Re: Adding basic OpenVPN PKCS#11 support



I did a first patch which used a naive approach and just added support for specifying the pkcs11-providers and pkcs11-id in the GUI. This works but is not elegant or user friendly and requires that openvpn plays nicely with the desired pkcs#11 provider. In practice this is often a big problem.

After some more reading and investigating I think it is better to do all the pkcs#11 operations outside openvpn. This is what the openvpn developers seem to desire and it neatly sidesteps all the issues we have with bad support for various pkcs#11 libraries in openvpn. Openvpn already supports offloading these operations via the management interface.

We can use the builtin pkcs#11 support in the cert_chooser so the UI is fairly simple to implement. The nm-openvpn-service is already responsible for talking to the management interface of openvpn so that has to support the new requests. But the question is where to put the code which does the actual pkcs#11 requests. My initial idea is to use the Gnome pkcs11 support and put the code in the auth-dialog program. Does that sound like a good idea?

On Tue, Apr 2, 2019 at 7:39 PM Thomas Haller <thaller redhat com> wrote:
On Tue, 2019-03-26 at 08:41 +0100, Martin Forssen via networkmanager-list wrote:
> Hello,
>
> I have the need to run OpenVPN with PKCS#11 hardware certificates on
> Linux. This does currently not seem to be possible with
> NetworkManager.
>
> I have looked around a bit and realize this is a can of worms. The
> nice clean solution would require changes to OpenVPN, which so far
> seems to be hard to get merged.
>
> So my plan right now is to take the simplest possible approach and
> just add text fields where one can enter pkcs11-providers and pkcs11-
> id (and of course support for importing these values).
>
> My question now is if I were to submit patches which do this, is
> there any chance of them getting merged (assuming they follow coding
> standard etc)?
>

Hi,


work on this would be great.

Lubomir was working on that, quite a while ago.

Some work in progress is still at [1]. Note this also requires support
from NetworkManager ([2]).


[1] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/commits/lr/p11-forward
[2] https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=lr/p11-forward


best,
Thomas


--

Martin Forssén

Director of Information Security

Recorded Future

+46 760 252357

maf recordedfuture com
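The management-interface offload the message above relies on, shown as an added example that is not part of this thread or of NetworkManager-openvpn: a minimal Python responder for the `>NEED-CERTIFICATE` and `>PK_SIGN` notifications OpenVPN emits when started with `--management-external-cert` / `--management-external-key`, plus the OpenVPN-side request builders so both directions of the exchange are visible. The token signer and the certificate are constructed stand-ins (a real responder would hand the data to the PKCS#11 token), and tolerating a trailing `,<algorithm>` suffix on `>PK_SIGN:` is an assumption about newer OpenVPN versions.

```python
import base64
import hashlib

# Constructed stand-in for the PKCS#11 token: returns a SHA-256 digest so the
# example runs offline. A real responder would return the raw signature bytes
# produced by the smartcard (e.g. via p11-kit / GNOME PKCS#11 support).
def fake_token_sign(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Constructed placeholder; a real responder returns the certificate read
# from the token in PEM form.
FAKE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIB...placeholder...\n"
                 "-----END CERTIFICATE-----")

def openvpn_sign_request(data: bytes) -> str:
    """What OpenVPN (--management-external-key) sends: base64 of the
    to-be-signed data behind the >PK_SIGN: prefix."""
    return ">PK_SIGN:" + base64.b64encode(data).decode("ascii")

def openvpn_cert_request(hint: str = "") -> str:
    """What OpenVPN (--management-external-cert) sends to ask for the
    client certificate."""
    return ">NEED-CERTIFICATE:" + hint

def handle_management_line(line: str, sign=fake_token_sign,
                           cert_pem: str = FAKE_CERT_PEM):
    """Return the reply lines the management client (nm-openvpn-service side)
    must send for one real-time notification, or None if the line is not a
    PKCS#11 offload request. Replies are terminated by a bare END line."""
    line = line.rstrip("\r\n")
    if line.startswith(">NEED-CERTIFICATE:"):
        return ["certificate"] + cert_pem.splitlines() + ["END"]
    if line.startswith(">PK_SIGN:"):
        # Assumption: newer OpenVPN may append ",<algorithm>"; keep the
        # base64 part only.
        payload = line[len(">PK_SIGN:"):].split(",", 1)[0]
        to_sign = base64.b64decode(payload, validate=True)
        return ["pk-sign", base64.b64encode(sign(to_sign)).decode("ascii"), "END"]
    return None

if __name__ == "__main__":
    for req in (openvpn_cert_request(), openvpn_sign_request(b"hello"),
                ">INFO:OpenVPN Management Interface Version 1 -- type 'help'"):
        print(req, "->", handle_management_line(req))
```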


