)]}' { "commit": "4809f61a6835f95c0e70c5d138a2a38d56542b1c", "tree": "4f2d827c9eeba0d33840aa6b3d95162c0f52c461", "parents": [ "c1578ee8060bae5b43ec792a41cfd5359773f8cc" ], "author": { "name": "James Simonsen", "email": "simonjam@chromium.org", "time": "Wed May 04 18:39:44 2011" }, "committer": { "name": "James Simonsen", "email": "simonjam@chromium.org", "time": "Thu May 05 00:02:12 2011" }, "message": "Support IPsec with certificates.\n\nBUG\u003d12695\nTEST\u003dipsec_manager_test and invoking l2tpipsec_vpn on system with custom\npermissions.\n\nCreate a request:\n\npkcs11-tool --module\u003d/usr/lib/opencryptoki/libopencryptoki.so.0 -l -k -d 07 -a vpn --key-type rsa:2048\n\nCopy /etc/entd/openssl.conf and update it with the user PIN.\n\nopenssl req -config openssl.conf -engine pkcs11 -new -keyform engine -out ~/req.pem -subj \"/CN\u003dlocalhost\" -key slot_0-id_07\n\n(Sign the request on the VPN server.)\n\nInstall the new certificate:\n\nopenssl x509 -in tpm.pem -out tpm.der -outform DER\n\npkcs11-tool --module\u003d/usr/lib/opencryptoki/libopencryptoki.so.0 -l -d 07 -a vpn -w ~/tpm.der -y cert\n\nSet the permissions:\n\nadd pkcs11 to ipsec in /etc/group\nchgrp pkcs11 /home/chronos/user\nchmod 750 /home/chronos/user\nchmod 750 /home/chronos/user/.tpm\ncd /home/chronos/user/.tpm\nchmod 640 NVTOK.DAT P*\ncd TOK_OBJ\nchmod 640 *\nchgrp pkcs11 *\ncd /var/lib/opencryptoki/tpm\nln -s /home/chronos/user/.tpm ipsec\nchgrp pkcs11 ipsec\n\nChange-Id: Idab3e80824562a97c16adc514211e267354b6f96\n", "tree_diff": [ { "type": "modify", "old_id": "c2f44e411da79d93fd07e58e8cf1e52a3fa1634a", "old_mode": 33188, "old_path": "Makefile", "new_id": "5c77a38d2c9dea6f1fd75e42666539b4a6b80476", "new_mode": 33188, "new_path": "Makefile" }, { "type": "modify", "old_id": "73e39660a6b8549115ac23830071a387e6a04642", "old_mode": 33188, "old_path": "ipsec_manager.cc", "new_id": "4b2bb004fc07932e3b94568bbe4d45e79414db6f", "new_mode": 33188, "new_path": "ipsec_manager.cc" }, { "type": "modify", 
"old_id": "7334405778b75ada9d6a32785b90aaef370d6822", "old_mode": 33188, "old_path": "ipsec_manager.h", "new_id": "038493b92eda319773ea507c2c3730134a647ba3", "new_mode": 33188, "new_path": "ipsec_manager.h" }, { "type": "modify", "old_id": "0e67a9cda054cb295941d1b27b3f73c0e7523cb5", "old_mode": 33188, "old_path": "ipsec_manager_test.cc", "new_id": "f27a45a2d16957ac8ec7d66f719d07d56f6aae0b", "new_mode": 33188, "new_path": "ipsec_manager_test.cc" }, { "type": "modify", "old_id": "d9264dcec233f7a63d957617d04b04c689743712", "old_mode": 33188, "old_path": "l2tpipsec_vpn.cc", "new_id": "54c362fba94249f69c28cf37f47594a0da01d4b1", "new_mode": 33188, "new_path": "l2tpipsec_vpn.cc" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "30c18f45d07a47e376bb026729b6be1785ce880b", "new_mode": 33188, "new_path": "testdata/cacert.der" } ] }