On 06/25/2017 03:06 PM, we...@infotech.de wrote: > Dear OpenSSSL users, > > we recently came across a certificate with OID: id-RSASSA-PSS aka > rsassaPss in x509 subjects public key AlgorithmIdentifier. > > According to rfc4056 it is legitimate to use rsaEncryption or > id-RSASSA-PSS as OID for the subject public key. > > But when listing the certs's contents or during verification, openssl > v1.0.2h bails out: >> 12392:error:0609E09C:digital envelope >> routines:PKEY_SET_TYPE:unsupported algorithm:.\crypto\evp\p_lib.c:231: >> 12392:error:0B07706F:x509 certificate >> routines:X509_PUBKEY_get:unsupported >> algorithm:.\crypto\asn1\x_pubkey.c:148: > which is caused by failing to assign the proper ameth structure to the > key. > > Later in x_pubkey.c, only the method pub_decode is needed, which seems > to work for rsassa pubkeys. > So may we assign the same methods associated to rsaEncryption in this > case or are we breaking other functionality by doing so?
It might be more interesting to just try using the current OpenSSL master branch (or a snapshot), which has more proper RSA-PSS support. -Ben
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users