff --git a/internal/util.go b/internal/util.go
new file mode 100644
index 0000000..02855c2
--- /dev/null
+++ b/internal/util.go
@@ -0,0 +1,30 @@
+package internal
+
+import (
+	"crypto/rand"
+	"os"
+	"time"
+)
+
+// Creates a random byteslice of `size`
+func MakeRandomByteSlice(size int) ([]byte, error) {
+	byteSlice := make([]byte, size)
+	_, err := rand.Read(byteSlice)
+	if err != nil {
+		return nil, err
+	}
+	return byteSlice, nil
+}
+
+func GenerateTimeSeconds() int64 {
+	current := time.Now()
+	return current.Unix()
+}
+
+func EnsureDirectory(directory string) error {
+	mkdirErr := os.MkdirAll(directory, os.ModePerm)
+	if mkdirErr != nil {
+		return mkdirErr
+	}
+	return nil
+}
diff --git a/internal/verify.go b/internal/verify.go
new file mode 100644
index 0000000..9128777
--- /dev/null
+++ b/internal/verify.go
@@ -0,0 +1,205 @@
+package internal
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/jedisct1/go-minisign"
+)
+
+// getKeys returns keys taken from https://git.sr.ht/~eduvpn/disco.eduvpn.org#public-keys.
+func getKeys() []string {
+	return []string{
+		"RWRtBSX1alxyGX+Xn3LuZnWUT0w//B6EmTJvgaAxBMYzlQeI+jdrO6KF", // fkooman@tuxed.net, kolla@uninett.no
+		"RWQKqtqvd0R7rUDp0rWzbtYPA3towPWcLDCl7eY9pBMMI/ohCmrS0WiM", // RoSp
+	}
+}
+
+// Verify verifies the signature (.minisig file format) on signedJson.
+//
+// expectedFileName must be set to the file type to be verified, either "server_list.json" or "organization_list.json".
+// minSign must be set to the minimum UNIX timestamp (without milliseconds) for the file version.
+// This value should not be smaller than the time on the previous document verified.
+// forcePrehash indicates whether or not we want to force the use of prehashed signatures
+// In the future we want to remove this parameter and only allow prehashed signatures
+//
+// The return value will either be (true, nil) for a valid signature or (false, VerifyError) otherwise.
+//
+// Verify is a wrapper around verifyWithKeys where allowedPublicKeys is set to the list from https://git.sr.ht/~eduvpn/disco.eduvpn.org#public-keys.
+func Verify(signatureFileContent string, signedJson []byte, expectedFileName string, minSignTime uint64, forcePrehash bool) (bool, error) {
+	keyStrs := getKeys()
+	if extraKey != "" {
+		keyStrs = append(keyStrs, extraKey)
+		_, err := fmt.Fprintf(os.Stderr, "INSECURE TEST MODE ENABLED WITH KEY %q\n", extraKey)
+		if err != nil {
+			panic(err)
+		}
+	}
+	valid, err := verifyWithKeys(signatureFileContent, signedJson, expectedFileName, minSignTime, keyStrs, forcePrehash)
+	if err != nil {
+		var verifyCreatePublickeyError *VerifyCreatePublicKeyError
+		if errors.As(err, &verifyCreatePublickeyError) {
+			panic(err) // This should not happen unless keyStrs has an invalid key
+		}
+		return valid, err
+	}
+	return valid, nil
+}
+
+// extraKey is an extra allowed key for testing.
+var extraKey = ""
+
+// InsecureTestingSetExtraKey adds an extra allowed key for verification with Verify.
+// ONLY USE FOR TESTING. Applies to all threads. Probably not thread-safe. Do not call in parallel to Verify.
+//
+// keyString must be a Base64-encoded Minisign key, or empty to reset.
