[Openvpn-devel,0/3] Support external EC cert/key using --management-external-xxx

Message ID 1515959073-10376-1-git-send-email-selva.nair@gmail.com

Selva Nair Jan. 14, 2018, 8:44 a.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Hi,

For now this is only for openssl 1.1.0+. With some ifdefs and compat functions
it could be back-ported to 1.0.2.

For 1.0.1, hacks like duplicating the internal ECDSA_METHOD struct or linking
to internal headers appear to be required. Not interesting unless there is a
strong demand.

For mbedtls I've no idea how to hook into the ecdsa signing methods.

Tested on linux/openssl-1.1.0g by manually passing the signature to
management, with the signature generated on the command line by
'echo $rsa_sig_cut_n_paste | base64 -d | openssl pkeyutl -inkey keyfile | base64'

Doing something similar for cryptoapicert is in the works (actually that was the
objective, but this was obviously easier to test, lather, rinse)

Selva

Selva Nair (3):
  Refactor ssl_openssl.c in prep for external EC key support
  Allow external EC key through --management-external-key
  Document management request >ECDSA_SIGN and response ecdsa-sig

 doc/management-notes.txt  |  30 ++++++
 src/openvpn/manage.c      |  30 ++++++
 src/openvpn/manage.h      |   3 +
 src/openvpn/ssl_openssl.c | 234 +++++++++++++++++++++++++++++++++++++++++-----
 4 files changed, 273 insertions(+), 24 deletions(-)
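The manual test described in the cover letter, the external-signer side of the >ECDSA_SIGN / ecdsa-sig exchange, written out as a small script with a verification step added so the returned signature can be checked against the public key. This is an added example, not code from the patch series; it assumes the openssl CLI is in PATH, and the EC key and the digest it signs are constructed here.

```shell
#!/bin/sh
# Added example: simulate the external signer for --management-external-key
# with an EC key. OpenVPN sends a base64 digest in the >ECDSA_SIGN request;
# the client must answer with a base64 DER-encoded ECDSA signature (ecdsa-sig)
# produced by the key it holds outside OpenVPN.
# Assumptions: openssl CLI available; key and digest are constructed below.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed P-256 key standing in for the externally held private key.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key" 2>/dev/null
openssl ec -in "$WORK/ec.key" -pubout -out "$WORK/ec.pub" 2>/dev/null

# What the management interface would send: base64 of a SHA-256 digest.
make_sign_request() {
    printf 'constructed handshake transcript' | openssl dgst -sha256 -binary \
        | base64 | tr -d '\n'
}

# External signer: decode the request, sign the digest (pkeyutl does not hash
# again; its input is taken as the digest), return the base64 DER signature.
ecdsa_sign() {
    # $1 = base64 digest from the >ECDSA_SIGN request
    printf '%s' "$1" | base64 -d \
        | openssl pkeyutl -sign -inkey "$WORK/ec.key" | base64 | tr -d '\n'
}

# Check that an ecdsa-sig answer verifies against the public key.
# Prints 0 when the signature is valid for the digest, 1 otherwise.
ecdsa_verify() {
    # $1 = base64 digest, $2 = base64 DER signature
    printf '%s' "$1" | base64 -d > "$WORK/digest.bin"
    printf '%s' "$2" | base64 -d > "$WORK/sig.der"
    if openssl pkeyutl -verify -pubin -inkey "$WORK/ec.pub" \
        -in "$WORK/digest.bin" -sigfile "$WORK/sig.der" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

REQ=$(make_sign_request)
SIG=$(ecdsa_sign "$REQ")
echo "ecdsa-sig $SIG"
echo "verify result: $(ecdsa_verify "$REQ" "$SIG")"
```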