Core API change: External PKI sign requests now specify a signature

type string (sig_type) such as "RSA_RAW" or "RSA_SHA256". iOS plugin has been modified to support sig_type as well.
nikolalukovic · Dec 31, 2013 · 4e1279f · 4e1279f
1 parent baca5e0
commit 4e1279f
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 5 deletions.
diff --git a/client/ovpncli.cpp b/client/ovpncli.cpp
@@ -705,9 +705,10 @@ namespace openvpn {
 	}
     }
 
-    OPENVPN_CLIENT_EXPORT bool OpenVPNClient::sign(const std::string& data, std::string& sig)
+    OPENVPN_CLIENT_EXPORT bool OpenVPNClient::sign(const std::string& sig_type, const std::string& data, std::string& sig)
     {
       ExternalPKISignRequest req;
+      req.sig_type = sig_type;
       req.data = data;
       req.alias = state->external_pki_alias;
       external_pki_sign_request(req); // call out to derived class for RSA signature

diff --git a/client/ovpncli.hpp b/client/ovpncli.hpp
@@ -302,6 +302,7 @@ namespace openvpn {
     // used to request an RSA signature
     struct ExternalPKISignRequest : public ExternalPKIRequestBase
     {
+      std::string sig_type; // signature type
       std::string data;  // data rendered as base64 (client reads)
       std::string sig;   // RSA signature, rendered as base64 (client writes)
     };
@@ -439,7 +440,7 @@ namespace openvpn {
       static MergeConfig build_merge_config(const ProfileMerge&);
 
       // from ExternalPKIBase
-      virtual bool sign(const std::string& data, std::string& sig);
+      virtual bool sign(const std::string& sig_type, const std::string& data, std::string& sig);
 
       // disable copy and assignment
       OpenVPNClient(const OpenVPNClient&);

diff --git a/openvpn/pki/epkibase.hpp b/openvpn/pki/epkibase.hpp
@@ -19,7 +19,7 @@ namespace openvpn {
   public:
     // Sign data (base64) and return signature as sig (base64).
     // Return true on success or false on error.
-    virtual bool sign(const std::string& data, std::string& sig) = 0;
+    virtual bool sign(const std::string& sig_type, const std::string& data, std::string& sig) = 0;
   };
 }
 

diff --git a/openvpn/polarssl/ssl/sslctx.hpp b/openvpn/polarssl/ssl/sslctx.hpp
@@ -796,15 +796,52 @@ namespace openvpn {
     {
       PolarSSLContext *self = (PolarSSLContext *) arg;
       try {
-	if (mode == RSA_PRIVATE && hash_id == SIG_RSA_RAW)
+	if (mode == RSA_PRIVATE)
 	  {
+	    std::string sig_type;
+
+	    /* get signature type */
+	    switch (hash_id) {
+	    case SIG_RSA_RAW:
+	      sig_type = "RSA_RAW";
+	      break;
+	    case SIG_RSA_MD2:
+	      sig_type = "RSA_MD2";
+	      break;
+	    case SIG_RSA_MD4:
+	      sig_type = "RSA_MD4";
+	      break;
+	    case SIG_RSA_MD5:
+	      sig_type = "RSA_MD5";
+	      break;
+	    case SIG_RSA_SHA1:
+	      sig_type = "RSA_SHA1";
+	      break;
+	    case SIG_RSA_SHA224:
+	      sig_type = "RSA_SHA224";
+	      break;
+	    case SIG_RSA_SHA256:
+	      sig_type = "RSA_SHA256";
+	      break;
+	    case SIG_RSA_SHA384:
+	      sig_type = "RSA_SHA384";
+	      break;
+	    case SIG_RSA_SHA512:
+	      sig_type = "RSA_SHA512";
+	      break;
+	    default:
+	      OPENVPN_LOG_SSL("PolarSSLContext::epki_sign unrecognized hash_id, mode=" << mode
+			      << " hash_id=" << hash_id << " hashlen=" << hashlen);
+	      return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
+	    }
+
 	    /* convert 'hash' to base64 */
 	    ConstBuffer from_buf(hash, hashlen, true);
 	    const std::string from_b64 = base64->encode(from_buf);
 
 	    /* get signature */
 	    std::string sig_b64;
-	    const bool status = self->config.external_pki->sign(from_b64, sig_b64);
+	    const bool status = self->config.external_pki->sign(sig_type, from_b64, sig_b64);
 	    if (!status)
 	      throw polarssl_external_pki("could not obtain signature");