+func InsecureTestingSetExtraKey(keyString string) {
+	extraKey = keyString
+}
+
+type VerifyUnknownExpectedFilenameError struct {
+	Filename string
+	Expected string
+}
+
+func (e *VerifyUnknownExpectedFilenameError) Error() string {
+	return fmt.Sprintf("invalid filename %s, expected %s", e.Filename, e.Expected)
+}
+
+type VerifyInvalidSignatureFormatError struct {
+	Err error
+}
+
+func (e *VerifyInvalidSignatureFormatError) Error() string {
+	return fmt.Sprintf("invalid signature format, error %v", e.Err)
+}
+
+type VerifyInvalidSignatureAlgorithmError struct {
+	Algorithm       string
+	WantedAlgorithm string
+}
+
+func (e *VerifyInvalidSignatureAlgorithmError) Error() string {
+	return fmt.Sprintf("invalid signature algorithm %s, wanted %s", e.Algorithm, e.WantedAlgorithm)
+}
+
+type VerifyCreatePublicKeyError struct {
+	PublicKey string
+	Err       error
+}
+
+func (e *VerifyCreatePublicKeyError) Error() string {
+	return fmt.Sprintf("failed to create public key %s with error %v", e.PublicKey, e.Err)
+}
+
+type VerifyInvalidSignatureError struct {
+	Err error
+}
+
+func (e *VerifyInvalidSignatureError) Error() string {
+	return fmt.Sprintf("invalid signature with error %v", e.Err)
+}
+
+type VerifyInvalidTrustedCommentError struct {
+	TrustedComment string
+	Err            error
+}
+
+func (e *VerifyInvalidTrustedCommentError) Error() string {
+	return fmt.Sprintf("invalid trusted comment %s with error %v", e.TrustedComment, e.Err)
+}
+
+type VerifyWrongSigFilenameError struct {
+	Filename    string
+	SigFilename string
+}
+
+func (e *VerifyWrongSigFilenameError) Error() string {
+	return fmt.Sprintf("wrong filename %s, expected filename %s for signature", e.Filename, e.SigFilename)
+}
+
+type VerifySigTimeEarlierError struct {
+	SigTime    uint64
+	MinSigTime uint64
+}
+
+func (e *VerifySigTimeEarlierError) Error() string {
+	return fmt.Sprintf("Sign time %d is earlier than sign time %d", e.SigTime, e.MinSigTime)
+}
+
+type VerifyUnknownKeyError struct {
+	Filename string
+}
+
+func (e *VerifyUnknownKeyError) Error() string {
+	return fmt.Sprintf("signature for filename %s was created with an unknown key", e.Filename)
+}
+
+// verifyWithKeys verifies the Minisign signature in signatureFileContent (minisig file format) over the server_list/organization_list JSON in signedJson.
+//
+// Verification is performed using a matching key in allowedPublicKeys.
+// The signature is checked to be a Ed25519 Minisign (optionally Ed25519 Blake2b-512 prehashed, see forcePrehash) signature with a valid trusted comment.
+// The file type that is verified is indicated by expectedFileName, which must be one of "server_list.json"/"organization_list.json".
+// The trusted comment is checked to be of the form "timestamp:<timestamp>\tfile:<expectedFileName>", optionally suffixed by something, e.g. "\thashed".
+// The signature is checked to have a timestamp with a value of at least minSignTime, which is a UNIX timestamp without milliseconds.
+//
+// The return value will either be (true, nil) on success or (false, detailedVerifyError) on failure.
