diff options
author | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-16 13:08:13 +0000 |
---|---|---|
committer | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-16 13:08:13 +0000 |
commit | 7f123d2a3dc472dd796c13e2d7d599446fe9831d (patch) | |
tree | 6f3ead0503ad43e7d88db6d130ae4b65f89bf5a4 /components/onc/docs | |
parent | ff39e9b81c8619d19a318a8d97d0bac552d455b4 (diff) | |
download | chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.zip chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.tar.gz chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.tar.bz2 |
ONC: Allow multiple CA certificates.
So far only a single CA certificate was supported for EAP/IPsec/OpenVPN. Instead, we now support multiple CA certs. These are provided as a list of GUID references to CA certificates in the toplevel "Certificates" section.
BUG=276291
R=armansito@chromium.org, davidroche@chromium.org
Review URL: https://codereview.chromium.org/68343010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@240874 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'components/onc/docs')
-rw-r--r-- | components/onc/docs/onc_spec.html | 72 |
1 files changed, 59 insertions, 13 deletions
diff --git a/components/onc/docs/onc_spec.html b/components/onc/docs/onc_spec.html index 709ca0f..10b2f0f 100644 --- a/components/onc/docs/onc_spec.html +++ b/components/onc/docs/onc_spec.html @@ -658,7 +658,7 @@ <span class="rule"> <span class="rule_id"></span> Allowed values are <span class="value">PSK</span> and - <span class="value">Cert</span> + <span class="value">Cert</span>. If <span class="value">Cert</span> is used, <span class="field">ClientCertType</span> and <span class="field">ServerCARefs</span> (or the deprecated <span class="field">ServerCARef</span>) must be set. </span> </dd> @@ -749,14 +749,25 @@ (PSK) each time they connect. </dd> + <dt class="field">ServerCARefs</dt> + <dd> + <span class="field_meta"> + (optional if <span class="field">AuthenticationType</span> + is <span class="value">Cert</span>, otherwise rejected) + <span class="type">array of string</span> + </span> + Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. + </dd> + <dt class="field">ServerCARef</dt> <dd> <span class="field_meta"> - (required if <span class="field">AuthenticationType</span> + (optional if <span class="field">AuthenticationType</span> is <span class="value">Cert</span>, otherwise rejected) <span class="type">string</span> </span> - Reference to server certificate authority stored in certificate section. + DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/> + Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset. </dd> <dt class="field">XAUTH</dt> @@ -771,6 +782,16 @@ </dd> </dl> + <p class="rule"> + <span class="rule_id"></span> + If <span class="field">AuthenticationType</span> is set to <span class="value">Cert</span>, <span class="field">ServerCARefs</span> or <span class="field">ServerCARef</span> must be set. + </p> + + <p class="rule"> + <span class="rule_id"></span> + At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set. + </p> + <p> <span class="type">L2TP</span> type contains the following: </p> @@ -1108,14 +1129,23 @@ each time they connect. </dd> + <dt class="field">ServerCARefs</dt> + <dd> + <span class="field_meta"> + (optional) + <span class="type">array of string</span> + </span> + Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset. + </dd> + <dt class="field">ServerCARef</dt> <dd> <span class="field_meta"> (optional) <span class="type">string</span> </span> - Reference to a certificate. Certificate authority to use for verifying - connection. + DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/> + Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset. </dd> <dt class="field">ServerCertRef</dt> @@ -1215,6 +1245,11 @@ </dd> </dl> + <p class="rule"> + <span class="rule_id"></span> + At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set. + </p> + <p> <span class="type">VerifyX509</span> type contains the following: </p> @@ -1618,16 +1653,23 @@ <span class="value">false</span> is not allowed. </dd> + <dt class="field">ServerCARefs</dt> + <dd> + <span class="field_meta"> + (optional) + <span class="type">array of string</span> + </span> + Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this. + </dd> + <dt class="field">ServerCARef</dt> <dd> <span class="field_meta"> (optional) <span class="type">string</span> </span> - Reference to server certificate authority stored in certificate - section. If not specified, client does not check the server certificate is - signed by a specific CA. It will still check the server CA - if <span class="field">UseSystemCAs</span> is set. + DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/> + Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this. </dd> <dt class="field">UseSystemCAs</dt> @@ -1637,15 +1679,19 @@ <span class="type">boolean</span> </span> Required server certificate to be signed by "system default certificate - authorities". If both <span class="field">ServerCARef</span> + authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>) and <span class="field">UseSystemCAs</span> are supplied, a server certificate will be allowed if it either has a chain of trust to a system - CA or to the given server CA. If <span class="field">UseSystemCAs</span> - is <span class="value">false</span>, and - no <span class="field">ServerCARef</span> is set, then the certificate + CA or to one of the given CA certificates. If <span class="field">UseSystemCAs</span> + is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate must be a self signed certificate, and no CA signature is required. </dd> </dl> + + <p class="rule"> + <span class="rule_id"></span> + At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set. + </p> </section> <section> |