On Mon, Jan 12, 2015 at 13:54 +0100, Arne Schwabe wrote:
>
> On 12.01.15 12:45, David Woodhouse wrote:
> > On Mon, 2015-01-12 at 11:51 +0300, Vasily Kulikov wrote:
> >> This patch adds support for using certificates stored in the Mac OSX
> >> Keychain to authenticate with the OpenVPN server. This works with
> >> certificates stored on the computer as well as certificates on hardware
> >> tokens that support Apple's tokend interface. The patch is based on
> >> the Windows Crypto API certificate functionality that currently exists
> >> in OpenVPN.
>
> I wonder why only certificates and not CA certificates. It would be
> logical to get all certificates from the keychain.

A user tells keychain-mcd which keychain identity to use for openvpn. The identity contains a certificate and a private key (which might be non-extractable). The CA is not related to this identity. It can be added to keychain-mcd and openvpn, but a user should pass another certificate match string for the CA.

> >>
> >> This patch version implements a management client which handles the rsa_sign
> >> command for RSA offloading.
> >
> > FWIW we really ought to be supporting key types other than RSA by now.
> > But I appreciate that's not a new limitation and not your fault.
>
> Well, although rsa-sign at the moment probably only supports RSA (it is
> implemented using rsa_method iirc) the API is not rsa specific. It is
> just: "Please sign this hash with the private key". In the case of an
> RSA certificate this happens to be RSA encrypt in ECB mode with PKCS#1
> padding.

Right. And my patch is not specific to RSA either. It uses the generic Mac OS X API, which should work with any key type:

SecIdentityCopyPrivateKey()
SecKeyRawSign()

--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
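As an added illustration (not part of this thread, and not code from keychain-mcd or OpenVPN) of what the rsa_sign offload described above amounts to for an RSA key: the management client receives an already-hashed value, applies PKCS#1 v1.5 type-1 padding and performs the raw private-key operation. The SHA-256 DigestInfo wrapping and the key (two Mersenne primes, a deliberately weak constructed toy) are assumptions of this example, not details from the patch.

```python
"""Added illustration of the rsa_sign offload for an RSA identity.
Not from the thread or the patch; the key below is a CONSTRUCTED toy
(Mersenne primes), unsuitable for any real use."""
import hashlib

# Constructed toy RSA key: small, predictable primes chosen only so the
# example runs offline without a key generator. Never use such a key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (assumed hash for this example).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    """Hash the message and DER-wrap it, the form the signer is handed."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def pkcs1_v15_type1_pad(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block: 0x00 0x01 FF..FF 0x00 || data, k bytes long."""
    if len(data) > k - 11:
        raise ValueError("digest too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data


def rsa_sign_offload(digest: bytes) -> bytes:
    """What the management client does for rsa_sign: pad the hash, then
    'RSA encrypt with the private key' on that single block."""
    em = pkcs1_v15_type1_pad(digest, K)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Peer side with the public key: undo the private-key operation and
    compare the recovered block with the expected padded digest."""
    if len(signature) != K:
        return False
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return em == pkcs1_v15_type1_pad(digest_info(message), K)


if __name__ == "__main__":
    msg = b"constructed handshake transcript"  # constructed sample input
    sig = rsa_sign_offload(digest_info(msg))
    print("signature bytes:", len(sig), "verifies:", verify(msg, sig))
```

The signer never sees the message itself, only the padded hash; that is why the same management command can front a non-RSA key, where the padding and private-key step are simply different.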