[openssl-dev] certificate signing using rsa pss algorithm?
weber at infotech.de
Mon Nov 16 12:14:52 UTC 2015
Thanks for your reply.
On 12.11.2015 at 18:45, Stefan.Neis at t-online.de wrote:
> Hi,
>
> You might want to upgrade to OpenSSL-1.0.2 which seems to support the
> RSA PSS algorithm, see https://openssl.org/news/changelog.html#x5.
>
> Regards,
> Stefan
...
We are up to the most current version, i.e. OpenSSL 1.0.2d 9 Jul
2015.
Trying the commandline tool
> openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -out
> rca.pubcert.pem -keyout rca.privkey.pem -pkeyopt rsa_padding_mode:pss
> -pkeyopt rsa_pss_saltlen:-2 -passin pass:
... leads to ...
> Loading 'screen' into random state - done
> parameter error "rsa_padding_mode:pss"
> 10584:error:0408F090:rsa routines:PKEY_RSA_CTRL:illegal or unsupported
> padding mode:.\crypto\rsa\rsa_pmeth.c:517:
> 10584:error:06089093:digital envelope
> routines:EVP_PKEY_CTX_ctrl:command not
> supported:.\crypto\evp\pmeth_lib.c:405:
...
Since we found explicit exclusion of PSS padding for cert signing in
.\crypto\rsa\rsa_pmeth.c:501, we guess PSS signing of certificates is
currently not officially supported.
So we've just asked for the reason why, since we're looking for
certificates which may satisfy security needs for decades.
Regards
--
Christian Weber
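
Added example, not part of the original post and not OpenSSL project code: in the `req` tool, `-pkeyopt` options are applied to key generation for `-newkey`, while signature parameters are passed with `-sigopt`. The sketch below passes the PSS settings that way and reads back the signature algorithm of the resulting certificate next to a default one; the subject, the file names, the helper function names and the `-1` salt length (salt length equal to the digest length) are choices made for this example.

```shell
#!/bin/sh
# Added example: self-signed certificates with and without RSASSA-PSS.
# Subject and file names are constructed for this example.

# make_cert DIR NAME [extra req options...]
# Writes DIR/NAME.key.pem and DIR/NAME.cert.pem.
make_cert() {
    dir=$1; name=$2; shift 2
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -newkey rsa:2048 \
        -subj "/CN=Example $name root" \
        -keyout "$dir/$name.key.pem" \
        -out "$dir/$name.cert.pem" \
        "$@" 2>/dev/null
}

# cert_sig_alg CERT: print the certificate's signature algorithm name.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' |
        head -n 1
}

# verify_self_signed CERT: check the signature against the cert's own key.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

if tmp=$(mktemp -d); then
    # Default signature padding (PKCS#1 v1.5).
    make_cert "$tmp" v15
    # PSS padding requested as a signature option, not a key option.
    make_cert "$tmp" pss \
        -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1
    echo "v15: $(cert_sig_alg "$tmp/v15.cert.pem")"
    echo "pss: $(cert_sig_alg "$tmp/pss.cert.pem")"
    rm -rf "$tmp"
fi
```
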