I don't believe we have the right functions bound to do PSS signing (X509_sign_ctx is missing and there may be more). We also don't have the ability to properly parse PSS X509 because OpenSSL didn't add the ability to look at X509 PSS params until a recent 1.1.1 version.
If you're interested in adding support we'd be happy to take a patch (or probably several separate ones), but this is likely to be a complex piece of work requiring conditional bindings, numerous tests, and quite a few new vectors.

-Paul

On Thu, Sep 24, 2020 at 6:58 AM Dávid Bence <bence...@gmail.com> wrote:
> Hi all,
>
> I am trying to sign X509 certificates, however not with the default
> signature algorithm RSA_WITH_SHA256 with the OID "1.2.840.113549.1.1.11"
> but with the RSASSA_PSS one with OID "1.2.840.113549.1.1.10", for which,
> as far as I know, there is not really a possibility currently. I saw the
> related issue: https://github.com/pyca/cryptography/issues/2850 is still
> open. I am doing this for backwards compatibility reasons but I have not
> really found a way yet to circumvent the problem. Is it possible to use the
> low level OpenSSL API functions directly? I succeeded in calling some
> functions with "default_backend()._lib.xxx" but I have not found everything
> I need.
>
> Can somebody suggest a solution?
>
> Many thanks,
> Bence
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
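The reason Paul singles out "the ability to look at X509 PSS params" is that, unlike sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11, parameters NULL), the RSASSA-PSS OID 1.2.840.113549.1.1.10 says nothing about the hash, mask generation function or salt length: those live in the RSASSA-PSS-params that follow the OID (RFC 4055), with SHA-1 / MGF1-SHA-1 / salt 20 as defaults when a field is omitted. The following stdlib-only encoder and decoder for that AlgorithmIdentifier is an added example, not code from pyca/cryptography, OpenSSL or this thread; the SHA-256 / MGF1-SHA-256 / 32-byte-salt choice is a constructed sample and the helper names are the example's own.

```python
# Added example (not pyca/cryptography, OpenSSL or thread code): stdlib-only DER
# encoder/decoder for the X.509 signature AlgorithmIdentifier, showing why an
# RSASSA-PSS certificate needs its parameters parsed (RFC 4055) while a
# sha256WithRSAEncryption one only needs its OID.

OID_RSASSA_PSS = "1.2.840.113549.1.1.10"       # from the thread
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # from the thread
OID_MGF1 = "1.2.840.113549.1.1.8"              # id-mgf1 (RFC 4055)
OID_SHA256 = "2.16.840.1.101.3.4.2.1"          # id-sha256
OID_SHA1 = "1.3.14.3.2.26"                     # id-sha1, the RFC 4055 default
SEQ, NULL = 0x30, b"\x05\x00"

def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_oid(oid):
    """Dotted OID string -> DER OBJECT IDENTIFIER (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_int(n):
    """DER INTEGER for non-negative n; adds a leading 0x00 when the top bit would be set."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def _hash_alg(oid):
    return _tlv(SEQ, encode_oid(oid) + NULL)  # AlgorithmIdentifier { hash, NULL }

def encode_pss_alg_id(hash_oid=OID_SHA256, salt_len=32):
    """AlgorithmIdentifier { id-RSASSA-PSS, RSASSA-PSS-params } with EXPLICIT [0],[1],[2] tags.
    SHA-256 / MGF1-SHA-256 / 32-byte salt are constructed sample parameters."""
    params = (
        _tlv(0xA0, _hash_alg(hash_oid))                                       # hashAlgorithm
        + _tlv(0xA1, _tlv(SEQ, encode_oid(OID_MGF1) + _hash_alg(hash_oid)))   # maskGenAlgorithm
        + _tlv(0xA2, encode_int(salt_len))                                    # saltLength
    )
    return _tlv(SEQ, encode_oid(OID_RSASSA_PSS) + _tlv(SEQ, params))

def encode_pkcs1v15_alg_id():
    """sha256WithRSAEncryption: the hash is implied by the OID, parameters are NULL."""
    return _tlv(SEQ, encode_oid(OID_SHA256_WITH_RSA) + NULL)

def _read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_signature_alg(der):
    """Describe a signature AlgorithmIdentifier. For PSS the hash, MGF hash and salt
    length come from the parameters, with RFC 4055 defaults for any field left out."""
    tag, body, _ = _read_tlv(der)
    if tag != SEQ:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    (_, oid_body), *rest = _children(body)
    oid = decode_oid(oid_body)
    if oid != OID_RSASSA_PSS:
        return {"oid": oid, "pss": False}
    info = {"oid": oid, "pss": True, "hash": OID_SHA1, "mgf_hash": OID_SHA1, "salt_len": 20}
    for ctx_tag, val in _children(rest[0][1]) if rest else []:
        inner = _children(val)[0][1]           # strip the EXPLICIT context tag
        if ctx_tag == 0xA0:                    # inner = hash OID + NULL
            info["hash"] = decode_oid(_children(inner)[0][1])
        elif ctx_tag == 0xA1:                  # inner = id-mgf1 OID + AlgorithmIdentifier{hash}
            info["mgf_hash"] = decode_oid(_children(_children(inner)[1][1])[0][1])
        elif ctx_tag == 0xA2:                  # inner = INTEGER contents
            info["salt_len"] = int.from_bytes(inner, "big")
    return info

if __name__ == "__main__":
    print(parse_signature_alg(encode_pss_alg_id()))
    print(parse_signature_alg(encode_pkcs1v15_alg_id()))
```

Running it prints the decoded PSS parameters next to the plain v1.5 identifier; a verifier that ignored the parameters and used the defaults would hash with SHA-1 and a 20-byte salt against a certificate signed with SHA-256 and a 32-byte salt, which is exactly the class of mismatch a binding has to expose rather than guess.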