Hi,

On Sun, Feb 15, 2015 at 23:01 +0100, Gert Doering wrote:
> Hi,
> 
> On Sun, Feb 15, 2015 at 10:05:07PM +0100, Arne Schwabe wrote:
> > Am 24.01.15 um 18:04 schrieb Vasily Kulikov:
> [..]
> > > OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when
> > > --management-external-cert is used.  It is implemented as a multiline
> > > command very similar to an existing 'RSA-SIGN' command.
> > >
> > > The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.
> > ACK from me to the OpenVPN part. I also tested the patch in OpenVPN for
> > Android and the RSA-SIGN still works as expected. I have not reviewed
> > the OS X contrib program (other than a quick glance at the code) but I
> > think that, marked as contrib, it should still be allowed to be included.
> 
> I hear Arne, and James also ACKed this ("based on testing", which Arne
> did).
> 
> I'm not merging it yet, though - Vasily, please provide a v4 of the patch
> that adds:
> 
>  - documentation of --management-external-cert in doc/openvpn.8
>  - documentation of the new management command and response in 
>    doc/management-notes.txt
>  - fix the typos in the options here (please fix the other one, too):
> 
> @@ -2221,6 +2230,8 @@ options_postprocess_verify_ce (const struct options 
> *optio
> ns, const struct conne
>  #ifdef MANAGMENT_EXTERNAL_KEY
>            if (options->management_flags & MF_EXTERNAL_KEY)
>             msg(M_USAGE, "Parameter --external-management-key cannot be used 
> whe
> n --pkcs12 is also specified."); 
> +          if (options->management_flags & MF_EXTERNAL_CERT)
> +           msg(M_USAGE, "Parameter --external-management-cert cannot be used 
> wh
> en --pkcs12 is also specified.");
>  #endif
>  #endif
>          }
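Review bot: the two added `+` lines carry the same option-name typo as the existing line above them: the usage message says "--external-management-cert" although the option being introduced is --management-external-cert, so the string should read "Parameter --management-external-cert cannot be used when --pkcs12 is also specified." (and the neighbouring "--external-management-key" message should be corrected the same way). Note also that the new MF_EXTERNAL_CERT check sits inside the existing `#ifdef MANAGMENT_EXTERNAL_KEY` block, so it is only compiled when the external-key feature is enabled; that is fine if the external-cert feature depends on that build flag, but it is worth confirming.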
> 
> ... it's "--management-external-*", not "--external-management-*".
> 
> With that, I'll merge right away :-)

I've implemented the changes above, but haven't sent the patch yet.  While
talking with Jonathan Bullard we identified that with the current design
it is very hard to implement simple identity template passing
independently of the GUI implementation.  Currently the identity template
is passed to keychain-mcd, leaving openvpn itself aside, and thus the
openvpn configuration file doesn't contain the identity template.
Tunnelblick or another GUI has to start keychain-mcd and pass the identity
template itself.  The way a user notifies TB/openvpn what identity
template to use is TB-dependent: it can be e.g. storing the
XXX-keychain-identityTemplate preference in the Info.plist file inside the
.tblk directory.  Another GUI might use a different configuration method
and thus store the identity template in some other place.  It would be
better to have a single GUI-independent way of configuring keychain-mcd.

Jonathan suggested the following method.  --management-external-cert has
a single argument, the identity template.  This template is passed as-is
to the management interface client as an argument to the NEED-CERTIFICATE
request.  The management interface client parses this string and chooses
an identity based on the argument.  In this case the argument is an opaque
value which is simply passed to a management interface client, which
handles it as it likes (or ignores it).  Also, the argument can be used
with an arbitrary management interface client, not only keychain-mcd.

We can restrict the format of XXX in the '--management-external-cert XXX'
option argument a bit.  It can consist of two parts, e.g.:

    --management-external-cert 'macosx-keychain:SUBJECT:c=US'

The first part is a hint for how the management client should handle the
argument.  In the case of keychain-mcd, it parses the argument, checks
whether it starts with 'macosx-keychain:', and uses the rest of the
argument as the identity template.

If the change is implemented, the openvpn config can contain all the
information needed to start an openvpn connection.  A user has to start
openvpn with the config file and to start keychain-mcd.  Specifically, the
config would contain a line like the following:

    management-external-cert 'macosx-keychain:SUBJECT:c=US'

With the approach in patch v3 a user has to start openvpn with the
config file, start keychain-mcd, and pass the identity template as an
argument to keychain-mcd.

What do you think of the change?

Thanks,

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
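The hint-plus-template argument handling proposed in the message above, as an added illustration that is not part of the thread or of keychain-mcd's own code. It assumes the notification reaches the client as a line of the form '>NEED-CERTIFICATE:<argument>' (the thread only says the command resembles RSA-SIGN, so that wire form is an assumption) and treats everything after the hint as an opaque template, as the proposal describes.

```python
import re
from typing import Optional, Tuple

# Hint that keychain-mcd would recognise (from the proposal); any other hint
# is meant for some other management client and is ignored here.
KEYCHAIN_HINT = "macosx-keychain"

# Assumed wire form of the notification; not specified in the thread.
_NEED_CERT_RE = re.compile(r"^>NEED-CERTIFICATE:(.*)$")


def parse_external_cert_arg(arg: str) -> Tuple[Optional[str], str]:
    """Split the --management-external-cert argument into (hint, template).

    The hint is everything before the first ':'; the template is the rest and
    is kept opaque (it may itself contain ':' as in 'SUBJECT:c=US').  An
    argument without ':' carries no hint and is returned whole as the template.
    """
    if ":" not in arg:
        return None, arg
    hint, template = arg.split(":", 1)
    return hint, template


def identity_template_for_keychain(arg: str) -> Optional[str]:
    """What keychain-mcd would do with the argument: use the template only when
    the hint is 'macosx-keychain' and a non-empty template follows it."""
    hint, template = parse_external_cert_arg(arg)
    if hint != KEYCHAIN_HINT or not template:
        return None  # other client's hint, no hint at all, or empty template
    return template


def handle_management_line(line: str) -> Optional[str]:
    """Process one line read from the management interface.  Returns the
    identity template to look up when the line is a NEED-CERTIFICATE
    notification addressed to the keychain client, otherwise None."""
    m = _NEED_CERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return identity_template_for_keychain(m.group(1))


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real session.
    for sample in (">INFO:OpenVPN Management Interface",
                   ">NEED-CERTIFICATE:macosx-keychain:SUBJECT:c=US",
                   ">NEED-CERTIFICATE:pkcs11:token=example"):
        print(repr(sample), "->", handle_management_line(sample))
```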
