Hi,

On Fri, Sep 24, 2021 at 7:13 AM Arne Schwabe <a...@rfc2549.org> wrote:

> On 24.09.21 at 00:54, Selva Nair wrote:
> > Hi,
> >
> >
> > from the management interface. But I haven't found the right
> > Signature
> > method from Java yet to actually sign it correctly:
> >
> > sig = Signature.getInstance("SHA256withRSA/PSS");
> >
> >
> > SHA256withRSA/PSS may be trying to first do Sha256 digest of the data
> > and then pad and sign. Instead try this: "NonewithRSASSA-PSS" or
> > "NonewithRSA/PSS"
>
> Yeah, that *would* be the correct algorithm for that. Unfortunately the
> Android Keystore does not support that one
> (
> https://developer.android.com/training/articles/keystore#SupportedSignatures
> )
>

We can treat management-external key as special and optionally provide the digest to sign. OpenSSL 3.0 with provider always seems to call DigestSign and never Sign directly, so we have the info.

I already have key->origin indication which was originally meant to distinguish between various external libraries -- in the end I simplified that a bit. So it's easy to treat management external key differently from other external keys. So for management it would be a digest_sign callback if "--management-external-key digest" is specified, or some such.

Harder part would be to get access to options->management_flags into xkey_helper.c -- I have tried to keep a max separation between it and the core and would like to keep it that way. Or make another ifdef for ANDROID... ahem.. I'll look into it.

Probably your app is the only --management-external-key "consumer" out there. We can even change the spec of PK_SIG and no one will notice..

> Manually adding the RSA/PSS padding and then signing with
> "RSA/ECB/NoPadding" like I did in OpenSSL 1.1 days works. But I would
> like to avoid implementing RSA/PSS myself, but the crypto libraries seem
> not to be helpful in providing an implementation for that.
>

Yeah, that's not good.

> But on the plus side, using that workaround the external key provider
> works with EC and RSA on Android.
>

Great!

Selva
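The workaround Arne describes, padding the digest by hand and then applying the private key with no padding, is easy to get subtly wrong (emBits is modBits - 1, the leftmost bits of maskedDB must be cleared, the salt length must match what the verifier expects). The following is an added example, written by the editor and not code from OpenVPN or from Arne's app: a pure-Python EMSA-PSS encode/verify per RFC 8017 section 9.1 with SHA-256, MGF1-SHA256 and saltLen = hLen (RSA_PSS_SALTLEN_DIGEST, the parameters OpenSSL uses for the TLS 1.3 rsa_pss_rsae_sha256 scheme), plus a raw RSA sign/verify so the result can be checked end to end. It takes the already computed digest as input, which is what the DigestSign path mentioned above delivers to the key provider. The Miller-Rabin key generation exists only so the example runs offline with a throwaway key; the sample message is constructed. In the Java port, the `em` bytes would be handed to the keystore's "RSA/ECB/NoPadding" operation instead of the `pow` call below.

```python
"""Hand-rolled RSASSA-PSS (RFC 8017, 8.1 and 9.1) over a raw private-key operation,
the workaround the thread describes: pad the digest yourself, then sign with no
padding (Java's "RSA/ECB/NoPadding").  Example code, not OpenVPN or ics-openvpn."""
import hashlib, hmac, os, random

H_LEN = 32                           # SHA-256; saltLen = hLen, i.e. RSA_PSS_SALTLEN_DIGEST
_hash = lambda data: hashlib.sha256(data).digest()

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017, B.2.1): Hash(seed || C) for C = 0, 1, ..., truncated to mask_len."""
    blocks = (mask_len + H_LEN - 1) // H_LEN
    return b"".join(_hash(seed + c.to_bytes(4, "big")) for c in range(blocks))[:mask_len]

def emsa_pss_encode(m_hash: bytes, em_bits: int, salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE (9.1.1) from an already computed digest, which is exactly what
    OpenSSL's DigestSign hands a key provider.  em_bits is modBits - 1.  A fixed salt
    is accepted only to make the test deterministic; real callers leave it None."""
    em_len = (em_bits + 7) // 8
    if len(m_hash) != H_LEN:
        raise ValueError("m_hash must be a SHA-256 digest")
    if em_len < 2 * H_LEN + 2:
        raise ValueError("encoding error: modulus too small for hLen + sLen + 2")
    salt = os.urandom(H_LEN) if salt is None else salt
    if len(salt) != H_LEN:
        raise ValueError("salt must be hLen bytes")
    h = _hash(b"\x00" * 8 + m_hash + salt)                    # H = Hash(M'), M' = 0^8 || mHash || salt
    db = b"\x00" * (em_len - 2 * H_LEN - 2) + b"\x01" + salt  # DB = PS || 0x01 || salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)            # clear the top 8*emLen - emBits bits
    return bytes(masked_db) + h + b"\xbc"                      # EM = maskedDB || H || 0xbc

def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int) -> bool:
    """EMSA-PSS-VERIFY (9.1.2): unmask DB, recover the salt, recompute H and compare."""
    em_len = (em_bits + 7) // 8
    if len(m_hash) != H_LEN or len(em) != em_len or em_len < 2 * H_LEN + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] >> (8 - top_bits):                         # leftmost bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - 2 * H_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    return hmac.compare_digest(h, _hash(b"\x00" * 8 + m_hash + bytes(db[ps_len + 1:])))

def _probable_prime(bits: int, rng) -> int:
    """Miller-Rabin search, good enough for a throwaway demo key, not for real ones."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(16):
            x = pow(rng.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break                                          # witness found: composite
        else:
            return n

def rsa_keygen(bits: int, seed: int = None):
    """Return (n, e, d) for a demo key; a seed makes it reproducible, None uses the OS RNG."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    e = 65537                                                  # prime, so gcd(e, phi) != 1 iff e | phi
    while True:
        p, q = _probable_prime(bits // 2, rng), _probable_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def rsassa_pss_sign(m_hash: bytes, n: int, d: int, salt: bytes = None) -> bytes:
    """RSASSA-PSS-SIGN (8.1.1): encode for modBits - 1 bits, then s = EM^d mod n."""
    em = emsa_pss_encode(m_hash, n.bit_length() - 1, salt)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsassa_pss_verify(m_hash: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PSS-VERIFY (8.1.2): m = s^e mod n must fit in emLen octets, then EMSA verify."""
    if len(sig) != (n.bit_length() + 7) // 8:
        return False
    m, em_len = pow(int.from_bytes(sig, "big"), e, n), (n.bit_length() + 6) // 8
    if m.bit_length() > 8 * em_len:
        return False
    return emsa_pss_verify(m_hash, m.to_bytes(em_len, "big"), n.bit_length() - 1)
```

Two things worth checking against whatever keystore does the raw operation: the encoded message is emLen = ceil((modBits - 1)/8) octets with its top bit cleared, so for a 2048-bit key it is 256 bytes starting below 0x80 and is always numerically smaller than the modulus; and a verifier that uses a different salt length (for example RSA_PSS_SALTLEN_MAX) will reject a signature made with saltLen = hLen, so the encoding here is only correct for peers negotiating the TLS 1.3 style PSS parameters.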
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel