It seems that OpenSSL has a problem with PSS certificates and uncommon RSA key sizes. For all key sizes with "keysize mod 8 = 1" (or keysize = n*8+1), verification of a self-signed test cert fails.

I've not yet investigated whether it's the generation or the verification code that is wrong; it's probably related to the emBits variable from the EMSA-PSS-verify/encode code.

Check with this:

    openssl genrsa 2007 > test.key
    openssl req -batch -new -x509 -sigopt rsa_padding_mode:pss -nodes -days 99999 -key test.key > test.crt
    openssl verify -check_ss_sig -CAfile test.crt test.crt

Output of the last command is:

    139831192893096:error:0407E06D:rsa routines:RSA_verify_PKCS1_PSS:data too large:rsa_pss.c:127:
    139831192893096:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:215:

Tested with openssl-SNAP-20100808.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
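The report points at emBits in the EMSA-PSS encode/verify code. As an added example (not OpenSSL's code, not part of the original post, and not a diagnosis of this failure), the Python below follows RFC 8017 section 9.1 with SHA-256 and MGF1 to show how emBits = modBits - 1 sets emLen and the top-bit mask, including moduli of n*8+1 bits, where the encoded message is one octet shorter than the modulus. All function names are illustrative, and the RSA operation itself is left out.

```python
# Added example: EMSA-PSS (RFC 8017 sec. 9.1), SHA-256 + MGF1, no RSA step.
import hashlib

H, HLEN = hashlib.sha256, 32

def layout(mod_bits):
    """Return (k, emLen, unused top bits of EM) for a mod_bits-bit modulus."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    return (mod_bits + 7) // 8, em_len, 8 * em_len - em_bits

def mgf1(seed, length):
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, mod_bits, salt):
    _, em_len, unused = layout(mod_bits)
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for hash and salt")
    h = H(bytes(8) + H(msg).digest() + salt).digest()
    db = bytes(em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> unused            # clear the bits above emBits
    return bytes(masked) + h + b"\xbc"

def em_from_rsa_output(m, mod_bits):
    """Cut the k-octet RSA result to emLen octets (k - emLen is 1 when emBits % 8 == 0)."""
    k, em_len, _ = layout(mod_bits)
    if len(m) != k or any(m[:k - em_len]):
        raise ValueError("representative does not fit in emLen octets")
    return m[k - em_len:]

def pss_verify(msg, em, mod_bits, salt_len):
    _, em_len, unused = layout(mod_bits)
    if len(em) != em_len or em_len < HLEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    if masked[0] >> (8 - unused):          # bits above emBits must be zero
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= 0xFF >> unused
    pad = em_len - HLEN - salt_len - 2
    if any(db[:pad]) or db[pad] != 0x01:
        return False
    return H(bytes(8) + H(msg).digest() + bytes(db[pad + 1:])).digest() == h
```

`layout(2001)` gives k = 251 but emLen = 250, so a verifier has to drop one leading zero octet before parsing; `layout(2007)`, the size used in the commands above, gives k = emLen = 251 with two unused top bits.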
