<div dir="ltr">Thanks for the detailed explanation.<div><br></div><div>So rsaEncryption cert can do both RSASSA-PKCS-v1_5 and RSASSA-PSS type signature. And also the digital signature present on the cert can be of type RSASSA-PKCS-v1_5 or RSASSA-PSS.</div><div><br></div><div>Currently in 1.1.1c's has_usable_cert() function, digital signature (Issuer's signature) present on rsaEncryption cert type is not checked. So if TLS1.3 client sends rsa_pss_rsae_xxx in "signature_algorithm" extension and if the server's rsaEncrypted cert has digital signature of type RSASSA-PKCS-v1_5, then it should not use that certificate but it is using currently.</div><div><br></div><div>And also the hash algorithm used on rsaEncryption cert's digital signature is not checked with "signature_algorithm" extension received from client. If TLS1.3 client sends rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512 in "signature_algorithm" extension, and if server has a rsaEncrypted cert with signature of type rsa_pss_rsae_sha256 then it should not use that certificate, but it is using currently.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 6, 2019 at 9:11 PM Matt Caswell <<a href="mailto:matt@openssl.org">matt@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 06/06/2019 16:15, Raja Ashok wrote:<br>
> Hi,<br>
> <br>
> Currently has_usable_cert() function is called on tls_choose_sigalg() to find<br>
> out the suitable certificate available. But currently rsa_pkcs1_xxx and<br>
> rsa_pss_rsae_xxx certs are stored on same index SSL_PKEY_RSA. Because of this it<br>
> may ends in choosing rsa_pkcs1_xxx cert for rsa_pss_rsae_xxx extension. Is this<br>
> behaviour correct ?<br>
<br>
There are two things to consider:<br>
<br>
1) The OID in the RSA cert, which can be one of rsaEncryption or RSASSA-PSS. The<br>
former is for "traditional" RSA certs, whilst the latter *only* allows use of<br>
the key for signing (it cannot be used for encryption).<br>
<br>
2) The type of signing in use, e.g. RSASSA-PKCS-v1_5 or RSASSA-PSS.<br>
<br>
rsaEncryption certs are capable of doing *either* form of signing, whilst<br>
RSASSA-PSS certs can only do PSS signing.<br>
<br>
We store rsaEncryption certs under the SSL_PKEY_RSA index, and RSASSA-PSS certs<br>
under the SSL_PKEY_RSA_PSS_SIGN index.<br>
<br>
TLSv1.2 and below signs handshake messages using PKCS v1.5. which corresponds to<br>
these signature algorithms:<br>
<br>
rsa_pkcs1_sha256(0x0401)<br>
rsa_pkcs1_sha384(0x0501)<br>
rsa_pkcs1_sha512(0x0601)<br>
<br>
These sig algs cannot be used in TLSv1.3 for signing handshake messages,<br>
although they may appear in a ClientHello for backwards compatibility with<br>
TLSv1.2. You can only use these sig algs with "traditional" RSA certs (not PSS<br>
RSA certs).<br>
<br>
TLSv1.3 signs handshake messages using PSS which corresponds to these signature<br>
algorithms for "traditional" (rsaEncryption) certs:<br>
<br>
rsa_pss_rsae_sha256(0x0804)<br>
rsa_pss_rsae_sha384(0x0805)<br>
rsa_pss_rsae_sha512(0x0806)<br>
<br>
Or these signature algorithms for PSS certs:<br>
<br>
rsa_pss_pss_sha256(0x0809)<br>
rsa_pss_pss_sha384(0x080a)<br>
rsa_pss_pss_sha512(0x080b)<br>
<br>
Therefore it is perfectly correct behaviour that a cert stored under the<br>
SSL_PKEY_RSA index could be used for signing handshake message using either<br>
rsa_pkcs1_xxx or for rsa_pss_rsae_xxx. The former is used in TLSv1.2 and the<br>
latter is used in TLSv1.3.<br>
<br>
Matt<br>
</blockquote></div>