Dear all,
when you use e.g. the sample X.509 certs from my website
http://www.kaiser.cx/downloads/x509PssEmptyParams.zip
and run
openssl x509 -in pssRootCert.pem -noout -text
the salt len has a duplicate 0x.
Signature Algorithm: rsassaPss
...
Salt Length: 0x0x14
Hi,
please find attached a trivial patch to correct the description of
-noout in the sess_id application. At the moment, it mentions a CRL,
that's probably a copypaste mistake. I modified it to match the
manpage.
Best regards,
Martin
From 8360cbb13ee0d52ec88e859678d8858e55332d58 Mon Sep 17
Hi Matt,
With regards to the patch itself, it is the idiom of many of the OpenSSL
command line apps to take a -outform argument. I think it would be more in
keeping with the intention of that argument if the patch were modified to use
-outform NSS instead of -keylog. Could you make the
Hi Hanno, all,
Thus wrote Hanno Boeck via RT (r...@openssl.org):
openssl genrsa 2001 test.key
openssl req -batch -new -x509 -sigopt rsa_padding_mode:pss -nodes -days 9
-key test.key test.crt
openssl verify -check_ss_sig -CAfile test.crt test.crt
I've had a quick look, the problem
Hello Steve,
Thus wrote Stephen Henson via RT (r...@openssl.org):
I've now committed code to the development branch which includes PSS
signature verification support.
thanks for committing this, it looks like a clean and generic approach.
(of course, it's a pity that most of my code didn't
Hello Steve,
thanks for your feedback.
Thus wrote Stephen Henson via RT (r...@openssl.org):
As has been indicated the PSS ASN1 module is incorrect. Does that
actually verify PSS signatures correctly with non-default algorithms?
I'd expect ASN1 parsing errors.
I got Francesco's point and
Dear OpenSSL team and all,
finally, here's my patch (against today's 1.1 snapshot) for verification
of X.509 certificates using an RSASSA-PSS signature. I believe it is
fairly complete in terms of checking parameters.
The patch follows the idea that I outlined in previous posts
- two new ASN.1
Dear all,
I'm still looking into pss support for X.509 certificates. So far, I
haven't received any feedback to my proposals in #1951, I assume you're
all busy lately. Anyway, I'm trying to progress things along the lines
of what I've proposed and hope for some feedback when I post the code.
On Tue, Nov 03, 2009 at 10:09:04AM +0100, Martin Kaiser via RT wrote:
If the parameter has neither ln nor sn, I suggest that -1 is returned.
The attached short patch against today's snapshot fixes this problem
Thinking about this again, would it make sense to add an error to the
queue like
Steve, all,
here's another idea in draft stage. Please give me feedback before I
start working out the details.
In obj_xref.txt, we define
rsassaPss undef rsaEncryption
We add two components for pss to rsa_st
struct rsa_st
Steve, all,
I recently found some more time to look into this. In order to make sure
that the next attempt is in line with the rest of the code, I need some
more discussion.
The decision table in obj_xref.txt seems to be the problem. This
doesn't work for PSS, you can't determine the digest
Steve, all,
The new pkey API was designed to avoid tieing digests to signature
algorithms (e.g. sha1 can now be used to handle RSA and DSA signatures).
i.e. you're going to remove the pkey_type field in the EVP_MD structure?
Having looked through the API and standards it seems this can't be
Dear all,
in the x509 manpage, the description of the -hash paramter is misleading
;-)
Patch is against 0.9.8-stable of March 10th.
Best regards,
Martin
--- x509.pod.orig 2009-03-10 22:42:58.0 +0100
+++ x509.pod2009-03-10 22:43:15.0 +0100
@@ -155,7 +155,7 @@
Dear all,
there's two small issues in RSA_X931_derive_ex(), both fips and non-fips
version.
ctx = BN_CTX_new();
BN_CTX_start(ctx);
The result of BN_CTX_new() is passed on to BN_CTX_start(), which
dereferences it without any further checks. This fails for ctx == NULL.
So does the following
Dear all,
the following patch against today's stable snapshot removes unused code
in asn1_write_micalg(). The calculated EVP_MD is never used.
Best regards,
Martin
diff -ru openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/asn1/asn_mime.c
15 matches
Mail list logo