Re: RSA-PSS Certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 26/10/2017 03:30, Steven Madwin via openssl-users wrote:

Starting with the definition of the subjectPublicKeyInfo from RFC 5280, Section 4.1 – Basic Certificate fields we see that the entry contains two items:

SubjectPublicKeyInfo ::= SEQUENCE {

algorithm AlgorithmIdentifier,

subjectPublicKey BIT STRING }

In RFC 4055 - Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, Section 3 it states, “CAs that use the RSASSA-PSS algorithm for signing certificates SHOULD include RSASSA-PSS-params in the subjectPublicKeyInfo algorithm parameters in their own certificates.”

This all leads to me wondering if anyone is aware if there is a plan afoot to add the option of including the RSA-PSS params as a third item in the Subject Public Key Info entry in a future version of OpenSSL?


In the X.509 standard, "AlgorithmIdentifier" is itself a structure (see
for example RFC5280 section 4.1.1.2).  The RSASSA-PSS-params is the
second element of that structure.  See RFC4055 section 6 for some (bad)
examples of AlgorithmIdentifier values, such as

rSASSA-PSS-SHA512-Identifier  AlgorithmIdentifier  ::=  {
                              algorithm id-RSASSA-PSS,
                              parameters rSSASSA-PSS-SHA512-params }

rSSASSA-PSS-SHA512-params RSASSA-PSS-params ::= {
                              hashAlgorithm sha512Identifier,
                              maskGenAlgorithm mgf1SHA512Identifier,
                              saltLength 20,
                              trailerField 1  }


-- Note: The saltLength should be 64, not 20, for
--    rSSASSA-PSS-SHA512-param, see RFC4055 section 3.1


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux