On 19 February 2017 at 06:25, Ilari Liusvaara <ilariliusva...@welho.com> wrote: > - Only the 3 TLS 1.3 variants of RSA-PSS are supported. Including in > 1.2 and certificates. > - When using RSA-PSS for SKE signature, the ciphersuite signature > algorithm is set to RSA. > - Ciphersuite signature algorithm is ignored on receipt. > - RSA-PSS SKE signatures are recognized from hash=8, algoritm=4, 5 or > 6 in DigitallySigned algorithm. The hash is determined from the > algorithm number. > - RSA-PSS certificate signatures are recognized by exact match to > precomposed algorithmidentifier values. > - RsaEncryption keys can be used to validate RSA-PKCS#1 v1.5 and > RSA-PSS signatures. > - RSA-PSS keys can be used to validate RSA-PSS only, not RSA-PKCS#1 > v1.5. > - Normally, any server RSA keys need to be RsaEncryption type, but > it is possible to force RSA-PSS key by some tricks.. > - If client indicated support for both RSA-PKCS#1 v1.5 and RSA-PSS > and RSA key is selected, RSA-PSS is preferred.
NSS does all of this too. With the only difference being in server configuration. Server RSA keys are used for PKCS#1 and PSS if they are of the rsaEncryption type, and RSA-PSS keys - as determined by the OID in the certificate SPKI - are only used for PSS. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls