[openssl-users] X509 subject public key id-RSASSA-PSS

weber at infotech.de weber at infotech.de
Tue Jun 27 10:28:52 UTC 2017


Am 26.06.2017 um 22:30 schrieb Benjamin Kaduk:
> On 06/25/2017 03:06 PM, weber at infotech.de wrote:
>> Dear OpenSSSL users,
>>
>> we recently came across a certificate with OID: id-RSASSA-PSS aka 
>> rsassaPss in x509 subjects public key AlgorithmIdentifier.
>>
>> According to rfc4056 it is legitimate to use rsaEncryption or 
>> id-RSASSA-PSS as OID for the subject public key.
>>
>> But when listing the certs's contents or during verification, openssl 
>> v1.0.2h bails out:
>>> 12392:error:0609E09C:digital envelope 
>>> routines:PKEY_SET_TYPE:unsupported algorithm:.\crypto\evp\p_lib.c:231:
>>> 12392:error:0B07706F:x509 certificate 
>>> routines:X509_PUBKEY_get:unsupported 
>>> algorithm:.\crypto\asn1\x_pubkey.c:148:
>> which is caused by failing to assign the proper ameth structure to 
>> the key.
>>
>> Later in x_pubkey.c, only the method pub_decode is needed, which 
>> seems to work for rsassa pubkeys.
>> So may we assign the same methods associated to rsaEncryption in this 
>> case or are we breaking other functionality by doing so?
>
> It might be more interesting to just try using the current OpenSSL 
> master branch (or a snapshot), which has more proper RSA-PSS support.
>
> -Ben

It's absolutely the same with Version 1.0.2l.
Due to time limitation we avoid updating to 1.1.0 as we assume that 
there will be several adaptations neccessary ...

-- Christian Weber
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170627/91a72025/attachment-0001.html>


More information about the openssl-users mailing list