+func verifyWithKeys(signatureFileContent string, signedJson []byte, filename string, minSignTime uint64, allowedPublicKeys []string, forcePrehash bool) (bool, error) {
+	switch filename {
+	case "server_list.json", "organization_list.json":
+		break
+	default:
+		return false, &VerifyUnknownExpectedFilenameError{Filename: filename, Expected: "server_list.json or organization_list.json"}
+	}
+
+	sig, err := minisign.DecodeSignature(signatureFileContent)
+	if err != nil {
+		return false, &VerifyInvalidSignatureFormatError{Err: err}
+	}
+
+	// Check if signature is prehashed, see https://jedisct1.github.io/minisign/#signature-format
+	if forcePrehash && sig.SignatureAlgorithm != [2]byte{'E', 'D'} {
+		return false, &VerifyInvalidSignatureAlgorithmError{Algorithm: string(sig.SignatureAlgorithm[:]), WantedAlgorithm: "ED (BLAKE2b-prehashed EdDSA)"}
+	}
+
+	// Find allowed key used for signature
+	for _, keyStr := range allowedPublicKeys {
+		key, err := minisign.NewPublicKey(keyStr)
+		if err != nil {
+			// Should only happen if Verify is wrong or extraKey is invalid
+			return false, &VerifyCreatePublicKeyError{PublicKey: keyStr, Err: err}
+		}
+
+		if sig.KeyId != key.KeyId {
+			continue // Wrong key
+		}
+
+		valid, err := key.Verify(signedJson, sig)
+		if !valid {
+			return false, &VerifyInvalidSignatureError{Err: err}
+		}
+
+		// Parse trusted comment
+		var signTime uint64
+		var sigFileName string
+		// sigFileName cannot have spaces
+		_, err = fmt.Sscanf(sig.TrustedComment, "trusted comment: timestamp:%d\tfile:%s", &signTime, &sigFileName)
+		if err != nil {
+			return false, &VerifyInvalidTrustedCommentError{TrustedComment: sig.TrustedComment, Err: err}
+		}
+
+		if sigFileName != filename {
+			return false, &VerifyWrongSigFilenameError{Filename: filename, SigFilename: sigFileName}
+		}
+
+		if signTime < minSignTime {
+			return false, &VerifySigTimeEarlierError{SigTime: signTime, MinSigTime: minSignTime}
+		}
+
+		return true, nil
+	}
+
+	// No matching allowed key found
+	return false, &VerifyUnknownKeyError{Filename: filename}
+}
diff --git a/internal/verify_test.go b/internal/verify_test.go
new file mode 100644
index 0000000..f980dc2
--- /dev/null
+++ b/internal/verify_test.go
@@ -0,0 +1,140 @@
+package internal
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+func Test_verifyWithKeys(t *testing.T) {
+	var err error
+
+	var pk []string
+	{
+		file, err := os.Open("test_data/public.key")
+		if err != nil {
+			panic(err)
+		}
+		defer file.Close()
+
+		// Get last line (key string) from file
+		scanner := bufio.NewScanner(file)
+		for i := 0; i < 2; i++ {
+			if !scanner.Scan() {
+				panic(scanner.Err())
+			}
+		}
+		pk = []string{scanner.Text()}
+	}
+
+	var (
+		verifyCreatePublicKeyError           *VerifyCreatePublicKeyError
+		verifyInvalidSignatureAlgorithmError *VerifyInvalidSignatureAlgorithmError
+		verifyWrongSigFilenameError          *VerifyWrongSigFilenameError
+		verifyInvalidTrustedCommentError     *VerifyInvalidTrustedCommentError
+		verifyInvalidSignatureFormatError    *VerifyInvalidSignatureFormatError
+		verifyInvalidSignatureError          *VerifyInvalidSignatureError
+		verifySigTimeEarlierError            *VerifySigTimeEarlierError
+		verifyUnknownExpectedFilenameError   *VerifyUnknownExpectedFilenameError
+		verifyUnknownKeyError                *VerifyUnknownKeyError
+	)
+
+	tests := []struct {
+		expectedErr      interface{}
+		testName         string
+		signatureFile    string
+		jsonFile         string
+		expectedFileName string
+		minSignTime      uint64
+		allowedPks       []string
+	}{
+		{&verifyInvalidSignatureAlgorithmError, "pure", "server_list.json.pure.minisig", "server_list.json", "server_list.json", 10, pk},
+
+		{nil, "valid server_list", "server_list.json.minisig", "server_list.json", "server_list.json", 10, pk},
+		{nil, "TC no hashed", "server_list.json.tc_nohashed.minisig", "server_list.json", "server_list.json", 10, pk},
+		{nil, "TC later time", "server_list.json.tc_latertime.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifyWrongSigFilenameError, "server_list TC file:organization_list", "server_list.json.tc_orglist.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifyWrongSigFilenameError, "organization_list as server_list", "organization_list.json.minisig", "organization_list.json", "server_list.json", 10, pk},
