Am 12.01.15 12:45, schrieb David Woodhouse:
> On Mon, 2015-01-12 at 11:51 +0300, Vasily Kulikov wrote:
>> This patch adds support for using certificates stored in the Mac OSX
>> Keychain to authenticate with the OpenVPN server.  This works with
>> certificates stored on the computer as well as certificates on hardware
>> tokens that support Apple's tokend interface.  The patch is based on
>> the Windows Crypto API certificate functionality that currently exists
>> in OpenVPN.

I wonder why only certificates and not CA certificates. It would be
logical to get all certificates from the keychain.
>>
>> This patch version implements management client which handles rsa_sign
>> command for RSA offloading. 
> FWIW we really ought to be supporting key types other than RSA by now.
> But I appreciate that's not a new limitation and not your fault.

Well, although rsa-sign at the moment probably only supports RSA (it is
implemented using rsa_method iirc) the API is not RSA specific. It is
just: "Please sign this hash with the private key". In the case of an
RSA certificate this happens to be RSA encrypt in ECB mode with PKCS#1
padding.

I am not sure if there is an equivalent of rsa_method for EC in OpenSSL
or if you have to use the engine functionality of OpenSSL for EC.
> It would be interesting to get feedback from those working on
> NetworkManager-openvpn, which may well want to use this API to allow key
> operations to happen in the user's session while OpenVPN is running as
> root.

