On Wed, May 19, 2010, Martin Kaiser wrote:

> Hello Bram,
>
> Thus wrote Bram Cymet (bcy...@cbnco.com):
>
> > I have been able to use RSA-PSS to sign some data with OpenSSL. I am
> > wondering if OpenSSL supports creating certs where the signature
> > algorithm uses RSA-PSS. In other words, when viewing the properties of
> > the cert you would get:
>
> > Signature Algorithm: 1.2.840.113549.1.1.10
>
> this was added to the 1.1 development branch some time ago, see
>
> http://www.openssl.org//news/changelog.html
>
> You can get it via CVS (http://www.openssl.org//source/repos.html) or
> you download a daily snapshot from ftp://ftp.openssl.org/snapshot/
>
Though the usage is currently undocumented.

The 'req' and 'ca' commands take a -sigopt command line option which sets
signing options in a way similar to the documented pkeyutl utility.

So to generate the requests and certificates you just set the padding mode
to PSS and the salt length if you wish.

PSS signatures should be verified automatically.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
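
The procedure described in the reply above, as an added example that is not part of the original message and is not OpenSSL project code. It assumes an OpenSSL build whose 'req' command accepts -sigopt; the subject name, file names and the 32-byte salt length are constructed for illustration. The 'ca' command is not shown because it needs a CA configuration and database.

```shell
#!/bin/sh
# Added example: a request and a self-signed certificate signed with RSA-PSS.
# Subject name, file names and salt length are constructed for illustration.

pss_demo() {
    dir=$(mktemp -d) || return 1

    # Throwaway, unencrypted RSA test key.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 1

    # CSR signed with PSS padding and a 32-byte salt (the SHA-256 digest size).
    openssl req -new -key "$dir/key.pem" -sha256 \
        -subj "/CN=pss-test.example" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -out "$dir/req.pem" || return 1

    # The CSR self-signature verifies without any PSS-specific option.
    openssl req -in "$dir/req.pem" -noout -verify 2>&1 |
        grep -q "verify OK" || return 1

    # Self-signed certificate created with the same signing options.
    openssl req -new -x509 -key "$dir/key.pem" -sha256 -days 1 \
        -subj "/CN=pss-test.example" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -out "$dir/cert.pem" || return 1

    # Certificate verification also needs no extra option for PSS.
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" \
        >/dev/null 2>&1 || return 1

    # Print the signature algorithm name recorded in the certificate.
    openssl x509 -in "$dir/cert.pem" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
    rm -rf "$dir"
}

pss_demo
```

The name printed is OpenSSL's short name for OID 1.2.840.113549.1.1.10; the full -text output also lists the hash, mask function and salt length encoded in the signature parameters.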