+		{&verifyWrongSigFilenameError, "TC file:otherfile", "server_list.json.tc_otherfile.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifySigTimeEarlierError, "TC no file", "server_list.json.tc_nofile.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifySigTimeEarlierError, "TC no time", "server_list.json.tc_notime.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifySigTimeEarlierError, "TC empty time", "server_list.json.tc_emptytime.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifyInvalidSignatureFormatError, "TC empty file", "server_list.json.tc_emptyfile.minisig", "server_list.json", "server_list.json", 10, pk},
+		{&verifyInvalidTrustedCommentError, "TC random", "server_list.json.tc_random.minisig", "server_list.json", "server_list.json", 10, pk},
+		{nil, "large time", "server_list.json.large_time.minisig", "server_list.json", "server_list.json", 43e8, pk},
+		{nil, "lower min time", "server_list.json.minisig", "server_list.json", "server_list.json", 5, pk},
+		{&verifySigTimeEarlierError, "higher min time", "server_list.json.minisig", "server_list.json", "server_list.json", 11, pk},
+
+		{nil, "valid organization_list", "organization_list.json.minisig", "organization_list.json", "organization_list.json", 10, pk},
+		{&verifyWrongSigFilenameError, "organization_list TC file:server_list", "organization_list.json.tc_servlist.minisig", "organization_list.json", "organization_list.json", 10, pk},
+		{&verifyWrongSigFilenameError, "server_list as organization_list", "server_list.json.minisig", "server_list.json", "organization_list.json", 10, pk},
+
+		{&verifyUnknownExpectedFilenameError, "valid other_list", "other_list.json.minisig", "other_list.json", "other_list.json", 10, pk},
+		{&verifyWrongSigFilenameError, "other_list as server_list", "other_list.json.minisig", "other_list.json", "server_list.json", 10, pk},
+
+		{&verifyInvalidSignatureFormatError, "invalid signature file", "random.txt", "server_list.json", "server_list.json", 10, pk},
+		{&verifyInvalidSignatureFormatError, "empty signature file", "empty", "server_list.json", "server_list.json", 10, pk},
+
+		{&verifyUnknownKeyError, "wrong key", "server_list.json.wrong_key.minisig", "server_list.json", "server_list.json", 10, pk},
+
+		{&verifyInvalidSignatureAlgorithmError, "forged pure signature", "server_list.json.forged_pure.minisig", "server_list.json.blake2b", "server_list.json", 10, pk},
+		{&verifyInvalidSignatureError, "forged key ID", "server_list.json.forged_keyid.minisig", "server_list.json", "server_list.json", 10, pk},
+
+		{&verifyUnknownKeyError, "no allowed keys", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{}},
+		{nil, "multiple allowed keys 1", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{
+			pk[0], "RWSf0PYToIUJmDlsz21YOXvgQzHj9NSdyJUqEY5ZdfS9GepeXt3+JJRZ",
+		}},
+		{nil, "multiple allowed keys 2", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{
+			"RWSf0PYToIUJmDlsz21YOXvgQzHj9NSdyJUqEY5ZdfS9GepeXt3+JJRZ", pk[0],
+		}},
+		{&verifyCreatePublicKeyError, "invalid allowed key", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{"AAA"}},
+	}
+
+	// Cache file contents in map, mapping file names to contents
+	files := map[string][]byte{}
+	loadFile := func(name string) {
+		content, loaded := files[name]
+		if !loaded {
+			content, err = ioutil.ReadFile("test_data/" + name)
+			if err != nil {
+				panic(err)
+			}
+			files[name] = content
+		}
+	}
+	for _, test := range tests {
+		loadFile(test.signatureFile)
+		loadFile(test.jsonFile)
+	}
+
+	forcePrehash := true
+	for _, tt := range tests {
+		t.Run(tt.testName, func(t *testing.T) {
+			t.Parallel()
+			valid, err := verifyWithKeys(string(files[tt.signatureFile]), files[tt.jsonFile],
+				tt.expectedFileName, tt.minSignTime, tt.allowedPks, forcePrehash)
+			compareResults(t, valid, err, tt.expectedErr, func() string {
+				return fmt.Sprintf("verifyWithKeys(%q, %q, %q, %v, %v, %t)",
+					tt.signatureFile, tt.jsonFile, tt.expectedFileName, tt.minSignTime, tt.allowedPks, forcePrehash)
+			})
+		})
+	}
+}
+
+// compareResults compares returned ret, err from a verify function with expected error code expected.
