Browse code
Refuse mbed TLS external key with non RSA certificates
The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC, mbed TLS and external
key in OpenVPN will fail very late with a rather obscure error message.
Instead fail early and provide a clear message that only RSA keys are
supported.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe authored on 2018/10/09 06:41:23Showing 1 changed files
| ... | ... |
@@ -604,6 +604,13 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, |
| 604 | 604 |
return 1; |
| 605 | 605 |
} |
| 606 | 606 |
|
| 607 |
+ if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA) |
|
| 608 |
+ {
|
|
| 609 |
+ msg(M_WARN, "ERROR: external key with mbed TLS requires a " |
|
| 610 |
+ "certificate with an RSA key."); |
|
| 611 |
+ return 1; |
|
| 612 |
+ } |
|
| 613 |
+ |
|
| 607 | 614 |
ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk); |
| 608 | 615 |
ctx->external_key.sign = sign_func; |
| 609 | 616 |
ctx->external_key.sign_ctx = sign_ctx; |