rustls
Expose PKCS_RSA_PSS_SHA256 for CSR generation
Make PKCS_RSA_PSS_SHA256 a publicly accessible algorithm so that CSRs can be created for RSA PSS.
This has been tested with https://github.com/parallaxsecond/parsec on this parsec-tool PR with the patched rcgen crate. Please check the results of openssl CSR verification in the CI run
For this to work with Parsec, this needs to be backported to v0.9.x The tests are not enabled as parsec is not used during testing.
This PR was opened as a Draft to discuss:
- Where should the SALTLEN be set to 32 (do we need a separate SignatureAlgorithm for this ? )
- Backporting to the v0.9.x branch to make this compatible with Parsec.
- Testing the patch in rcgen ?
- Enabling SHA384 the same way as done in the mentioned parsec-tool PR (SHA384 has not been tested with parsec-tool yet).
@cpu @djc this is a Draft PR just because it needs some discussion first
Why doesn't the parsec tool update to rcgen 0.13? I don't know that we'd want to backport to 0.9.
Just leaving a note that I'll be travelling for the next week and probably won't have a chance to review this before then.
I understand why you wouldn't want to backport, we'll have the parsec-tool update to rcgen 0.13.x.
Hi!
I have:
- Squashed the commits as @cpu requested.
- Added a commit for taking into account the rest of the variants (SHA384 and SHA512).
- Tried adding a test with
aws-lc-rs. Unfortunately, as shown in the CI, this fails with an "unable to get certs public key" error Taking a look in the aws-lc-rs tests, the generated signature value is not being tested, and taking a look at their code, they are setting the salt length following the convention mentioned by @cpu in this PR (same as we are doing in here).
I apologize for the delay, I have been busy with the recent release of our parsec openssl provider, with which we are able to perform a TLS handshake, using a CSR created with rcgen (with a ParsecRemoteKeyPair) for an RSA key with PSS signing.