On 26/04/2017 14:41, Ilari Liusvaara wrote: > On Wed, Apr 26, 2017 at 03:23:57PM +0200, Martin Rex wrote: >> >> The issue with RSA-PSS digital signatures is that they were defined >> with additional (unnecessary) parameters that are encoded (=hidden) in the >> ASN.1 AlgorithmIdentifier, and that are therefore unspecified when >> RSA-PSS is requested as (rsa-pss,sha-256) rather than with an ASN.1 >> AlgorithmIdentifier. > > TLS 1.3 specifies what values those parameters have for various > SignatureSchemes. > >> The additional, unnecessary parameters are "saltLen" and >> "MaskGenerationFunction" (MGF), and the commonly-used MaskGenerationFunction >> (mgf1) adds yet another additional, unnecessary parameter (MGF-internal >> hash). > > Also specified. >
For TLS message signatures yes. For signatures on certificates I think it is far less clear. For salt lengths the spec says: "When used in signed TLS handshake messages, the length of the salt MUST be equal to the length of the digest output." It says nothing about salt length restrictions (if any) on certificates. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.co.uk/ Email: shen...@drh-consultancy.co.uk, PGP key: via homepage. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls