From 3a5d46653d0bc0bc9d9ff7f67bcd4f594aa19d80 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 20 Mar 2022 02:49:09 -0500
Subject: [PATCH] Update IKEv2 script
- Add a workaround for Ubuntu 22.04 "password is incorrect" issue when importing IKEv2 client config files into iOS and macOS devices.
- Ubuntu 22.04 uses OpenSSL 3, which has a default "openssl pkcs12" encoding algorithm that is incompatible with iOS and macOS devices. Ref: https://developer.apple.com/forums/thread/697030?answerId=701291022#701291022
---
extras/ikev2setup.sh | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 34c1c35..7c089d3 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -745,6 +745,22 @@ export_p12_file() {
 -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
 fi
 /bin/rm -f "$pem_file"
+ elif [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "bookwormsid" ]; then
+ ca_crt="$export_dir$client_name.ca.crt"
+ client_crt="$export_dir$client_name.client.crt"
+ client_key="$export_dir$client_name.client.key"
+ pem_file="$export_dir$client_name.temp.pem"
+ openssl pkcs12 -in "$p12_file_enc" -passin "pass:$p12_password" -cacerts -nokeys -out "$ca_crt" || exit 1
+ openssl pkcs12 -in "$p12_file_enc" -passin "pass:$p12_password" -clcerts -nokeys -out "$client_crt" || exit 1
+ openssl pkcs12 -in "$p12_file_enc" -passin "pass:$p12_password" -passout "pass:$p12_password" -nocerts -out "$client_key" || exit 1
+ cat "$client_key" "$client_crt" "$ca_crt" > "$pem_file"
+ openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
+ -legacy -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
+ if [ "$use_config_password" = "0" ]; then
+ openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
+ -legacy -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
+ fi
+ /bin/rm -f "$ca_crt" "$client_crt" "$client_key" "$pem_file"
 elif [ "$use_config_password" = "0" ]; then
 pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
 fi
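Review bot: The four intermediate files created in the new `elif` branch (`$ca_crt`, `$client_crt`, `$client_key`, `$pem_file`) are removed only on the success path, because each `openssl` step ends in `|| exit 1` before the final `/bin/rm -f` is reached. A failed step therefore leaves the extracted client key (passphrase-protected, but still key material) and certificates behind in `$export_dir`. Ending those steps with `|| { /bin/rm -f "$ca_crt" "$client_crt" "$client_key" "$pem_file"; exit 1; }` would clean up on failure as well, and the `cat ... > "$pem_file"` line, the only step without a check, should get the same guard. A short comment above the branch, such as `# OpenSSL 3's default PKCS#12 encryption is rejected by iOS/macOS, so re-export with legacy PBE-SHA1-3DES`, would record that the weaker algorithm is a deliberate compatibility choice. `export_p12_file` starts and ends outside this hunk, so any cleanup that exists elsewhere in the function is not visible here.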