Core: handle external PKI signature requests for non-RSA_RAW

signature types internally in the core, so that individual
platforms only see RSA_RAW requests.

client/ovpncli.cpp

@@ -711,7 +711,7 @@ namespace openvpn {
     OPENVPN_CLIENT_EXPORT bool OpenVPNClient::sign(const std::string& sig_type, const std::string& data, std::string& sig)
     {
       ExternalPKISignRequest req;
-      req.sig_type = sig_type;
+      req.sigType = sig_type;
       req.data = data;
       req.alias = state->external_pki_alias;
       external_pki_sign_request(req); // call out to derived class for RSA signature

client/ovpncli.hpp

@@ -311,7 +311,7 @@ namespace openvpn {
     // used to request an RSA signature
     struct ExternalPKISignRequest : public ExternalPKIRequestBase
     {
-      std::string sig_type; // signature type
+      std::string sigType; // signature type
       std::string data;  // data rendered as base64 (client reads)
       std::string sig;   // RSA signature, rendered as base64 (client writes)
     };

openvpn/pki/pkcs1.hpp

@@ -0,0 +1,40 @@
+//
+//  pkcs1.hpp
+//  OpenVPN
+//
+//  Copyright (c) 2014 OpenVPN Technologies, Inc. All rights reserved.
+//
+
+#ifndef OPENVPN_PKI_PKCS1_H
+#define OPENVPN_PKI_PKCS1_H
+
+namespace openvpn {
+  namespace PKCS1 {
+    // from http://www.ietf.org/rfc/rfc3447.txt
+    namespace DigestPrefix { // CONST GLOBAL
+      static const unsigned char MD2[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
+					   0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+					   0x02, 0x02, 0x05, 0x00, 0x04, 0x10 };
+      static const unsigned char MD5[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
+					   0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+					   0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
+      static const unsigned char SHA1[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+					    0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
+					    0x00, 0x04, 0x14 };
+      static const unsigned char SHA256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
+					      0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+					      0x04, 0x02, 0x01, 0x05, 0x00, 0x04,
+					      0x20 };
+      static const unsigned char SHA384[] = { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
+					      0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+					      0x04, 0x02, 0x02, 0x05, 0x00, 0x04,
+					      0x30 };
+      static const unsigned char SHA512[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
+					      0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+					      0x04, 0x02, 0x03, 0x05, 0x00, 0x04,
+					      0x40 };
+    }
+  }
+}
+
+#endif

openvpn/polarssl/ssl/sslctx.hpp

@@ -30,6 +30,7 @@
 #include <openvpn/buffer/buffer.hpp>
 #include <openvpn/pki/cclist.hpp>
 #include <openvpn/pki/epkibase.hpp>
+#include <openvpn/pki/pkcs1.hpp>
 #include <openvpn/ssl/kuparse.hpp>
 #include <openvpn/ssl/nscert.hpp>
 #include <openvpn/ssl/tlsver.hpp>
@@ -798,36 +799,36 @@ namespace openvpn {
       try {
 	if (mode == RSA_PRIVATE)
 	  {
-	    std::string sig_type;
+	    size_t digest_prefix_len = 0;
+	    const unsigned char *digest_prefix = NULL;
 
 	    /* get signature type */
 	    switch (hash_id) {
 	    case SIG_RSA_RAW:
-	      sig_type = "RSA_RAW";
 	      break;
 	    case SIG_RSA_MD2:
-	      sig_type = "RSA_MD2";
-	      break;
-	    case SIG_RSA_MD4:
-	      sig_type = "RSA_MD4";
+	      digest_prefix = PKCS1::DigestPrefix::MD2;
+	      digest_prefix_len = sizeof(PKCS1::DigestPrefix::MD2);
 	      break;
 	    case SIG_RSA_MD5:
-	      sig_type = "RSA_MD5";
+	      digest_prefix = PKCS1::DigestPrefix::MD5;
+	      digest_prefix_len = sizeof(PKCS1::DigestPrefix::MD5);
 	      break;
 	    case SIG_RSA_SHA1:
-	      sig_type = "RSA_SHA1";
-	      break;
-	    case SIG_RSA_SHA224:
-	      sig_type = "RSA_SHA224";
+	      digest_prefix = PKCS1::DigestPrefix::SHA1;
+	      digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA1);
 	      break;
 	    case SIG_RSA_SHA256:
-	      sig_type = "RSA_SHA256";
+	      digest_prefix = PKCS1::DigestPrefix::SHA256;
+	      digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA256);
 	      break;
 	    case SIG_RSA_SHA384:
-	      sig_type = "RSA_SHA384";
+	      digest_prefix = PKCS1::DigestPrefix::SHA384;
+	      digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA384);
 	      break;
 	    case SIG_RSA_SHA512:
-	      sig_type = "RSA_SHA512";
+	      digest_prefix = PKCS1::DigestPrefix::SHA512;
+	      digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA512);
 	      break;
 	    default:
 	      OPENVPN_LOG_SSL("PolarSSLContext::epki_sign unrecognized hash_id, mode=" << mode
@@ -835,13 +836,18 @@ namespace openvpn {
 	      return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
 	    }
 
-	    /* convert 'hash' to base64 */
-	    ConstBuffer from_buf(hash, hashlen, true);
+	    /* concatenate digest prefix with hash */
+	    BufferAllocated from_buf(digest_prefix_len + hashlen, 0);
+	    if (digest_prefix_len)
+	      from_buf.write(digest_prefix, digest_prefix_len);
+	    from_buf.write(hash, hashlen);
+
+	    /* convert from_buf to base64 */
 	    const std::string from_b64 = base64->encode(from_buf);
 
 	    /* get signature */
 	    std::string sig_b64;
-	    const bool status = self->config.external_pki->sign(sig_type, from_b64, sig_b64);
+	    const bool status = self->config.external_pki->sign("RSA_RAW", from_b64, sig_b64);
 	    if (!status)
 	      throw polarssl_external_pki("could not obtain signature");