Ever since we support TLS 1.2 (OpenVPN 2.3.3+), the RSA_SIGN might not
only request MD5-SHA1 'TLS signatures', but also other variants.
Document this by updating the implementation hints, and explicitly
stating that we expect a PKCS#1 1.5 signature.
Trac: #764
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1482705505-20302-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13714.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -773,8 +773,9 @@ via a notification as follows: |
773 | 773 |
|
774 | 774 |
>RSA_SIGN:[BASE64_DATA] |
775 | 775 |
|
776 |
-The management interface client should then sign BASE64_DATA |
|
777 |
-using the private key and return the SSL signature as follows: |
|
776 |
+The management interface client should then create a PKCS#1 v1.5 signature of |
|
777 |
+the (decoded) BASE64_DATA using the private key and return the SSL signature as |
|
778 |
+follows: |
|
778 | 779 |
|
779 | 780 |
rsa-sig |
780 | 781 |
[BASE64_SIG_LINE] |
... | ... |
@@ -783,8 +784,8 @@ rsa-sig |
783 | 783 |
. |
784 | 784 |
END |
785 | 785 |
|
786 |
-Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a |
|
787 |
-correct signature. |
|
786 |
+Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() |
|
787 |
+(mbed TLS) will provide a correct signature. |
|
788 | 788 |
|
789 | 789 |
This capability is intended to allow the use of arbitrary cryptographic |
790 | 790 |
service providers with OpenVPN via the management interface. |