On Sat, Feb 18, 2017 at 06:22:23PM +0000, Dr Stephen Henson wrote:
> On 18/02/2017 16:26, Viktor Dukhovni wrote:
> > On Sat, Feb 18, 2017 at 02:31:19AM +0000, Dr Stephen Henson wrote:
> > 
> >>
> >> For example could a TLS 1.2 server legally present a certificate containing an
> >> RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client present
> >> a certificate containing an RSASSA-PSS key?
> > 
> > Isn't an RSA public key independent of the signature algorithms it
> > might be employed with?  If the EE cert has an RSA key, and RSA-PSS
> > is not negotiated, can't the peer (client or server) just sign with
> > PKCS#1?  So the same EE cert would then be valid for either PSS or
> > PKCS#1?  Or have I missed the memo on how PSS works with EE certs?
> > 
> 
> The most commonly deployed certificates containing RSA keys use rsaEncryption
> (1 2 840 113549 1 1 1). For those the key can be used for PKCS#1 and PSS.
> 
> There is however a second OID id-RSASSA-PSS defined in RFC4055 et al. With that
> OID the key can only be legally used for PSS (with possible additional
> restrictions) and not PKCS#1. That algorithm OID in EE certs was unusable for
> TLS before 1.3 as the signature was always PKCS#1. As a result very few such
> certificates have been seen in the wild, but (as mentioned in other threads)
> they MUST be supported in TLS 1.3 (rsa_pss_sha256 is a mandatory algorithm).
> 
> My question was whether this implied TLS 1.2 implementations (that include PSS
> in the signature algorithms extension) must support them too.

The behaviour of the implementation I have been writing, with regard to
RSA-PSS:

- Only the 3 TLS 1.3 variants of RSA-PSS are supported, including in
  1.2 and certificates.
- When using RSA-PSS for SKE signature, the ciphersuite signature
  algorithm is set to RSA.
- Ciphersuite signature algorithm is ignored on receipt.
- RSA-PSS SKE signatures are recognized from hash=8, algorithm=4, 5 or
  6 in DigitallySigned algorithm. The hash is determined from the
  algorithm number.
- RSA-PSS certificate signatures are recognized by exact match to
  precomposed algorithmidentifier values.
- RsaEncryption keys can be used to validate RSA-PKCS#1 v1.5 and
  RSA-PSS signatures.
- RSA-PSS keys can be used to validate RSA-PSS only, not RSA-PKCS#1
  v1.5.
- Normally, any server RSA keys need to be RsaEncryption type, but
  it is possible to force RSA-PSS key by some tricks.
- If client indicated support for both RSA-PKCS#1 v1.5 and RSA-PSS
  and RSA key is selected, RSA-PSS is preferred.


Nearly all of this just falls from the TLS 1.3 support. The only
version-specific part is knowing to set RSA certificate algorithm if
RSA-PSS was chosen (and this is controlled by one bitmask).


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
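
The acceptance rules listed in the message above, written out as an added Python sketch; it is not code from the thread or from the implementation the message describes. It models the key-type restriction (rsaEncryption vs. id-RSASSA-PSS), recognition of RSA-PSS from hash=8 with algorithm 4, 5 or 6, and the preference for RSA-PSS when the peer offers both. Assumptions: the function names are hypothetical, key types are passed as dotted OID strings, and PKCS#1 v1.5 is modelled for SHA-2 hashes only.

```python
# Added illustration; all names here are hypothetical, not from a TLS library.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
ID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS (RFC 4055)

PSS_HASH_BYTE = 8                          # hash=8 marks RSA-PSS in the message
PSS_DIGESTS = {4: "sha256", 5: "sha384", 6: "sha512"}    # keyed by algorithm byte
PKCS1_SIG_BYTE = 1                         # TLS 1.2 SignatureAlgorithm rsa(1)
PKCS1_DIGESTS = {4: "sha256", 5: "sha384", 6: "sha512"}  # assumption: SHA-2 only


def classify(hash_byte, sig_byte):
    """Map a (hash, algorithm) pair to (padding, digest); None if unknown."""
    if hash_byte == PSS_HASH_BYTE and sig_byte in PSS_DIGESTS:
        return ("pss", PSS_DIGESTS[sig_byte])
    if sig_byte == PKCS1_SIG_BYTE and hash_byte in PKCS1_DIGESTS:
        return ("pkcs1", PKCS1_DIGESTS[hash_byte])
    return None


def key_permits(key_oid, padding):
    """rsaEncryption keys verify both paddings; id-RSASSA-PSS keys only PSS."""
    if key_oid == RSA_ENCRYPTION:
        return padding in ("pkcs1", "pss")
    if key_oid == ID_RSASSA_PSS:
        return padding == "pss"
    return False


def check_received(key_oid, hash_byte, sig_byte):
    """Verifier side: accept the pair only if the peer's key type allows it."""
    alg = classify(hash_byte, sig_byte)
    return alg if alg and key_permits(key_oid, alg[0]) else None


def select_for_signing(key_oid, peer_offers):
    """Signer side: choose from the peer's offered pairs, preferring RSA-PSS."""
    best = None
    for index, pair in enumerate(peer_offers):
        alg = classify(*pair)
        if alg and key_permits(key_oid, alg[0]):
            rank = (alg[0] != "pss", index)   # PSS first, then peer order
            if best is None or rank < best[0]:
                best = (rank, pair)
    return best[1] if best else None
```

A PKCS#1 v1.5 signature presented under an id-RSASSA-PSS key is rejected by `check_received` before any signature verification is attempted, which is the behaviour the key-type rule requires.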
