Hi Arne,

On Fri, Sep 24, 2021 at 8:48 AM Selva Nair <selva.n...@gmail.com> wrote:

> Hi,
>
> On Fri, Sep 24, 2021 at 7:13 AM Arne Schwabe <a...@rfc2549.org> wrote:
>
>> On 24.09.21 at 00:54, Selva Nair wrote:
>> > Hi,
>> >
>> >
>> >     from the management interface. But I haven't found the right
>> >     Signature
>> >     method from java yet to actually sign it correctly:
>> >
>> >     sig = Signature.getInstance("SHA256withRSA/PSS");
>> >
>> >
>> > SHA256withRSA/PSS may be trying to first do Sha256 digest of the data
>> > and then pad and sign. Instead try this: "NonewithRSASSA-PSS" or
>> > "NonewithRSA/PSS"
>>
>> Yeah, that *would* be the correct algorithm for that. Unfortunately the
>> Android Keystore does not support that one
>> (
>> https://developer.android.com/training/articles/keystore#SupportedSignatures
>> )
>>
>
> We can treat management-external key as special and optionally provide the
> digest to sign. OpenSSL 3.0 with provider always seems to call DigestSign
> and never Sign directly so we have the info.
>

Turns out to be easier than I thought. I have added a patch to optionally send the undigested message to the management client. Indicate support for digesting operation in --management-external-key and you get the message to sign with data=message. See the commit message.

It's in https://github.com/selvanair/openvpn/tree/xkey-provider-v3 (only compile tested).

Selva

PS. I'm supposed to be holidaying, but basking in LCD glow instead of sun..
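
The double-hashing problem discussed in this thread, shown as an added example that is not code from the thread or from OpenVPN: a signer that digests internally produces a valid signature only when it is handed the undigested message. It uses the standard JDK 11+ algorithm name "RSASSA-PSS" with explicit SHA-256 parameters as a stand-in for the "SHA256withRSA/PSS" name quoted above; the class name, salt length and sample message are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class PssDigestDemo {
    // Assumed parameters: SHA-256, MGF1 with SHA-256, 32-byte salt, trailer field 1.
    static final PSSParameterSpec PSS_SHA256 =
        new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    // The signer hashes its input with SHA-256 itself, then pads and signs.
    static byte[] sign(PrivateKey key, byte[] input) throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(PSS_SHA256);
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    // The peer always verifies against the original message.
    static boolean verify(PublicKey key, byte[] message, byte[] sig)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("RSASSA-PSS");
        v.setParameter(PSS_SHA256);
        v.initVerify(key);
        v.update(message);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample input, not real TLS handshake data.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(message);

        // Case 1: client receives a precomputed digest; the signer hashes it again.
        byte[] sigOverDigest = sign(kp.getPrivate(), digest);
        // Case 2: client receives the undigested message; the signer hashes once.
        byte[] sigOverMessage = sign(kp.getPrivate(), message);

        System.out.println("digest handed to signer verifies:  "
            + verify(kp.getPublic(), message, sigOverDigest));
        System.out.println("message handed to signer verifies: "
            + verify(kp.getPublic(), message, sigOverMessage));
    }
}
```

The first signature fails verification because it covers SHA-256(SHA-256(message)); the second verifies.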