Thanks. Now all I need to do is figure out what parameter to pass the req or ca command to get the get the subject key info to accept the new algorithm. -----Original Message----- From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Jakob Bohm Sent: Wednesday, October 25, 2017 6:49 PM To: openssl-users@xxxxxxxxxxx Subject: Re: RSA-PSS Certificate On 26/10/2017 03:30, Steven Madwin via openssl-users wrote: > > Starting with the definition of the subjectPublicKeyInfo from RFC > 5280, Section 4.1 ? Basic Certificate fields we see that the entry > contains two items: > > SubjectPublicKeyInfo ::= SEQUENCE { > > algorithm AlgorithmIdentifier, > > subjectPublicKey BIT STRING } > > In RFC 4055 - Additional Algorithms and Identifiers for RSA > Cryptography for use in the Internet X.509 Public Key Infrastructure > Certificate and Certificate Revocation List (CRL) Profile, Section 3 > it states, ?CAs that use the RSASSA-PSS algorithm for signing > certificates SHOULD include RSASSA-PSS-params in the > subjectPublicKeyInfo algorithm parameters in their own certificates.? > > This all leads to me wondering if anyone is aware if there is a plan > afoot to add the option of including the RSA-PSS params as a third > item in the Subject Public Key Info entry in a future version of OpenSSL? > In the X.509 standard, "AlgorithmIdentifier" is itself a structure (see for example RFC5280 section 4.1.1.2). The RSASSA-PSS-params is the second element of that structure. See RFC4055 section 6 for some (bad) examples of AlgorithmIdentifier values, such as rSASSA-PSS-SHA512-Identifier AlgorithmIdentifier ::= { algorithm id-RSASSA-PSS, parameters rSSASSA-PSS-SHA512-params } rSSASSA-PSS-SHA512-params RSASSA-PSS-params ::= { hashAlgorithm sha512Identifier, maskGenAlgorithm mgf1SHA512Identifier, saltLength 20, trailerField 1 } -- Note: The saltLength should be 64, not 20, for -- rSSASSA-PSS-SHA512-param, see RFC4055 section 3.1 Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.wisemo. com&data=02%7C01%7C%7C1c955d8fda014c805e2e08d51c13ca2d%7Cfa7b1b5a7b34438794a ed2c178decee1%7C0%7C0%7C636445793698999630&sdata=izbl%2F1JP%2BpWj616mFxiNAaO frEFAXrD6JIXjFw7L%2FdY%3D&reserved=0 Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmta.openssl .org%2Fmailman%2Flistinfo%2Fopenssl-users&data=02%7C01%7C%7C1c955d8fda014c80 5e2e08d51c13ca2d%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C63644579369899 9630&sdata=rOOgAhtfdLrxpnua8Ncipz4poNQ6O8X%2FFQFID2API5c%3D&reserved=0
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
