[openssl-users] X509 subject public key id-RSASSA-PSS
weber at infotech.de
weber at infotech.de
Tue Jun 27 10:28:52 UTC 2017
Am 26.06.2017 um 22:30 schrieb Benjamin Kaduk:
> On 06/25/2017 03:06 PM, weber at infotech.de wrote:
>> Dear OpenSSSL users,
>>
>> we recently came across a certificate with OID: id-RSASSA-PSS aka
>> rsassaPss in x509 subjects public key AlgorithmIdentifier.
>>
>> According to rfc4056 it is legitimate to use rsaEncryption or
>> id-RSASSA-PSS as OID for the subject public key.
>>
>> But when listing the certs's contents or during verification, openssl
>> v1.0.2h bails out:
>>> 12392:error:0609E09C:digital envelope
>>> routines:PKEY_SET_TYPE:unsupported algorithm:.\crypto\evp\p_lib.c:231:
>>> 12392:error:0B07706F:x509 certificate
>>> routines:X509_PUBKEY_get:unsupported
>>> algorithm:.\crypto\asn1\x_pubkey.c:148:
>> which is caused by failing to assign the proper ameth structure to
>> the key.
>>
>> Later in x_pubkey.c, only the method pub_decode is needed, which
>> seems to work for rsassa pubkeys.
>> So may we assign the same methods associated to rsaEncryption in this
>> case or are we breaking other functionality by doing so?
>
> It might be more interesting to just try using the current OpenSSL
> master branch (or a snapshot), which has more proper RSA-PSS support.
>
> -Ben
It's absolutely the same with Version 1.0.2l.
Due to time limitation we avoid updating to 1.1.0 as we assume that
there will be several adaptations neccessary ...
-- Christian Weber
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170627/91a72025/attachment-0001.html>
More information about the openssl-users
mailing list