[openssl-users] X509 subject public key id-RSASSA-PSS

weber at infotech.de weber at infotech.de
Sun Jun 25 20:06:10 UTC 2017

Dear OpenSSSL users,

we recently came across a certificate with OID: id-RSASSA-PSS aka 
rsassaPss in x509 subjects public key AlgorithmIdentifier.

According to rfc4056 it is legitimate to use rsaEncryption or 
id-RSASSA-PSS as OID for the subject public key.

But when listing the certs's contents or during verification, openssl 
v1.0.2h bails out:
> 12392:error:0609E09C:digital envelope 
> routines:PKEY_SET_TYPE:unsupported algorithm:.\crypto\evp\p_lib.c:231:
> 12392:error:0B07706F:x509 certificate 
> routines:X509_PUBKEY_get:unsupported 
> algorithm:.\crypto\asn1\x_pubkey.c:148:
which is caused by failing to assign the proper ameth structure to the key.

Later in x_pubkey.c, only the method pub_decode is needed, which seems 
to work for rsassa pubkeys.
So may we assign the same methods associated to rsaEncryption in this 
case or are we breaking other functionality by doing so?

Christian Weber

More information about the openssl-users mailing list