mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-19 19:42:30 +02:00
OpenVPN is an open source VPN daemon
3512e8d3ad
OpenSSL 3 has providers which can load keys and certificates from various key stores and HSMs using a provider-specific URI. While certificates are generally exportable, and some providers support a PEM file that acts as a proxy for non-exportable private keys, not all providers are expected to do so. A generic capability to read keys and certificates from URIs appears useful. This patch does this by extending the scope of the argument for "--key" and "--cert" options to include URIs. Many of OpenSSL 3 utilities also work the same way: e.g., the "-in" option for "openssl pkey" or "openssl x509" could be a filename or URI. Other applications have started emulating this behaviour: e.g., pkcs11: URI works as an alternative to a file name for certificates and keys in apache. Even for files, this has a nice side effect that non-PEM files get transparently parsed. E.g., a pkcs12 file could be used in place of a PEM file without needing any extra options. This is backward compatible as OpenSSL falls back to treating URIs with no scheme or unrecognized scheme as file names. Parsing of inlined keys and certificates is unchanged (those should be in PEM format). Specification of URIs that OpenSSL accepts depends on the providers that support them. Some are standard URIs such as "file:/path", but providers may support non-standard URIs with arbitrary scheme names. OpenSSL by itself recognizes only file URI. However, the implementation is agnostic to the URI specification as parsing is done by the provider that supports the URI. A new URI gets automatically recognized when the provider that supports it is loaded. Below are some usage examples: Relative or absolute path to a file or as a URI "file:/absolute/path": --key mykey.pem (same as what is currently supported) --key file:/path/to/mykey.pem --cert file:/path/to/mycert.pem Other file types supported by OpenSSL would also work: --key client.p12 --cert client.p12 pkcs11-provider supports "pkcs11:" URI (RFC 7512): --key pkcs11:token=Foo;id=%01 --cert pkcs11:token=Foo;id=%01 tpm2-provider recognizes a custom URI "handle:<hex>": --key handle:0x81000000 These examples assume that required providers, if any, are loaded and configured. v2: same as PR 591 but with the fixup commit that addresses review comments is squashed. Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20240906103734.36633-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html Signed-off-by: Gert Doering <gert@greenie.muc.de> |
||
---|---|---|
.github | ||
contrib | ||
debug | ||
dev-tools | ||
distro | ||
doc | ||
include | ||
m4 | ||
sample | ||
src | ||
tests | ||
.git-blame-ignore-revs | ||
.gitattributes | ||
.gitignore | ||
.mailmap | ||
.svncommitters | ||
AUTHORS | ||
ChangeLog | ||
Changes.rst | ||
CMakeLists.txt | ||
CMakePresets.json | ||
compat.m4 | ||
config.h.cmake.in | ||
configure.ac | ||
CONTRIBUTING.rst | ||
COPYING | ||
COPYRIGHT.GPL | ||
forked-test-driver | ||
INSTALL | ||
ltrc.inc | ||
Makefile.am | ||
NEWS | ||
PORTS | ||
README | ||
README.cmake.md | ||
README.dco.md | ||
README.ec | ||
README.mbedtls | ||
README.wolfssl | ||
renovate.json | ||
version.m4 |
OpenVPN -- A Secure tunneling daemon Copyright (C) 2002-2022 OpenVPN Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. ************************************************************************* To get the latest release of OpenVPN, go to: https://openvpn.net/community-downloads/ To Build and Install, tar -zxf openvpn-<version>.tar.gz cd openvpn-<version> ./configure make make install or see the file INSTALL for more info. For information on how to build OpenVPN on/for Windows with MinGW or MSVC see README.cmake.md. ************************************************************************* For detailed information on OpenVPN, including examples, see the man page http://openvpn.net/man.html For a sample VPN configuration, see http://openvpn.net/howto.html To report an issue, see https://github.com/OpenVPN/openvpn/issues/new (Note: We recently switched to GitHub for reporting new issues, old issues can be found at: https://community.openvpn.net/openvpn/report) For a description of OpenVPN's underlying protocol, see the file ssl.h included in the source distribution. ************************************************************************* Other Files & Directories: * configure.ac -- script to rebuild our configure script and makefile. * sample/sample-scripts/verify-cn A sample perl script which can be used with OpenVPN's --tls-verify option to provide a customized authentication test on embedded X509 certificate fields. * sample/sample-keys/ Sample RSA keys and certificates. DON'T USE THESE FILES FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. * sample/sample-config-files/ A collection of OpenVPN config files and scripts from the HOWTO at http://openvpn.net/howto.html ************************************************************************* Note that easy-rsa and tap-windows are now maintained in their own subprojects. Their source code is available here: https://github.com/OpenVPN/easy-rsa https://github.com/OpenVPN/tap-windows6 Community-provided Windows installers (MSI) and Debian packages are built from https://github.com/OpenVPN/openvpn-build See the INSTALL file for usage information.