Support IPsec with certificates.
BUG=12695
TEST=ipsec_manager_test and invoking l2tpipsec_vpn on system with custom
permissions.
Create a request:
pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -k -d 07 -a vpn --key-type rsa:2048
Copy /etc/entd/openssl.conf and update it with the user PIN.
openssl req -config openssl.conf -engine pkcs11 -new -keyform engine -out ~/req.pem -subj "/CN=localhost" -key slot_0-id_07
(Sign the request on the VPN server.)
Install the new certificate:
openssl x509 -in tpm.pem -out tpm.der -outform DER
pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -d 07 -a vpn -w ~/tpm.der -y cert
Set the permissions:
add pkcs11 to ipsec in /etc/group
chgrp pkcs11 /home/chronos/user
chmod 750 /home/chronos/user
chmod 750 /home/chronos/user/.tpm
cd /home/chronos/user/.tpm
chmod 640 NVTOK.DAT P*
cd TOK_OBJ
chmod 640 *
chgrp pkcs11 *
cd /var/lib/opencryptoki/tpm
ln -s /home/chronos/user/.tpm ipsec
chgrp pkcs11 ipsec
Change-Id: Idab3e80824562a97c16adc514211e267354b6f96
6 files changed
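Added example, not part of this change or the Chromium OS tree: a POSIX sh function (assumes GNU coreutils stat) that audits a token directory against the layout the permission steps above produce, so a misapplied chmod/chgrp that leaves key material readable by other users is reported rather than silently accepted.

```shell
# Expected layout from the steps above: token dir 750, NVTOK.DAT and P* 640,
# everything under TOK_OBJ 640, all group-owned by the group ipsec belongs to.
# Usage: audit_tpm_token /home/chronos/user/.tpm pkcs11
# Prints one line per violation; returns 0 when the layout matches, 1 otherwise.
audit_tpm_token() {
    tok="$1"
    grp="$2"
    rc=0

    # _chk <path> <expected-octal-mode> <expected-group>   (GNU stat assumed)
    _chk() {
        actual=$(stat -c '%a %G' "$1" 2>/dev/null) || { echo "missing: $1"; rc=1; return; }
        [ "$actual" = "$2 $3" ] || { echo "bad: $1 has '$actual', want '$2 $3'"; rc=1; }
    }

    _chk "$tok" 750 "$grp"
    _chk "$tok/NVTOK.DAT" 640 "$grp"
    # P* files (public token data) must be group-readable only, like NVTOK.DAT
    for f in "$tok"/P*; do
        [ -e "$f" ] && _chk "$f" 640 "$grp"
    done
    [ -d "$tok/TOK_OBJ" ] || { echo "missing: $tok/TOK_OBJ"; rc=1; }
    # every stored object (keys, certificate) in TOK_OBJ: 640, same group
    for f in "$tok"/TOK_OBJ/*; do
        [ -e "$f" ] && _chk "$f" 640 "$grp"
    done
    return "$rc"
}
```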