On 06/25/2017 03:06 PM, weber@xxxxxxxxxxx wrote:
Dear
OpenSSSL users,
we recently came across a certificate with OID: id-RSASSA-PSS aka
rsassaPss in x509 subjects public key AlgorithmIdentifier.
According to rfc4056 it is legitimate to use rsaEncryption or
id-RSASSA-PSS as OID for the subject public key.
But when listing the certs's contents or during verification,
openssl v1.0.2h bails out:
12392:error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported
algorithm:.\crypto\evp\p_lib.c:231:
12392:error:0B07706F:x509 certificate
routines:X509_PUBKEY_get:unsupported
algorithm:.\crypto\asn1\x_pubkey.c:148:
which is caused by failing to assign the proper ameth structure to
the key.
Later in x_pubkey.c, only the method pub_decode is needed, which
seems to work for rsassa pubkeys.
So may we assign the same methods associated to rsaEncryption in
this case or are we breaking other functionality by doing so?
It might be more interesting to just try using the current OpenSSL
master branch (or a snapshot), which has more proper RSA-PSS
support.
-Ben
|
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
