Hello, I've tried creating a cert as follows with openssl
openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:2048 -out root.key openssl req -new -key root.key -out root.csr -config root_req.config openssl ca -in root.csr -out root.crt -config root.config -selfsign -extfile ca.ext -days 7305 openssl x509 -in root.crt -outform PEM -out root.pem then in my C++ code: StringSource ss(certStr, true); PEM_Load(ss, m_Cert); It will fail eventually down the path and with some debugging it appears it fails at the BERDecodeSignatureAlgorithm(tbsCertificate, m_subjectSignatureAlgortihm);. More specifically at bool parametersPresent = seq.EndReached() ? false : BERDecodeAlgorithmParameters(seq); where it reaches BERDecodeAlgorithmParameters. I have not tried dumpasn as I do not have it installed, but I assume sequence is different and is causing problems. Basically, I am trying to generate certificate that uses PSS with SHA256 in order to avoid SonarLint complaining about PCKS1v15 being not secure enough. I am trying to make my web server generate a certificate for the user and the user inputs the cert to an app for verification that it was signed by the server CA. I am new to crypto and certs so I may be doing some things wrong. It seems OAEP is the right thing to use but I have no idea how to generate this or use it with cryptopp and x509certificate libs? Thanks, Frank On Monday, April 15, 2024 at 10:00:49 AM UTC-4 Jeffrey Walton wrote: > On Mon, Apr 15, 2024 at 9:18 AM Frank Sapone <[email protected]> wrote: > >> NVM, it appears PSSR is considered more secure and this should work with >> the verifier > > > My bad, you should visit < > https://www.cryptopp.com/wiki/RSA_Signature_Schemes>. > > Jeff > > On Friday, April 12, 2024 at 12:20:56 PM UTC-4 Jeffrey Walton wrote: >> >>> On Friday, April 12, 2024 at 12:19:32 PM UTC-4 [email protected] >>> wrote: >>> >>> Hello, I am using Windows 10 Professional x64 with CryptoPP 8.9.0. It >>> is built with Visual Studio. We started using SonarQube/SonarLint for SCA >>> during compile and it's been complaining "Use a stronger padding scheme". >>> Specifically it sees this line: >>> >>> RSASS<PKCS1v15, SHA256>::Verifier verifier(publicKey); >>> >>> and complains about the PCKS1v15. I don't know how to change it to a >>> different type and what other ones are available. It suggests OAEP for RSA >>> which is what I assume we want. >>> >>> >>> https://www.cryptopp.com/wiki/RSA_Encryption_Schemes >>> >>> -- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/cryptopp-users/cfcb0483-9b22-4c84-b8f4-9b92c8385337n%40googlegroups.com.
