On 14.01.18 at 20:44, selva.n...@gmail.com wrote:
> From: Selva Nair <selva.n...@gmail.com>
> 
> Signed-off-by: Selva Nair <selva.n...@gmail.com>
> ---
>  doc/management-notes.txt | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/doc/management-notes.txt b/doc/management-notes.txt
> index a9ba18a..e2e8249 100644
> --- a/doc/management-notes.txt
> +++ b/doc/management-notes.txt
> @@ -795,6 +795,36 @@ Base64 encoded output of RSA_private_encrypt() (OpenSSL) 
> or mbedtls_pk_sign()
>  This capability is intended to allow the use of arbitrary cryptographic
>  service providers with OpenVPN via the management interface.
>  
> +COMMAND -- ecdsa-sig (OpenVPN 2.5 or higher)
> +------------------------------------------
> +Same as rsa-sig but for EC keys: requires openssl 1.1
> +
> +Provides support for external storage of the EC private key. Requires the
> +--management-external-key option. This option can be used instead of "key"
> +in client mode, and allows the client to run without the need to load the
> +actual private key. When the SSL protocol needs to perform a sign
> +operation, the data to be signed will be sent to the management interface
> +via a notification as follows:
> +
> +>ECDSA_SIGN:[BASE64_DATA]
> +
> +The management interface client should then create a DER encoded signature of
> +the (decoded) BASE64_DATA using the private key and return the SSL signature 
> as
> +follows:
> +
> +ecdsa-sig
> +[BASE64_SIG_LINE]
> +.
> +.
> +.
> +END
> +
> +Base64 encoded output of ECDSA_sign() (OpenSSL) or mbedtls_pk_sign()
> +(mbed TLS) will provide a correct signature.
> +
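Review bot: "create a DER encoded signature of the (decoded) BASE64_DATA" leaves open whether BASE64_DATA is a message the client must hash or an already-computed digest; the reference call named in the closing paragraph, ECDSA_sign(), takes a digest, so the client has to sign the decoded bytes as-is without hashing them again, and the paragraph should state that explicitly (e.g. "BASE64_DATA is the already-hashed TLS data; sign it directly, do not hash it again"). The same closing sentence claims mbedtls_pk_sign() "will provide a correct signature", yet "requires openssl 1.1" in the first line makes the command sound OpenSSL-only, and the mbed TLS documentation quoted further down this thread says md_alg may never be MBEDTLS_MD_NONE for ECDSA, so that sentence should be verified against mbed TLS or qualified rather than copied over from the rsa-sig section.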

Signature.getInstance("NONEwithECDSA") worked for me in Java for this.
Any other signature algorithm did _NOT_ work, e.g. SHA384withECDSA. I
think ecdsa-sign might already provide a hash to sign.

On the other hand, the mbedtls documentation states:

   For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. For
   ECDSA md_alg may never be MBEDTLS_MD_NONE.

So this interface might not work with mbedtls.

Arne

Acked-By: Arne Schwabe

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel