> [[email protected] - Mon Jun 08 10:46:29 2009]:
>
> The attached patch against openssl-SNAP-20090607 adds support for X.509
> certificates that contain an RSASSA-PSS signature (see PKCS1 #2.1 and
> RFC 4055).
>
> At the moment, only verification is supported, PSS parameters must be
> the default ones (either omitted or coded explicitly).
>
> The main idea of the patch is to use a new EVP_MD for "sha1 coupled to
> PSS", see my mail from 1st of June ([email protected]).
>

The new pkey API was designed to avoid tying digests to signature algorithms (e.g. sha1 can now be used to handle RSA and DSA signatures). Having looked through the API and standards it seems this can't be avoided without some extensions to the EVP_PKEY API. I'll look into how that could be done when I'm not snowed under with other tasks.

Do you have some examples of certificates signed with PSS? They would be useful for testing purposes.
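
The restriction quoted above (PSS parameters must be the defaults, "either omitted or coded explicitly") can be checked on the DER of the RSASSA-PSS-params structure from RFC 4055. The sketch below is an added example, not code from the patch or from OpenSSL; the function names and sample bytes are constructed for illustration. It assumes "omitted" covers both an absent parameters field and an empty SEQUENCE, and it accepts a SHA-1 AlgorithmIdentifier with NULL or absent parameters.

```python
SHA1_OID = bytes.fromhex("06052b0e03021a")          # 1.3.14.3.2.26
MGF1_OID = bytes.fromhex("06092a864886f70d010108")  # 1.2.840.113549.1.1.8 (id-mgf1)
NULL = b"\x05\x00"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); long-form or truncated lengths are rejected."""
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if length & 0x80 or end > len(buf):      # default params never need long form
        raise ValueError("long-form or truncated length")
    return tag, buf[pos + 2:end], end

def is_sha1_algid(der):  # SHA-1 AlgorithmIdentifier, parameters NULL or absent
    tag, body, end = read_tlv(der)
    return tag == 0x30 and end == len(der) and body in (SHA1_OID, SHA1_OID + NULL)

def pss_params_are_default(params):
    if not params:                           # parameters field absent (pass b"")
        return True
    try:
        tag, body, end = read_tlv(params)
        if tag != 0x30 or end != len(params):
            return False
        pos, last = 0, -1
        while pos < len(body):
            tag, inner, pos = read_tlv(body, pos)
            field = tag - 0xA0               # [0]..[3], EXPLICIT tags
            if not last < field <= 3:        # unknown, repeated or out of order
                return False
            last = field
            if field == 0:                   # hashAlgorithm must be SHA-1
                ok = is_sha1_algid(inner)
            elif field == 1:                 # maskGenAlgorithm must be MGF1(SHA-1)
                t, mgf, e = read_tlv(inner)
                ok = (t == 0x30 and e == len(inner) and mgf.startswith(MGF1_OID)
                      and is_sha1_algid(mgf[len(MGF1_OID):]))
            else:                            # saltLength 20, trailerField 1
                ok = inner == (b"\x02\x01\x14" if field == 2 else b"\x02\x01\x01")
            if not ok:
                return False
        return True
    except (ValueError, IndexError):         # malformed input is never "default"
        return False

# Constructed sample inputs, not taken from any real certificate.
EMPTY_SEQUENCE = bytes.fromhex("3000")       # every field left at its default
SALT_32 = bytes.fromhex("3005a203020120")    # saltLength 32: not a default
EXPLICIT_DEFAULTS = bytes.fromhex(           # all four defaults written out
    "3031a00b300906052b0e03021a0500a1183016"
    "06092a864886f70d010108300906052b0e03021a0500a203020114a303020101")
```

A verifier that supports only the default parameter set would reject any certificate for which `pss_params_are_default` returns False, rather than silently verifying with SHA-1 and a 20-byte salt.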
