Closed lwithers closed 7 years ago
/cc @agl @ianlancetaylor Should this go in 1.8? How important are RSA-PSS certificates? Are they used in the wild?
I don't believe that any of the big-name certificate authorities are currently issuing RSA-PSS certificates, so they are likely to be quite uncommon in the wild.
However, there are some applications that use them. The certificate I attached is part of a list curated and published by the ICAO (International Civil Aviation Organisation) in what it calls the PKD (public key directory; see http://www.icao.int/security/mrtd/pages/ICAOPKD.aspx). These are basically the certificates used to verify the signatures in ePassports.
CL https://golang.org/cl/24743 mentions this issue.
As requested in the CL, here is a set of test certificates, along with some tools to verify the signatures: RSA-PSS.tar.gz
Thank you very much for the test set. I've updated the CL with the following changes:
With that, all the test certificates validate.
Attempting to verify an RSA certificate which has been signed using PSS will fail with an error
x509: cannot verify signature: algorithm unimplemented
.This can be observed with this (self-signed) certificate, which can be validated with e.g.
openssl verify -CAfile root.pem root.pem
.There is also a simple demonstration program at https://play.golang.org/p/bO_qiPmi9k
I have tried this with both:
on this machine: