Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose PKCS_RSA_PSS_SHA256 for CSR generation #272

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from

Commits on Jun 3, 2024

  1. Expose PKCS_RSA_PSS_SHA256 for CSR generation

    Make PKCS_RSA_PSS_SHA256 a publicly accessible algorithm so that
    CSRs can be created for RSA PSS.
    
    The default salt_len value for RSA PSS SHA256 is the current value,
    20.
    However, the only application that we currently know can use the
    generated RSA PSS CSRs is Parsec https://github.com/parallaxsecond/parsec
    which requires a salt length of 32 to work with OPENSSL.
    
     * Change this value to 32 to be compatible with OpenSSL.
    
    On this topic, the spec states:
    "When signing, it is RECOMMENDED that the parameters, except for
    possibly saltLength, remain fixed for all usages of a given RSA key
    pair"; and this is the value we are changing.
    
    Signed-off-by: Tomás González <[email protected]>
    tgonzalezorlandoarm committed Jun 3, 2024
    Configuration menu
    Copy the full SHA
    95801d8 View commit details
    Browse the repository at this point in the history
  2. Add PKCS_RSA_PSS_SHA384 _SHA512 variants

    A previous commit has added PKCS_RSA_PSS_SHA256 and made it publicly
    available.
    
     * Replicate the same behaviour for PKCS_RSA_PSS_SHA384 and
       PKCS_RSA_PSS_SHA512
    
    Signed-off-by: Tomás González <[email protected]>
    tgonzalezorlandoarm committed Jun 3, 2024
    Configuration menu
    Copy the full SHA
    c040537 View commit details
    Browse the repository at this point in the history
  3. [TEMP] tests/openssl: Enable PKCS_RSA_PSS_SHA256 certificate tests

    Only enable PKCS_RSA_PSS_SHA256 and not the rest of the variants as
    the tests for that are currently failing. Use aws_lc_rs for testing
    as supposedly this one does support PSS keys while ring does not.
    
     * Fix a logic error in the test in which verify_cert_basic was being
       run when verify_cert should have been and viceversa.
    
    Signed-off-by: Tomás González <[email protected]>
    tgonzalezorlandoarm committed Jun 3, 2024
    Configuration menu
    Copy the full SHA
    f571744 View commit details
    Browse the repository at this point in the history