<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 26.06.2017 at 22:30, Benjamin Kaduk wrote:<br>
<blockquote type="cite"
cite="mid:4f12100c-9c5e-f4ef-2b37-4f3074b06bda@akamai.com">
On 06/25/2017 03:06 PM, <a class="moz-txt-link-abbreviated"
href="mailto:weber@infotech.de" moz-do-not-send="true">weber@infotech.de</a>
wrote:<br>
<blockquote type="cite"
cite="mid:a0cff93b-f23c-631e-580c-ffc0ab595115@infotech.de">Dear
OpenSSL users, <br>
<br>
we recently came across a certificate with OID: id-RSASSA-PSS
aka rsassaPss in x509 subject's public key AlgorithmIdentifier. <br>
<br>
According to rfc4056 it is legitimate to use rsaEncryption or
id-RSASSA-PSS as OID for the subject public key. <br>
<br>
But when listing the cert's contents or during verification,
openssl v1.0.2h bails out: <br>
<blockquote type="cite">12392:error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported
algorithm:.\crypto\evp\p_lib.c:231: <br>
12392:error:0B07706F:x509 certificate
routines:X509_PUBKEY_get:unsupported
algorithm:.\crypto\asn1\x_pubkey.c:148: <br>
</blockquote>
which is caused by failing to assign the proper ameth structure
to the key. <br>
<br>
Later in x_pubkey.c, only the method pub_decode is needed, which
seems to work for rsassa pubkeys. <br>
So may we assign the same methods associated to rsaEncryption in
this case or are we breaking other functionality by doing so? <br>
</blockquote>
<br>
It might be more interesting to just try using the current OpenSSL
master branch (or a snapshot), which has more proper RSA-PSS
support.<br>
<br>
-Ben<br>
</blockquote>
<br>
It's absolutely the same with Version 1.0.2l. <br>
Due to time limitations we avoid updating to 1.1.0 as we assume that
there will be several adaptations necessary ...<br>
<br>
-- Christian Weber<br>
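<br>
Added example (not part of the thread and not OpenSSL code): a minimal DER walk that reads the algorithm OID from a certificate's subjectPublicKeyInfo, so certificates keyed with id-RSASSA-PSS (1.2.840.113549.1.1.10) can be identified before they reach a build that rejects them. The helper names and <code>sample_cert</code>, which builds a constructed, unsigned skeleton rather than a real certificate, are assumptions of this example.<br>

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
RSASSA_PSS = "1.2.840.113549.1.1.10"       # id-RSASSA-PSS

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes into dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def spki_algorithm_oid(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm."""
    _, pos, _ = read_tlv(cert_der, 0)
    _, pos, tbs_end = read_tlv(cert_der, pos)
    fields = []
    while pos < tbs_end:
        tag, start, end = read_tlv(cert_der, pos)
        fields.append((tag, start))
        pos = end
    if fields[0][0] == 0xA0:               # optional [0] version
        fields.pop(0)
    # remaining order: serial, signature, issuer, validity, subject, SPKI
    _, alg_start, _ = read_tlv(cert_der, fields[5][1])
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])

def _tlv(tag, body):                       # short-form encoder, sample data only
    return bytes([tag, len(body)]) + body

def sample_cert(oid_body):
    """Constructed, unsigned skeleton with empty names; not a real certificate."""
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, oid_body)) + _tlv(0x03, b"\x00"))
    empty = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty * 4 + spki)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))
```
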
</body>
</html>