Document that RSA_SIGN can also request TLS 1.2 signatures

Ever since we support TLS 1.2 (OpenVPN 2.3.3+), the RSA_SIGN might not
only request MD5-SHA1 'TLS signatures', but also other variants.
Document this by updating the implementation hints, and explicitly
stating that we expect a PKCS#1 1.5 signature.

Trac: #764
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1482705505-20302-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13714.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 1e36b814073c0f56c77e4922cc105f00b8558e7e)

diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index dd870ebc75a5f69f1e8ebd8c6ef3500bf7640bc3..29c3aadf2ab069ddd692aac46198b72fcc908196 100644 (file)
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -773,8 +773,9 @@ via a notification as follows:
 
 >RSA_SIGN:[BASE64_DATA]
 
-The management interface client should then sign BASE64_DATA
-using the private key and return the SSL signature as follows:
+The management interface client should then create a PKCS#1 v1.5 signature of
+the (decoded) BASE64_DATA using the private key and return the SSL signature as
+follows:
 
 rsa-sig
 [BASE64_SIG_LINE]
@@ -783,8 +784,8 @@ rsa-sig
 .
 END
 
-Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a
-correct signature.
+Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign()
+(mbed TLS) will provide a correct signature.
 
 This capability is intended to allow the use of arbitrary cryptographic
 service providers with OpenVPN via the management interface.