OpenSSL::PKey::PKey subclass for EVP_PKEY_RSA_PSS
I had the same problem (see https://github.com/ruby/openssl/issues/562) when opening a key and got the error OpenSSL::PKey::RSAError: incorrect pkey type: RSASSA-PSS.
So I used the mentioned method and called OpenSSL::PKey.read.
But now I have a problem signing a JWT with the RSASSA-PSS algorithm:
JWT.encode({}, key, "ps256")
# This returns:
# NoMethodError: undefined method `sign_pss' for #<OpenSSL::PKey::PKey oid=RSASSA-PSS>
You can currently use OpenSSL::PKey::PKey#sign to do RSA-PSS without needing the RSA#sign_pss. The test code may be useful for you today: https://github.com/ruby/openssl/blob/9569999f7654dd369181f53dae5481429042dcc2/test/openssl/test_pkey_rsa.rb#L96-L116
I wonder if we could add a PKey class for EVP_PKEY_RSA_PSS. I think #sign_pss and #verify_pss should just work on the pkey object decoded from PKCS#8.
EVP_PKEY_RSA_PSS seems to be just a variant of EVP_PKEY_RSA that contains default parameters for RSA-PSS and is locked to RSA-PSS operations.
I'm having the same issue. I'm trying to sign a JWT with an RSASSA-PSS private key (created with openssl req -newkey rsa-pss).
Not sure I follow the suggestion. Using #sign instead of #sign_pss does not work.
# jwt-2.7.1/lib/jwt/algos/ps.rb:19
key.sign(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
Throws:
OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "salt_length", "digest"): command not supported ([action:2, state:4] name=salt_length, value=digest)
@Anstuhrm Did you manage to work around this?
It does seem to work with:
key.sign(translated_algorithm, msg)
I have no idea what I'm doing here, frankly. Can someone elaborate?
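The workaround the maintainer points at (OpenSSL::PKey::PKey#sign with EVP_PKEY_CTX ctrl-string options instead of RSA#sign_pss) and the reason the jwt gem's call fails (it passes RSA#sign_pss keywords such as salt_length, which PKey#sign does not understand, hence the "command not supported" error) are illustrated in this added example; it is not code from the thread, ruby/openssl or ruby-jwt. It builds and checks a PS256 JWS by hand with an ordinary RSA key so it runs anywhere with openssl gem 3.0 or newer; the same sign/verify calls apply unchanged to the OpenSSL::PKey::PKey object that OpenSSL::PKey.read returns for an RSASSA-PSS key, because they go through the generic EVP interface rather than the RSA subclass.

```ruby
require "openssl"
require "base64"
require "json"

# Ctrl-string options for PKey#sign / PKey#verify (the names OpenSSL's
# EVP_PKEY_CTX_ctrl_str accepts), not the salt_length:/mgf1_hash: keywords
# of RSA#sign_pss. JWS PS256 requires salt length == digest length and
# MGF1 with the same hash as the message digest (RFC 7518, section 3.5).
PSS_OPTS = {
  "rsa_padding_mode" => "pss",
  "rsa_pss_saltlen"  => "digest",
  "rsa_mgf1_md"      => "SHA256"
}.freeze

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Load the key the way the thread does: OpenSSL::PKey.read accepts both a
# plain RSA PEM and a PKCS#8 RSASSA-PSS PEM (the latter yields a bare PKey).
def load_key(pem)
  OpenSSL::PKey.read(pem)
end

# Returns a compact JWS "header.payload.signature" signed with RSA-PSS/SHA-256.
def ps256_sign(key, header, payload)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign("SHA256", signing_input, PSS_OPTS)
  "#{signing_input}.#{b64url(signature)}"
end

# Verifies the signature over the first two segments; false on any mismatch
# (tampered payload, wrong key, or a PKCS#1 v1.5 signature presented as PSS).
def ps256_verify(pub, jwt)
  h, p, s = jwt.split(".")
  return false unless h && p && s
  pub.verify("SHA256", Base64.urlsafe_decode64(s), "#{h}.#{p}", PSS_OPTS)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo key; in the thread the PEM comes from `openssl req -newkey rsa-pss`.
  key = load_key(OpenSSL::PKey::RSA.new(2048).to_pem)
  token = ps256_sign(key, { "alg" => "PS256", "typ" => "JWT" }, { "sub" => "demo" })
  puts token
  puts ps256_verify(key, token)
end
```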