Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose PKCS_RSA_PSS_SHA256 for CSR generation #272

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Expose PKCS_RSA_PSS_SHA256 for CSR generation #272

wants to merge 3 commits into from
+89 −23

Commits on Jun 3, 2024

  1. Expose PKCS_RSA_PSS_SHA256 for CSR generation 

    Make PKCS_RSA_PSS_SHA256 a publicly accessible algorithm so that
CSRs can be created for RSA PSS.

The default salt_len value for RSA PSS SHA256 is the current value,
20.
However, the only application that we currently know can use the
generated RSA PSS CSRs is Parsec https://github.com/parallaxsecond/parsec
which requires a salt length of 32 to work with OPENSSL.

 * Change this value to 32 to be compatible with OpenSSL.

On this topic, the spec states:
"When signing, it is RECOMMENDED that the parameters, except for
possibly saltLength, remain fixed for all usages of a given RSA key
pair"; and this is the value we are changing.

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
    @tgonzalezorlandoarm
    tgonzalezorlandoarm committed Jun 3, 2024
    Configuration menu
    Copy the full SHA
    95801d8 View commit details
    Browse the repository at this point in the history

  2. Add PKCS_RSA_PSS_SHA384 _SHA512 variants 

    A previous commit has added PKCS_RSA_PSS_SHA256 and made it publicly
available.

 * Replicate the same behaviour for PKCS_RSA_PSS_SHA384 and
   PKCS_RSA_PSS_SHA512

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
    @tgonzalezorlandoarm
    tgonzalezorlandoarm committed Jun 3, 2024
    Configuration menu
    Copy the full SHA
    c040537 View commit details
    Browse the repository at this point in the history

  3. [TEMP] tests/openssl: Enable PKCS_RSA_PSS_SHA256 certificate tests 

    Only enable PKCS_RSA_PSS_SHA256 and not the rest of the variants as
the tests for that are currently failing. Use aws_lc_rs for testing
as supposedly this one does support PSS keys while ring does not.

 * Fix a logic error in the test in which verify_cert_basic was being
   run when verify_cert should have been and viceversa.

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
    @tgonzalezorlandoarm
    tgonzalezorlandoarm committed Jun 3, 2024
    Configuration menu
    Copy the full SHA
    f571744 View commit details
    Browse the repository at this point in the history