> > So, it looks like running rsa_sign with a cert/key pair coming out of
> the cryptostore store is causing some low level openssl problems.
> Don't know how easy it is to fix, but most likely it's not inside the
> OpenVPN code...
>

Pretty easy (for OpenSSL standards...). You have to use the lowlevel functions instead of rsa_sign. See also https://code.google.com/p/ics-openvpn/source/browse/main/jni/jbcrypto.cpp

Basically for ics-openvpn the change was to replace

    RSA_sign(NID_md5_sha1, (unsigned char*) data, datalen, sigret, &siglen, pkey->pkey.rsa) <= 0 )

with

    siglen = RSA_private_encrypt(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa,RSA_PKCS1_PADDING);

But I haven't looked at the OpenVPN source code yet to see which code path is called there.

Arne
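
Why the two calls named in the message above produce the same signature, as an added example (not part of the original message and not ics-openvpn or OpenVPN code): for NID_md5_sha1 the signed value is the raw 36-byte MD5 || SHA-1 digest under PKCS#1 v1.5 type 1 padding with no DigestInfo wrapper, which is exactly what RSA_private_encrypt with RSA_PKCS1_PADDING builds. The Python model below assumes a constructed toy key and hypothetical function names.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def md5_sha1(handshake: bytes) -> bytes:
    """36-byte MD5 || SHA-1 digest, the input NID_md5_sha1 expects."""
    return hashlib.md5(handshake).digest() + hashlib.sha1(handshake).digest()


def pad_type1(data: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 block type 1: 00 01 FF..FF 00 || data."""
    if len(data) > k - 11:
        raise ValueError("data too large for key size")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data


def private_encrypt(data: bytes) -> bytes:
    """Model of RSA_private_encrypt(..., RSA_PKCS1_PADDING): pad, then m^d mod n."""
    m = int.from_bytes(pad_type1(data, K), "big")
    return pow(m, D, N).to_bytes(K, "big")


def sign_md5_sha1(digest: bytes) -> bytes:
    """Model of RSA_sign(NID_md5_sha1, ...): length check, no DigestInfo added."""
    if len(digest) != 36:
        raise ValueError("NID_md5_sha1 input must be exactly 36 bytes")
    return private_encrypt(digest)


def recover(sig: bytes) -> bytes:
    """Public-key operation plus strict type 1 unpadding; returns the signed bytes."""
    if len(sig) != K:
        raise ValueError("signature length does not match modulus")
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    # At least 8 bytes of FF padding are required, so the separator is at index >= 10.
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 type 1 padding")
    return em[sep + 1:]
```

The only thing the high-level call adds for this NID is the 36-byte length check, so a caller that switches to the low-level function has to enforce that length itself.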