Google Git
Sign in
chromium / chromiumos / platform / vpn-manager / 4809f61a6835f95c0e70c5d138a2a38d56542b1c
commit4809f61a6835f95c0e70c5d138a2a38d56542b1c[log] [tgz]
authorJames Simonsen <simonjam@chromium.org>Wed May 04 18:39:44 2011
committerJames Simonsen <simonjam@chromium.org>Thu May 05 00:02:12 2011
tree4f2d827c9eeba0d33840aa6b3d95162c0f52c461
parentc1578ee8060bae5b43ec792a41cfd5359773f8cc [diff]
Support IPsec with certificates.

BUG=12695
TEST=ipsec_manager_test and invoking l2tpipsec_vpn on system with custom
permissions.

Create a request:

pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -k -d 07 -a vpn --key-type rsa:2048

Copy /etc/entd/openssl.conf and update it with the user PIN.

openssl req -config openssl.conf -engine pkcs11 -new -keyform engine -out ~/req.pem -subj "/CN=localhost" -key slot_0-id_07

(Sign the requset on the VPN server.)

Install the new certificate:

openssl x509 -in tpm.pem -out tpm.der -outform DER

pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -d 07 -a vpn -w ~/tpm.der -y cert

Set the permissions:

add pkcs11 to ipsec in /etc/group
chgrp pkcs11 /home/chronos/user
chmod 750 /home/chronos/user
chmod 750 /home/chronos/user/.tpm
cd /home/chronos/user/.tpm
chmod 640 NVTOK.DAT P*
cd TOK_OBJ
chmod 640 *
chgrp pkcs11 *
cd /var/lib/opencryptoki/tpm
ln -s /home/chronos/user/.tpm ipsec
chgrp pkcs11 ipsec

Change-Id: Idab3e80824562a97c16adc514211e267354b6f96
6 files changed
tree: 4f2d827c9eeba0d33840aa6b3d95162c0f52c461
  1. bin/
  2. testdata/
  3. inherit-review-settings-ok
  4. ipsec_manager.cc
  5. ipsec_manager.h
  6. ipsec_manager_test.cc
  7. l2tp_manager.cc
  8. l2tp_manager.h
  9. l2tp_manager_test.cc
  10. l2tpipsec_vpn.cc
  11. LICENSE
  12. Makefile
  13. README
  14. service_manager.cc
  15. service_manager.h
  16. service_manager_test.cc