Shill throws 'InvalidProperty' error when setting OpenVPN.Pkcs11.Slot
Issue description

shill/dbus-constants.h includes:

const char kOpenVPNClientCertSlotProperty[] = "OpenVPN.Pkcs11.Slot";

However, if we set it, Shill throws an InvalidProperty error. We should remove it from the header.

Also, EAP.CertID uses the format tpm_slot:pkcs11Id (which is not documented in service-api.txt). Should OpenVPN.Pkcs11.ID use the same format? VPNs using L2TP-IPsec specify slot explicitly using L2TPIPsec.ClientCertSlot.
Sep 28 2017
stevenjb: seems like you added the constant :) https://chromium-review.googlesource.com/c/chromiumos/platform/system_api/+/7293

"OpenVPN.Pkcs11.Slot" is never used in shill according to git history. It isn't referenced in the shill api doc either. Perhaps we wanted to make openvpn handle pkcs11 certs like l2tp/ipsec vpn, or perhaps it's a flimflam legacy.

Either way, removing it from service-api sgtm: https://chromium-review.googlesource.com/c/chromiumos/platform/system_api/+/688822
Sep 28 2017
We should really update the api doc to explain how Shill handles the TPM slot for OpenVPN. Does anyone know for sure whether it even works?
Sep 28 2017
I believe cernekee would have more recent experience with openvpn and provide more insight. Otherwise, we would need to dig through the code.
Sep 28 2017
Sep 28 2017
Corp OpenVPN uses the PKCS11 properties because it relies on a hardware-backed key. The autotests exercise the openvpn-with-cert configuration as well.
Sep 28 2017
Re #6: That uses OpenVPN.Pkcs11.ID, but not OpenVPN.Pkcs11.Slot, right?
Jan 15
Comment 1 by steve...@chromium.org, Sep 28 2017