
onc-creator's People

Contributors

dgozman, priceaj


onc-creator's Issues

No TLS-Auth support

TLS-Auth certs are currently interpreted as a certificate due to their tagged nature; however, the ONC spec has them as part of the network configuration.

https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub#h.oimioyixntt3 advises:

> TLS_AUTH_KEY: This one is the TLS auth key, but there is a catch.
> We need to remove the comment lines, but DO need to include the header and footer lines “-----BEGIN OpenVPN Static Key V1-----” and the footer line “-----END OpenVPN Static Key V1-----”, but we replace all the newlines with literal “\n” characters. This is not documented, but can be seen in the test cases for the ChromeOS VPN support.

You can do this with this shell command:
grep -v '#' ta-demo.key | perl -p -e 's/\n/\\n/' -
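
The conversion described in the issue above, done in JavaScript on an inline `<tls-auth>` block instead of with grep and perl. This is an added example, not onc-creator's code: `extractTlsAuth` and `toOncFragment` are hypothetical names, the sample key is constructed, and the ONC field name `TLSAuthContents` is assumed from the ONC spec's OpenVPN type.

```javascript
// Added example; function names are hypothetical, not from onc-creator.
const BEGIN = '-----BEGIN OpenVPN Static Key V1-----';
const END = '-----END OpenVPN Static Key V1-----';

// Extract the inline <tls-auth> block from .ovpn text and normalise it:
// drop '#' comment lines and blank lines, keep the header and footer,
// and end every line (including the last) with a single newline.
function extractTlsAuth(ovpnText) {
  const m = /<tls-auth>([\s\S]*?)<\/tls-auth>/.exec(ovpnText);
  if (!m) return null; // no inline static key in this profile
  const lines = m[1].split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l !== '' && !l.startsWith('#'));
  if (lines[0] !== BEGIN || lines[lines.length - 1] !== END) {
    throw new Error('tls-auth block is missing the static key header or footer');
  }
  const body = lines.slice(1, -1);
  if (body.length === 0 || !body.every((l) => /^[0-9a-f]+$/i.test(l))) {
    throw new Error('tls-auth key body must consist of hex lines');
  }
  return lines.join('\n') + '\n';
}

// Build the part of the ONC OpenVPN object that carries the key.
// TLSAuthContents is assumed here from the ONC spec (not named on this page).
function toOncFragment(ovpnText) {
  const key = extractTlsAuth(ovpnText);
  return key === null ? {} : { TLSAuthContents: key };
}

// Constructed sample profile with CRLF line endings and a made-up key.
const SAMPLE_OVPN = [
  'client', '<tls-auth>', '#', '# 2048 bit OpenVPN static key', '#',
  BEGIN,
  '00112233445566778899aabbccddeeff',
  'ffeeddccbbaa99887766554433221100',
  END, '</tls-auth>', '',
].join('\r\n');

// JSON.stringify escapes each real newline as the two characters "\n",
// which is the "literal \n" form the quoted guide asks for in the ONC file.
console.log(JSON.stringify({ OpenVPN: toOncFragment(SAMPLE_OVPN) }));
```

Because the serializer does the escaping, the key should be held with real newlines in memory; replacing them by hand before `JSON.stringify` would double-escape them.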

Prompt when processing OVPN with external files

OVPN files can hold certificates either inline or externally. Inline file support is already implemented, but if an external file is specified, the app should display the cert window and allow an upload of the cert.

No PKCS12 Support

Generally OpenVPN uses three certificate files for a connection:

https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN

"The files you need to copy out from a CA are just 3 files for each client and server.
Private key (often a .key or .pem file)
Certificate (often a .crt or .pem file)
CA certificate (also a .crt or .pem file)"

The ONC format doesn't seem to support this configuration, as it supports only a single client certificate, so currently the ONC files produced by the app do not allow a connection to an OpenVPN server (despite being processed into a valid ONC which can be imported into ChromeOS).

To resolve this issue:

https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub

Advises that

> ChromeOS needs the pkcs12 format key, you can generate that from the separate files created by the “build-key” script, or you can use the build-key-pkcs12 script directly to save time.
> If you have already generated the separate ca.crt, client.crt and client.key files, no problem, you can generate the pkcs bundle like this:

openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name MyClient -out client.p12

Since OVPN files generally contain <cert> and <key> tags, we need to parse these into PKCS12 using JS.

https://github.com/digitalbazaar/forge/blob/master/js/pkcs12.js

Does this in p12.toPkcs12Asn1

So this will need to be implemented, and possibly replace the CryptoJS usage throughout the script.
