[Openvpn-devel,v2,3/3] Document management request >PK_SIGN and response pk-sig

Message ID 1516301916-11408-1-git-send-email-selva.nair@gmail.com
State Superseded

Commit Message

Selva Nair Jan. 18, 2018, 6:58 p.m.
From: Selva Nair <selva.nair@gmail.com>

v2: Commands renamed to >PK_SIGN and pk-sig

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
Well, the previous version has been acked, but obviously that
patch is obsolete now.


 doc/management-notes.txt | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

Patch

diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index a9ba18a..064e335 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -795,6 +795,43 @@  Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign()
 This capability is intended to allow the use of arbitrary cryptographic
 service providers with OpenVPN via the management interface.
 
+COMMAND -- pk-sig (OpenVPN 2.5 or higher)
+------------------------------------------
+Provides support for external storage of the private key. Requires the
+--management-external-key option. This option can be used instead of "key"
+in client mode, and allows the client to run without the need to load the
+actual private key. When the SSL protocol needs to perform a sign
+operation, the data to be signed will be sent to the management interface
+via a notification as follows:
+
+>PK_SIGN:[BASE64_DATA]
+
+The management interface client should then create an appropriate signature of
+the (decoded) BASE64_DATA using the private key and return the SSL signature as
+follows:
+
+pk-sig
+[BASE64_SIG_LINE]
+.
+.
+.
+END
+
+RSA signatures (for RSA keys) and and ECDSA signatures (for EC keys) are
+supported. For EC keys openssl 1.1 or higher is required.
+
+Base64 encoded output of RSA_private_encrypt for RSA or ECDSA_sign() for EC
+using OpenSSL or mbedtls_pk_sign() using mbed TLS will provide a correct
+signature.
+
+This capability is intended to allow the use of arbitrary cryptographic service
+providers with OpenVPN via the management interface.
+
+Currently RSA signature is challenged for by '>RSA_SIGN', but eventually
+'>PK_SIGN' prompt will be used for all signature types. New management clients
+should be prepared to respond to '>PK_SIGN' with 'pk-sig' followed by the
+appropriate signature.
+
 COMMAND -- certificate (OpenVPN 2.4 or higher)
 ----------------------------------------------
 Provides support for external storage of the certificate. Requires the
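Review bot: the new pk-sig section does not tell a management client what form the data in '>PK_SIGN:[BASE64_DATA]' has (a raw digest or a full message) nor which padding it must apply; it only says that the output of RSA_private_encrypt (OpenSSL) or ECDSA_sign() / mbedtls_pk_sign() "will provide a correct signature", and RSA_private_encrypt takes a padding argument that the text never names. Third-party providers that do not link against OpenSSL need that stated explicitly, so suggest spelling out the expected input and padding next to the function names. Two wording issues in the same hunk: "RSA signatures (for RSA keys) and and ECDSA signatures" has a doubled "and", and "Currently RSA signature is challenged for by '>RSA_SIGN'" reads awkwardly; "is currently requested with '>RSA_SIGN'" is clearer. That final paragraph should also say how a client can tell which of the two prompts it will receive, since the text says both will exist for a while, and it should be clear whether the old 'rsa-sig' response stays valid for '>RSA_SIGN' when the client answers '>PK_SIGN' with 'pk-sig'.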