+// callStr is called to get the formatted parameters passed to the function.
+func compareResults(t *testing.T, ret bool, err error, expectedErr interface{}, callStr func() string) {
+	// different error returned
+	if expectedErr != nil && !errors.As(err, expectedErr) {
+		t.Errorf("%v\nerror %T = %v, wantErr %T", callStr(), err, err, expectedErr)
+		return
+	}
+	// different boolean returned
+	expectedBool := expectedErr == nil
+	if ret != expectedBool {
+		t.Errorf("%v\n= %v, want %v", callStr(), ret, expectedBool)
+	}
+}
diff --git a/internal/wireguard.go b/internal/wireguard.go
new file mode 100644
index 0000000..4ec12bd
--- /dev/null
+++ b/internal/wireguard.go
@@ -0,0 +1,52 @@
+package internal
+
+import (
+	"fmt"
+	"regexp"
+
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+func wireguardGenerateKey() (wgtypes.Key, error) {
+	key, error := wgtypes.GeneratePrivateKey()
+	return key, error
+}
+
+// FIXME: Instead of doing a regex replace, decide if we should use a parser
+func wireguardConfigAddKey(config string, key wgtypes.Key) string {
+	interface_section := "[Interface]"
+	interface_section_escaped := regexp.QuoteMeta(interface_section)
+
+	// (?m) enables multi line mode
+	// ^ match from beginning of line
+	// $ match till end of line
+	// So it matches [Interface] section exactly
+	interface_re := regexp.MustCompile(fmt.Sprintf("(?m)^%s$", interface_section_escaped))
+	to_replace := fmt.Sprintf("%s\nPrivateKey = %s", interface_section, key.String())
+	return interface_re.ReplaceAllString(config, to_replace)
+}
+
+func (server *Server) WireguardGetConfig() (string, error) {
+	profile_id := server.Profiles.Current
+	wireguardKey, wireguardErr := wireguardGenerateKey()
+
+	if wireguardErr != nil {
+		return "", wireguardErr
+	}
+
+	wireguardPublicKey := wireguardKey.PublicKey().String()
+	configWireguard, _, configErr := server.APIConnectWireguard(profile_id, wireguardPublicKey)
+
+	if configErr != nil {
+		return "", configErr
+	}
+
+	// FIXME: Store expiry
+	// This needs the go code a way to identify a connection
+	// Use the uuid of the connection e.g. on Linux
+	// This needs the client code to call the go code
+
+	configWireguardKey := wireguardConfigAddKey(configWireguard, wireguardKey)
+
+	return configWireguardKey, nil
+}
author	jwijenbergh <jeroenwijenbergh@protonmail.com>	2022-04-22 16:29:59 +0200
committer	jwijenbergh <jeroenwijenbergh@protonmail.com>	2022-04-22 16:29:59 +0200
commit	b1d92b395322f2164ccfb44b0f7caebbaece6b62 (patch)
tree	2133e4045b4af4d07a98674b7ae3a234670f0305 /internal
parent	3a4ae2942b43923ff98fd2eca8878c3cf145686c (diff)