On Mon, Jan 12, 2015 at 13:54 +0100, Arne Schwabe wrote:
> 
> Am 12.01.15 12:45, schrieb David Woodhouse:
> > On Mon, 2015-01-12 at 11:51 +0300, Vasily Kulikov wrote:
> >> This patch adds support for using certificates stored in the Mac OSX
> >> Keychain to authenticate with the OpenVPN server.  This works with
> >> certificates stored on the computer as well as certificates on hardware
> >> tokens that support Apple's tokend interface.  The patch is based on
> >> the Windows Crypto API certificate functionality that currently exists
> >> in OpenVPN.
> 
> I wonder why only certificates and not CA certificates. It would be
> logical to get all certificates from the keychain.

A user tells keychain-mcd which keychain identity to use for openvpn.
The identity contains a certificate and a private key (might be
non-extractable).  CA is not related to this identity.  It can be added
to keychain-mcd and openvpn but a user should pass another certificate
match string for CA.

> >>
> >> This patch version implements management client which handles rsa_sign
> >> command for RSA offloading. 
> > FWIW we really ought to be supporting key types other than RSA by now.
> > But I appreciate that's not a new limitation and not your fault.
> 
> Well although rsa-sign at the moment probably only supports RSA (it is
> implemented using rsa_method iirc) the API is not rsa specific. It is
> just: "Please sign this hash with the private key". In the case of an
> RSA certificate this happens to be RSA encrypt in ECB mode with PKCS#1
> padding.

Right.  And my patch is not specific to RSA either.  It uses a generic Mac OS X
API which should work with any key type:

    SecIdentityCopyPrivateKey()
    SecKeyRawSign()

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
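As an added example (not code from this thread or from the keychain-mcd patch) of the "please sign this hash with the private key" exchange discussed above: a Go sketch of the management-client side, with crypto/rsa standing in for SecKeyRawSign(). The `>RSA_SIGN:` / `rsa-sig` / `END` framing is assumed from the OpenVPN 2.3 management interface, and the payload is a constructed placeholder, not a real handshake digest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
	"strings"
)
// handleRSASign is the management-client side of the rsa-sign offload: it takes a
// ">RSA_SIGN:<base64>" notification (framing assumed from OpenVPN 2.3), signs the
// payload and frames the reply. Only the signature crosses the channel, never the key.
func handleRSASign(line string, key *rsa.PrivateKey) (string, error) {
	const prefix = ">RSA_SIGN:"
	if !strings.HasPrefix(line, prefix) {
		return "", fmt.Errorf("not an RSA_SIGN notification: %q", line)
	}
	data, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[len(prefix):]))
	if err != nil {
		return "", fmt.Errorf("bad base64 in RSA_SIGN: %w", err)
	}
	// crypto.Hash(0) = "sign these bytes as-is" with PKCS#1 v1.5 type-1 padding: the payload
	// is already the handshake digest, so it must not be hashed or DigestInfo-prefixed again.
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.Hash(0), data)
	if err != nil {
		return "", err
	}
	return "rsa-sig\n" + base64.StdEncoding.EncodeToString(sig) + "\nEND\n", nil
}

// verifyReply checks an rsa-sig reply against the payload with the certificate's public key.
func verifyReply(reply string, payload []byte, pub *rsa.PublicKey) error {
	lines := strings.Split(strings.TrimSpace(reply), "\n")
	if len(lines) != 3 || lines[0] != "rsa-sig" || lines[2] != "END" {
		return fmt.Errorf("malformed rsa-sig reply")
	}
	sig, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.Hash(0), payload, sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	payload := []byte("constructed stand-in for the TLS handshake digest") // not real data
	reply, _ := handleRSASign(">RSA_SIGN:"+base64.StdEncoding.EncodeToString(payload), key)
	fmt.Printf("%sverify: %v\n", reply, verifyReply(reply, payload, &key.PublicKey))
}
```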
