mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
Allow specifying a PIN and SRK PIN in the config file
That pin will be used to decrypt encrypted key files as well.
This commit is contained in:
Nikos Mavrogiannopoulos
@@ -94,6 +94,45 @@ socket-file = /var/run/ocserv-socket
|
||||
# The default server directory. Does not require any devices present.
|
||||
#chroot-dir = /path/to/chroot
|
||||
|
||||
# The key and the certificates of the server
|
||||
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||
#
|
||||
# The server-cert file may contain a single certificate, or
|
||||
# a sorted certificate chain.
|
||||
#
|
||||
# There may be multiple server-cert and server-key directives,
|
||||
# but each key should correspond to the preceding certificate.
|
||||
server-cert = ../tests/server-cert.pem
|
||||
server-key = ../tests/server-key.pem
|
||||
|
||||
# Diffie-Hellman parameters. Only needed if you require support
|
||||
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||
# Can be generated using:
|
||||
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||
#dh-params = /path/to/dh.pem
|
||||
|
||||
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
|
||||
# in files. The srk-pin-file is applicable to TPM keys only, and is the
|
||||
# storage root key.
|
||||
#pin-file = /path/to/pin.txt
|
||||
#srk-pin-file = /path/to/srkpin.txt
|
||||
|
||||
# The password or PIN needed to unlock the key in server-key file.
|
||||
# Only needed if the file is encrypted or a PKCS #11 object. This
|
||||
# is an alternative method to pin-file.
|
||||
#key-pin = 1234
|
||||
|
||||
# The SRK PIN for TPM.
|
||||
# This is an alternative method to srk-pin-file.
|
||||
#srk-pin = 1234
|
||||
|
||||
# The Certificate Authority that will be used to verify
|
||||
# client certificates (public keys) if certificate authentication
|
||||
# is set.
|
||||
ca-cert = ../tests/ca.pem
|
||||
|
||||
|
||||
### All configuration options below this line are reloaded on a SIGHUP.
|
||||
### The options above, will remain unchanged.
|
||||
@@ -150,25 +189,6 @@ mobile-dpd = 1800
|
||||
# MTU discovery (DPD must be enabled)
|
||||
try-mtu-discovery = false
|
||||
|
||||
# The key and the certificates of the server
|
||||
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||
#
|
||||
# The server-cert file may contain a single certificate, or
|
||||
# a sorted certificate chain.
|
||||
#
|
||||
# There may be multiple server-cert and server-key directives,
|
||||
# but each key should correspond to the preceding certificate.
|
||||
server-cert = ../tests/server-cert.pem
|
||||
server-key = ../tests/server-key.pem
|
||||
|
||||
# Diffie-Hellman parameters. Only needed if you require support
|
||||
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||
# Can be generated using:
|
||||
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||
#dh-params = /path/to/dh.pem
|
||||
|
||||
# If you have a certificate from a CA that provides an OCSP
|
||||
# service you may provide a fresh OCSP status response within
|
||||
# the TLS handshake. That will prevent the client from connecting
|
||||
@@ -178,17 +198,6 @@ server-key = ../tests/server-key.pem
|
||||
# Make sure that you replace the following file in an atomic way.
|
||||
#ocsp-response = /path/to/ocsp.der
|
||||
|
||||
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||
# in files. The srk-pin-file is applicable to TPM keys only, and is the
|
||||
# storage root key.
|
||||
#pin-file = /path/to/pin.txt
|
||||
#srk-pin-file = /path/to/srkpin.txt
|
||||
|
||||
# The Certificate Authority that will be used to verify
|
||||
# client certificates (public keys) if certificate authentication
|
||||
# is set.
|
||||
ca-cert = ../tests/ca.pem
|
||||
|
||||
# The object identifier that will be used to read the user ID in the client
|
||||
# certificate. The object identifier should be part of the certificate's DN
|
||||
# Useful OIDs are:
|
||||
|
||||
@@ -93,7 +93,9 @@ static struct cfg_options available_options[] = {
|
||||
{ .name = "server-key", .type = OPTION_STRING, .mandatory = 1 },
|
||||
{ .name = "dh-params", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "pin-file", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "key-pin", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "srk-pin-file", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "srk-pin", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "user-profile", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "ca-cert", .type = OPTION_STRING, .mandatory = 0 },
|
||||
{ .name = "default-domain", .type = OPTION_STRING, .mandatory = 0 },
|
||||
@@ -660,6 +662,9 @@ size_t urlfw_size = 0;
|
||||
READ_STRING("srk-pin-file", perm_config->srk_pin_file);
|
||||
READ_STRING("ca-cert", perm_config->ca);
|
||||
|
||||
READ_STRING("key-pin", perm_config->key_pin);
|
||||
READ_STRING("srk-pin", perm_config->srk_pin);
|
||||
|
||||
PREAD_STRING(perm_config, "socket-file", perm_config->socket_file_prefix);
|
||||
PREAD_STRING(perm_config, "occtl-socket-file", perm_config->occtl_socket_file);
|
||||
if (perm_config->occtl_socket_file == NULL)
|
||||
|
||||
@@ -190,12 +190,21 @@ server-key = /path/to/key.pem
|
||||
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||
#dh-params = /path/to/dh.pem
|
||||
|
||||
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
|
||||
# in files. The srk-pin-file is applicable to TPM keys only, and is the
|
||||
# storage root key.
|
||||
#pin-file = /path/to/pin.txt
|
||||
#srk-pin-file = /path/to/srkpin.txt
|
||||
|
||||
# The password or PIN needed to unlock the key in server-key file.
|
||||
# Only needed if the file is encrypted or a PKCS #11 object. This
|
||||
# is an alternative method to pin-file.
|
||||
#key-pin = 1234
|
||||
|
||||
# The SRK PIN for TPM.
|
||||
# This is an alternative method to srk-pin-file.
|
||||
#srk-pin = 1234
|
||||
|
||||
# The Certificate Authority that will be used to verify
|
||||
# client certificates (public keys) if certificate authentication
|
||||
# is set.
|
||||
|
||||
@@ -165,6 +165,14 @@ int load_pins(struct perm_cfg_st *config, struct pin_st *s)
|
||||
s->pin[ret] = 0;
|
||||
}
|
||||
|
||||
if (config->key_pin != NULL) {
|
||||
strlcpy(s->pin, config->key_pin, sizeof(s->pin));
|
||||
}
|
||||
|
||||
if (config->srk_pin != NULL) {
|
||||
strlcpy(s->srk_pin, config->srk_pin, sizeof(s->srk_pin));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -689,6 +697,12 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
|
||||
gnutls_privkey_import_x509_raw(sec->key[i], &data,
|
||||
GNUTLS_X509_FMT_PEM,
|
||||
NULL, 0);
|
||||
if (ret == GNUTLS_E_DECRYPTION_FAILED && pins.pin[0]) {
|
||||
ret =
|
||||
gnutls_privkey_import_x509_raw(sec->key[i], &data,
|
||||
GNUTLS_X509_FMT_PEM,
|
||||
pins.pin, 0);
|
||||
}
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
gnutls_free(data.data);
|
||||
|
||||
Reference in New Issue
Block a user