@@ -90,9 +90,15 @@ server and client mode operations.
management-external-key
management-external-key nopadding
management-external-key pkcs1
+ management-external-key pss
+
+ or any combination like:
+ ::
+
management-external-key nopadding pkcs1
+ management-external-key pkcs1 pss
- The optional parameters :code:`nopadding` and :code:`pkcs1` signal
+ The optional parameters :code:`nopadding` :code:`pkcs1` and :code:`pss` signal
support for different padding algorithms. See
:code:`doc/mangement-notes.txt` for a complete description of this
feature.
@@ -1019,10 +1019,17 @@ can be indicated in the signing request only if the client version is > 2"
The currently defined padding algorithms are:
- - RSA_PKCS1_PADDING - PKCS1 padding and RSA signature
- - RSA_NO_PADDING - No padding may be added for the signature
- - ECDSA - EC signature.
-
+ - RSA_PKCS1_PADDING - PKCS1 padding and RSA signature
+ - RSA_NO_PADDING - No padding may be added for the signature
+ - ECDSA - EC signature.
+ - RSA_PKCS1_PSS_PADDING,params - RSA signature with PSS padding
+
+ params for PSS are specified as 'digest=name,saltlen=[max|digest|auto]'.
+ The digest names are short common names such as SHA256, SHA224, etc.
+ In the case of PKCS1, when the hash algorithm is not the legacy MD5-SHA1,
+ the digest is encoded with DigestInfo header before presening to the
+ management. This is identical to CKM_RSA_PKCS in cryptoki as well as
+ what RSA_sign() provides.
COMMAND -- certificate (OpenVPN 2.4 or higher)
----------------------------------------------
@@ -339,6 +339,7 @@ struct management *management_init(void);
#define MF_QUERY_REMOTE (1<<13)
#define MF_QUERY_PROXY (1<<14)
#define MF_EXTERNAL_CERT (1<<15)
+#define MF_EXTERNAL_KEY_PSSPAD (1<<16)
bool management_open(struct management *man,
const char *addr,
@@ -2213,7 +2213,8 @@ options_postprocess_verify_ce(const struct options *options,
#if defined(ENABLE_MANAGEMENT)
if ((tls_version_max() >= TLS_VER_1_3)
&& (options->management_flags & MF_EXTERNAL_KEY)
- && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
+ && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)
+ || options->management_flags & (MF_EXTERNAL_KEY_PSSPAD))
)
{
msg(M_ERR, "management-external-key with OpenSSL 1.1.1 requires "
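Review bot: The negated test on the two added lines is correct but easy to misread: the `!(` opened before the NOPADDING mask is only closed after the PSSPAD mask on the following line, so a reader skimming the parentheses can take it for `!nopadding || pss`. Testing a single combined mask states the intent directly: `&& !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PSSPAD))`. The M_ERR text begins inside this hunk and continues outside it; if the remainder names only nopadding as the requirement, it should mention pss as well, since either flag now satisfies the check.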
@@ -5511,6 +5512,10 @@ add_option(struct options *options,
{
options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
}
+ else if (streq(p[j], "pss"))
+ {
+ options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
+ }
else
{
msg(msglevel, "Unknown management-external-key flag: %s", p[j]);