Refuse mbed TLS external key with non RSA certificates
authorArne Schwabe <arne@rfc2549.org>
Mon, 8 Oct 2018 21:41:23 +0000 (23:41 +0200)
committerDavid Sommerseth <davids@openvpn.net>
Tue, 16 Oct 2018 20:07:19 +0000 (22:07 +0200)
The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC key together with
mbed TLS and an external key in OpenVPN will fail very late with a
rather obscure error message.

Instead fail early and provide a clear message that only RSA keys are
supported.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
src/openvpn/ssl_mbedtls.c

index 3a0b5641cfe1ef3e3dfb786592fc25168c2a7cb6..f7e8c2d084d2da1b526eb91bc4f791facfcca83b 100644 (file)
@@ -604,6 +604,13 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
         return 1;
     }
 
+    if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
+    {
+        msg(M_WARN, "ERROR: external key with mbed TLS requires a "
+                     "certificate with an RSA key.");
+        return 1;
+    }
+
     ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk);
     ctx->external_key.sign = sign_func;
     ctx->external_key.sign_ctx = sign_ctx;
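Review bot: The new rejection branch at the `mbedtls_pk_get_type` check reports only that an RSA key is required, not which key type the certificate actually carries, so an operator debugging a mismatched certificate gets no hint from the log; mbed TLS already exposes the name via `mbedtls_pk_get_name`, e.g. `msg(M_WARN, "ERROR: external key with mbed TLS requires a certificate with an RSA key (certificate key type is %s).", mbedtls_pk_get_name(&ctx->crt_chain->pk));`. The dereference of `ctx->crt_chain->pk` presumes `ctx->crt_chain` was validated by the branch ending at the `return 1;` just above the hunk, which appears to be the case but is not visible here. tls_ctx_use_external_signing_func begins and ends outside this hunk.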