The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC key with mbed TLS and an external
key in OpenVPN will fail very late with a rather obscure error message.
Instead fail early and provide a clear message that only RSA keys are
supported.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
@@ -604,6 +604,13 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, |
604 | 604 |
return 1; |
605 | 605 |
} |
606 | 606 |
|
607 |
+ if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA) |
|
608 |
+ { |
|
609 |
+ msg(M_WARN, "ERROR: external key with mbed TLS requires a " |
|
610 |
+ "certificate with an RSA key."); |
|
611 |
+ return 1; |
|
612 |
+ } |
|
613 |
+ |
|
607 | 614 |
ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk); |
608 | 615 |
ctx->external_key.sign = sign_func; |
609 | 616 |
ctx->external_key.sign_ctx = sign_ctx; |
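Review bot: The new type test at new line 607 uses `mbedtls_pk_get_type()`, which only matches a context whose type is exactly `MBEDTLS_PK_RSA`; `mbedtls_pk_can_do()` is the library's query for "usable as an RSA key" and is the more robust form of the same guard, `if (!mbedtls_pk_can_do(&ctx->crt_chain->pk, MBEDTLS_PK_RSA))`. The check also dereferences `ctx->crt_chain` one line earlier than the existing `mbedtls_pk_get_len()` call at new line 614 did, so it depends on the function (or its caller) having already rejected a missing certificate chain; tls_ctx_use_external_signing_func starts and ends outside this hunk, so that guard is not visible here and should be confirmed. A one-line comment above the check would record why the restriction exists, e.g. `/* mbedtls_pk_setup_rsa_alt() can only wrap RSA keys; reject other key types here with a clear message instead of failing later */`.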