awslabs / aws-greengrass-labs-certificate-rotator

Greengrass component and companion cloud backend for rotating the core device certificate and private key
Apache License 2.0

Support RSA PSS signing algorithms for the CSR signature #17

Closed gregbreen closed 4 months ago

gregbreen commented 10 months ago

AWS IoT Core recently added support for RSA PSS signing algorithms: https://aws.amazon.com/about-aws/whats-new/2023/07/aws-iot-core-new-certificate-signing-key-generation-algorithms/

This allows for workflows such as:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -sha256 -out csr.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
aws iot create-certificate-from-csr --certificate-signing-request=file://csr.pem

Such workflows are possible with python-pkcs11 and asn1crypto, but not possible with cryptography 41.x. Issue raised: https://github.com/pyca/cryptography/issues/9467. The enhancement will be shipped in cryptography 42.0. Then this component can add support for RSA PSS signing algorithms for the CSR.

gregbreen commented 4 months ago

Python cryptography 42.0 was released Jan 22.