mirror of
https://github.com/OpenVPN/openvpn3.git
synced 2024-09-20 04:02:15 +02:00
Core: handle external PKI signature requests for non-RSA_RAW
signature types internally in the core, so that individual platforms only see RSA_RAW requests.
This commit is contained in:
parent
6d0eec38ee
commit
cd5d7bc1e9
@ -711,7 +711,7 @@ namespace openvpn {
|
||||
OPENVPN_CLIENT_EXPORT bool OpenVPNClient::sign(const std::string& sig_type, const std::string& data, std::string& sig)
|
||||
{
|
||||
ExternalPKISignRequest req;
|
||||
req.sig_type = sig_type;
|
||||
req.sigType = sig_type;
|
||||
req.data = data;
|
||||
req.alias = state->external_pki_alias;
|
||||
external_pki_sign_request(req); // call out to derived class for RSA signature
|
||||
|
@ -311,7 +311,7 @@ namespace openvpn {
|
||||
// used to request an RSA signature
|
||||
struct ExternalPKISignRequest : public ExternalPKIRequestBase
|
||||
{
|
||||
std::string sig_type; // signature type
|
||||
std::string sigType; // signature type
|
||||
std::string data; // data rendered as base64 (client reads)
|
||||
std::string sig; // RSA signature, rendered as base64 (client writes)
|
||||
};
|
||||
|
40
openvpn/pki/pkcs1.hpp
Normal file
40
openvpn/pki/pkcs1.hpp
Normal file
@ -0,0 +1,40 @@
|
||||
//
|
||||
// pkcs1.hpp
|
||||
// OpenVPN
|
||||
//
|
||||
// Copyright (c) 2014 OpenVPN Technologies, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#ifndef OPENVPN_PKI_PKCS1_H
|
||||
#define OPENVPN_PKI_PKCS1_H
|
||||
|
||||
namespace openvpn {
|
||||
namespace PKCS1 {
|
||||
// from http://www.ietf.org/rfc/rfc3447.txt
|
||||
namespace DigestPrefix { // CONST GLOBAL
|
||||
static const unsigned char MD2[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
|
||||
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
|
||||
0x02, 0x02, 0x05, 0x00, 0x04, 0x10 };
|
||||
static const unsigned char MD5[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
|
||||
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
|
||||
0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
|
||||
static const unsigned char SHA1[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
|
||||
0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
|
||||
0x00, 0x04, 0x14 };
|
||||
static const unsigned char SHA256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
|
||||
0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
|
||||
0x04, 0x02, 0x01, 0x05, 0x00, 0x04,
|
||||
0x20 };
|
||||
static const unsigned char SHA384[] = { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
|
||||
0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
|
||||
0x04, 0x02, 0x02, 0x05, 0x00, 0x04,
|
||||
0x30 };
|
||||
static const unsigned char SHA512[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
|
||||
0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
|
||||
0x04, 0x02, 0x03, 0x05, 0x00, 0x04,
|
||||
0x40 };
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
@ -30,6 +30,7 @@
|
||||
#include <openvpn/buffer/buffer.hpp>
|
||||
#include <openvpn/pki/cclist.hpp>
|
||||
#include <openvpn/pki/epkibase.hpp>
|
||||
#include <openvpn/pki/pkcs1.hpp>
|
||||
#include <openvpn/ssl/kuparse.hpp>
|
||||
#include <openvpn/ssl/nscert.hpp>
|
||||
#include <openvpn/ssl/tlsver.hpp>
|
||||
@ -798,36 +799,36 @@ namespace openvpn {
|
||||
try {
|
||||
if (mode == RSA_PRIVATE)
|
||||
{
|
||||
std::string sig_type;
|
||||
size_t digest_prefix_len = 0;
|
||||
const unsigned char *digest_prefix = NULL;
|
||||
|
||||
/* get signature type */
|
||||
switch (hash_id) {
|
||||
case SIG_RSA_RAW:
|
||||
sig_type = "RSA_RAW";
|
||||
break;
|
||||
case SIG_RSA_MD2:
|
||||
sig_type = "RSA_MD2";
|
||||
break;
|
||||
case SIG_RSA_MD4:
|
||||
sig_type = "RSA_MD4";
|
||||
digest_prefix = PKCS1::DigestPrefix::MD2;
|
||||
digest_prefix_len = sizeof(PKCS1::DigestPrefix::MD2);
|
||||
break;
|
||||
case SIG_RSA_MD5:
|
||||
sig_type = "RSA_MD5";
|
||||
digest_prefix = PKCS1::DigestPrefix::MD5;
|
||||
digest_prefix_len = sizeof(PKCS1::DigestPrefix::MD5);
|
||||
break;
|
||||
case SIG_RSA_SHA1:
|
||||
sig_type = "RSA_SHA1";
|
||||
break;
|
||||
case SIG_RSA_SHA224:
|
||||
sig_type = "RSA_SHA224";
|
||||
digest_prefix = PKCS1::DigestPrefix::SHA1;
|
||||
digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA1);
|
||||
break;
|
||||
case SIG_RSA_SHA256:
|
||||
sig_type = "RSA_SHA256";
|
||||
digest_prefix = PKCS1::DigestPrefix::SHA256;
|
||||
digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA256);
|
||||
break;
|
||||
case SIG_RSA_SHA384:
|
||||
sig_type = "RSA_SHA384";
|
||||
digest_prefix = PKCS1::DigestPrefix::SHA384;
|
||||
digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA384);
|
||||
break;
|
||||
case SIG_RSA_SHA512:
|
||||
sig_type = "RSA_SHA512";
|
||||
digest_prefix = PKCS1::DigestPrefix::SHA512;
|
||||
digest_prefix_len = sizeof(PKCS1::DigestPrefix::SHA512);
|
||||
break;
|
||||
default:
|
||||
OPENVPN_LOG_SSL("PolarSSLContext::epki_sign unrecognized hash_id, mode=" << mode
|
||||
@ -835,13 +836,18 @@ namespace openvpn {
|
||||
return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
/* convert 'hash' to base64 */
|
||||
ConstBuffer from_buf(hash, hashlen, true);
|
||||
/* concatenate digest prefix with hash */
|
||||
BufferAllocated from_buf(digest_prefix_len + hashlen, 0);
|
||||
if (digest_prefix_len)
|
||||
from_buf.write(digest_prefix, digest_prefix_len);
|
||||
from_buf.write(hash, hashlen);
|
||||
|
||||
/* convert from_buf to base64 */
|
||||
const std::string from_b64 = base64->encode(from_buf);
|
||||
|
||||
/* get signature */
|
||||
std::string sig_b64;
|
||||
const bool status = self->config.external_pki->sign(sig_type, from_b64, sig_b64);
|
||||
const bool status = self->config.external_pki->sign("RSA_RAW", from_b64, sig_b64);
|
||||
if (!status)
|
||||
throw polarssl_external_pki("could not obtain signature");
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user