Support IPsec with certificates.

TEST=ipsec_manager_test and invoking l2tpipsec_vpn on system with custom

Create a request:

pkcs11-tool --module=/usr/lib/opencryptoki/ -l -k -d 07 -a vpn --key-type rsa:2048

Copy /etc/entd/openssl.conf and update it with the user PIN.

openssl req -config openssl.conf -engine pkcs11 -new -keyform engine -out ~/req.pem -subj "/CN=localhost" -key slot_0-id_07

(Sign the requset on the VPN server.)

Install the new certificate:

openssl x509 -in tpm.pem -out tpm.der -outform DER

pkcs11-tool --module=/usr/lib/opencryptoki/ -l -d 07 -a vpn -w ~/tpm.der -y cert

Set the permissions:

add pkcs11 to ipsec in /etc/group
chgrp pkcs11 /home/chronos/user
chmod 750 /home/chronos/user
chmod 750 /home/chronos/user/.tpm
cd /home/chronos/user/.tpm
chmod 640 NVTOK.DAT P*
chmod 640 *
chgrp pkcs11 *
cd /var/lib/opencryptoki/tpm
ln -s /home/chronos/user/.tpm ipsec
chgrp pkcs11 ipsec

Change-Id: Idab3e80824562a97c16adc514211e267354b6f96
6 files changed