Support all signature algorithms
See https://tools.ietf.org/id/draft-ietf-tls-tls13-21.html#rfc.section.4.2.3 for a full list of signature algos.
So far missing:
- [x] PKCS_RSA_SHA384 → a5316e18295fc9dd92031b6039cd18c4549601db
- [x] PKCS_RSA_SHA512 → f9fe8c596b712796a3e8a0ee19907e4d6f5dfe36
- [ ] PKCS_RSA_PSS_SHA256
- [ ] PKCS_RSA_PSS_SHA384
- [ ] PKCS_RSA_PSS_SHA512
- [ ] PKCS_ECDSA_P521_SHA512 (depends on https://github.com/briansmith/ring/issues/824)
- [ ] PKCS_ED448 (depends on https://github.com/briansmith/ring/issues/463)
The non-RSA-based algos are blocked by ring support, while RSA-based algos haven't been much of a priority for me because ring has no key generation support. I'm open to adding them though.
I see. While there is no key generation support, we can at least load them from a file.
I've tried adding RSA_PSS support in b2733e86011de5ad08f4e54d2231b103f5d56495 but didn't get it to work. So I made support non-pub for now. See also 46bf2eff0b5f8eac1fb8ddf7cc807e168277e3a4. One could say it's blocked on https://github.com/briansmith/ring/issues/1353, but I'm not sure.
I might try to build a remote KeyPair that can ingest openssl keys. Based on that I could build support for the remaining signature algorithms.
I created a tool in Go to generate certs signed with different algos: https://gist.github.com/kpp/c9c84411e17f4b27dddf0d438b289862#file-main-go with hardcoded `var signatureScheme = tls.PSSWithSHA384`. You can use that. I was never able to generate valid PSS certs with openssl.
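An added, stand-alone Go example in the same spirit (it is not kpp's gist and not rcgen's code): it generates a self-signed certificate with a requested signature scheme using only Go's standard library, then parses the PEM back, checks that the self-signature verifies, and returns the `SignatureAlgorithm` the parser recovered. It covers the RSA-PSS family and ECDSA P-521/SHA-512 from the checklist above; the subject name and validity period are made-up values, and the choice of 2048-bit RSA keys is an assumption of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GenerateSelfSigned creates a key of the type the requested algorithm needs,
// builds a self-signed CA certificate whose outer signature uses exactly that
// algorithm, and returns the certificate PEM-encoded.
func GenerateSelfSigned(alg x509.SignatureAlgorithm) ([]byte, error) {
	var signer crypto.Signer
	switch alg {
	case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
		k, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
		if err != nil {
			return nil, err
		}
		signer = k
	case x509.ECDSAWithSHA512:
		k, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
		if err != nil {
			return nil, err
		}
		signer = k
	default:
		return nil, fmt.Errorf("signature algorithm %v not handled by this example", alg)
	}

	// Random 128-bit serial; a zero/nil serial is rejected by CreateCertificate.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "sigalg-example"}, // constructed value
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// CA + certSign so that CheckSignatureFrom accepts the cert as its own issuer.
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
		// This field is what selects PSS (with MGF1 params) vs PKCS#1 v1.5 vs ECDSA.
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// InspectSelfSigned parses a PEM certificate, verifies its signature against
// its own public key, and returns the signature algorithm the parser decoded
// from the AlgorithmIdentifier (including the RSASSA-PSS parameters).
func InspectSelfSigned(pemBytes []byte) (x509.SignatureAlgorithm, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return x509.UnknownSignatureAlgorithm, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return cert.SignatureAlgorithm, fmt.Errorf("self-signature check failed: %w", err)
	}
	return cert.SignatureAlgorithm, nil
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA512,
	} {
		p, err := GenerateSelfSigned(alg)
		if err != nil {
			fmt.Println(alg, "generate:", err)
			continue
		}
		got, err := InspectSelfSigned(p)
		fmt.Printf("requested %v, parsed %v, verify err=%v\n", alg, got, err)
	}
}
```

The PSS certificates Go emits use MGF1 with the same hash as the signature and a salt length equal to the hash length, which is the parameter combination Go's parser (and most other X.509 parsers) map back to a named PSS algorithm; a cert with other PSS parameters parses but is reported as unknown, so the round-trip check in `InspectSelfSigned` is a useful sanity test for any generator whose PSS output is in doubt.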
> - [ ] PKCS_ECDSA_P521_SHA512 (depends on [NIST curve P-521 SHA-512 support for generating keys and signing briansmith/ring#824](https://github.com/briansmith/ring/issues/824))
Can't this be supported now, with the aws_lc_rs feature? If the support is still desired and currently possible, I could try to work on a PR to add the support.
@Alvenix yeah, that probably makes sense. Would be great if you can submit a PR for this!