ChromeOS: Add more host verification options for OpenVpn.

components/onc/docs/onc_spec.html

Index: components/onc/docs/onc_spec.html
diff --git a/components/onc/docs/onc_spec.html b/components/onc/docs/onc_spec.html
index 0fe230b428addadf3e2f05e49a7360a46fdcacdb..3c843c03954011398fdb2c08938ff21686fb36a1 100644
--- a/components/onc/docs/onc_spec.html
+++ b/components/onc/docs/onc_spec.html
@@ -1194,7 +1194,50 @@
       </span>
       Verbosity level, defaults to openvpn default if not specified.
     </dd>
+
+    <dt class="field">VerifyHash</dt>
+    <dd>
+      <span class="field_meta">
+        (optional)
+        <span class="type">string</span>
+      </span>
+      If set, this value is passed as the "--verify-hash" argument to OpenVPN,
+      which specifies the SHA1 fingerprint for level-1 certificate.

[bartfab (slow), 2013/11/07 10:48:56]

Nit: s/for/for the/

[pneubeck (no reviews), 2013/11/11 11:53:43]

Done.

+    </dd>
+
+    <dt class="field">VerifyX509</dt>
+    <dd>
+      <span class="field_meta">
+        (optional)
+        <span class="type">VerifyX509</span>
+      </span>
+       If set, the "--verify-x509-name" argument is passed to OpenVPN with the values of this object and only connections will be accepted if a host's X.509 name is equal to the given name.
+    </dd>
+  </dl>
+
+  <p>
+    <span class="type">VerifyX509</span> type contains the following:
+  </p>
+  <dl class="field_list">
+    <dt class="field">Name</dt>
+    <dd>
+      <span class="field_meta">
+        (required)
+        <span class="type">string</span>
+      </span>
+      The name that the host's X.509 name is compared to. Which host name is compared depends on the value of <span class="field">Type</span>.
+    </dd>
+
+    <dt class="field">Type</dt>
+    <dd>
+      <span class="field_meta">
+        (required)

[Paul Stewart, 2013/11/06 14:22:20]

The type value is not required in either shill or OpenVPN.  It's up to you
whether you wish to impose a requirement here.  I don't know what this means for
the behavior of potential ".ovpn" to ONC translators.

[pneubeck (no reviews), 2013/11/06 14:50:42]

Ah. I see. I initially thought it unusual if there would be a command line
argument with a variable number of parameters. But you seem to be right.

I think, I'll change the requirement to "optional" and default to 'subject' as
currently described in the OpenVPN manpage.

Did you read the section "Which RDN is verified as name, depends on the
--x509-username-field option."
Does it even make sense to allow the selection of type=name or type=name-prefix
if "--x509-username-field" cannot be set? (the default is matching CN)

[Paul Stewart, 2013/11/06 15:55:38]

I've read that section.  The CN is the most reasonable RDN to match against. 
"type=name" and "type=name-prefix" have a completely different behavior than
"subject", so I think all three options are expressive.  I'm agnostic to whether
you supply the "subject" value for the name option or leave it to OpenVPN to
perform its default behavior.

+        <span class="type">string</span>
+      </span>
+      Determines which of the host's X.509 names will be verified. Allowed values are <span class="value">name</span>, <span class="value">name-prefix</span> and <span class="value">subject</span>. See OpenVPN's documentation for "--verify-x509-name" for the meaning of each value.
+    </dd>
   </dl>
+
 </section>
 
 </section>