Browse code
Document that RSA_SIGN can also request TLS 1.2 signatures
Ever since we support TLS 1.2 (OpenVPN 2.3.3+), the RSA_SIGN might not
only request MD5-SHA1 'TLS signatures', but also other variants.
Document this by updating the implementation hints, and explicitly
stating that we expect a PKCS#1 1.5 signature.
Trac: #764
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1482705505-20302-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13714.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger authored on 2016/12/26 07:38:25Showing 1 changed files
| ... | ... |
@@ -773,8 +773,9 @@ via a notification as follows: |
| 773 | 773 |
|
| 774 | 774 |
>RSA_SIGN:[BASE64_DATA] |
| 775 | 775 |
|
| 776 |
-The management interface client should then sign BASE64_DATA |
|
| 777 |
-using the private key and return the SSL signature as follows: |
|
| 776 |
+The management interface client should then create a PKCS#1 v1.5 signature of |
|
| 777 |
+the (decoded) BASE64_DATA using the private key and return the SSL signature as |
|
| 778 |
+follows: |
|
| 778 | 779 |
|
| 779 | 780 |
rsa-sig |
| 780 | 781 |
[BASE64_SIG_LINE] |
| ... | ... |
@@ -783,8 +784,8 @@ rsa-sig |
| 783 | 783 |
. |
| 784 | 784 |
END |
| 785 | 785 |
|
| 786 |
-Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a |
|
| 787 |
-correct signature. |
|
| 786 |
+Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() |
|
| 787 |
+(mbed TLS) will provide a correct signature. |
|
| 788 | 788 |
|
| 789 | 789 |
This capability is intended to allow the use of arbitrary cryptographic |
| 790 | 790 |
service providers with OpenVPN via the management interface. |