Hi,
> On Tue, Jan 16, 2018 at 5:40 PM, Arne Schwabe <[email protected]> wrote:
>> On 14.01.18 at 20:44, [email protected] wrote:
>>> From: Selva Nair <[email protected]>
>>>
>>> - This automatically supports EC certificates through
>>> --management-external-cert
>>> - EC signature request from management has the same format
>>> as for rsa with >RSA_SIGN replaced by >ECDSA_SIGN
>>> Response should be of the form 'ecdsa-sig' followed
>>> by DER encoded signature as base64 followed by 'END'
>>>
>>
snipped..
>>
>>> static void
>>> +man_ecdsa_sig(struct management *man)
>>> +{
>>> + struct man_connection *mc = &man->connection;
>>> + if (mc->ext_key_state == EKS_SOLICIT)
>>> + {
>>> + mc->ext_key_state = EKS_INPUT;
>>> + mc->in_extra_cmd = IEC_ECDSA_SIGN;
>>> + in_extra_reset(mc, IER_NEW);
>>> + }
>>> + else
>>> + {
>>> + msg(M_CLIENT, "ERROR: The ecdsa-sig command is not currently
>>> available");
>>> + }
>>> +}
>>> +
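Review bot: man_ecdsa_sig() has no comment explaining why the command is accepted only in the EKS_SOLICIT state, and the else branch reports just "not currently available". Since ext_key_state is the only gate between a management client and the signature input path, a short function comment stating that ecdsa-sig is valid only while a signature request is outstanding would help, and the error text could name that condition so a client author can tell an unsolicited reply from a malformed one.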
>>
>> This function is almost identical to man_rsa_sign. I would like to have
>> them both combined into one and then called by man_ecdsa_sig/man_rsa_sig.
Refactored code that addresses this and other suggestions is here
https://github.com/selvanair/openvpn/commits/external-ec-cert
(last 3 commits left unsquashed for now).
Will send in v2 after testing and squashing but comments welcome.
Regarding amending --management-external-cert command, better to
address it separately, so not handled here.
Also I'm toying with the idea of renaming ecdsa-sig/ECDSA-SIGN to
pkey-sig/PKEY-SIGN so that eventually we may be able to use it for
all types of keys and retire rsa-sig. Any thoughts on that?
Selva
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
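A structural check on the reply format described in the commit message ('ecdsa-sig', base64 of the DER signature, 'END'), as an added example that is not part of the patch or of OpenVPN. The function names are hypothetical, and it assumes the base64 text may be split over several lines.

```python
import base64
import binascii

# Constructed sample: DER SEQUENCE { INTEGER 1, INTEGER 2 }, not a real signature.
SAMPLE = ["ecdsa-sig", "MAYCAQECAQI=", "END"]

def _read_len(buf, i):
    """Return (length, next_index) for a DER definite length at buf[i]."""
    if i >= len(buf):
        raise ValueError("truncated length")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 2 or i + 1 + n > len(buf):
        raise ValueError("unsupported DER length")
    val = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if val < 0x80 or (n == 2 and val < 0x100):
        raise ValueError("non-minimal DER length")
    return val, i + 1 + n

def _read_int(buf, i):
    """Parse a positive DER INTEGER at buf[i]; return (value, next_index)."""
    if i >= len(buf) or buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    n, i = _read_len(buf, i + 1)
    body = buf[i:i + n]
    if n == 0 or len(body) != n or body[0] & 0x80:
        raise ValueError("bad INTEGER")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), i + n

def parse_ecdsa_sig_response(lines):
    """Validate ['ecdsa-sig', <base64...>, 'END'] and return (r, s)."""
    if len(lines) < 3 or lines[0].strip() != "ecdsa-sig" or lines[-1].strip() != "END":
        raise ValueError("not an ecdsa-sig ... END block")
    try:
        der = base64.b64decode("".join(l.strip() for l in lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    n, i = _read_len(der, 1)
    if i + n != len(der):
        raise ValueError("trailing or truncated data")
    r, i = _read_int(der, i)
    s, i = _read_int(der, i)
    if i != len(der) or r == 0 or s == 0:
        raise ValueError("malformed ECDSA-Sig-Value")
    return r, s
```

This only checks that the payload is a well-formed two-integer DER sequence; it does not verify the signature against a key or curve.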