Closed Demi-Marie closed 4 years ago
Require that optional NULL parameters of RSA-PSS AlgorithmIds be omitted. This corresponds to a SHOULD in RFC8017 and simplifies verification.
Why do we make this a MUST? I'm not sure how I would implement a check for that in Go.
It’s a MUST on the generation side, not on the use side. The behavior on the use side is unspecified. libp2p-go-tls doesn’t use RSA-PSS for generating certificates, so it isn’t affected.
That said, this isn’t particularly important, as libp2p-quic now supports all four valid encodings. I will remove it.
@marten-seemann can you re-review?
@marten-seemann ping
Thank you both! :heart:
NamedCurve encoding of elliptic curve parameters to prevent “Whose Curve Is It Anyway” attacks.
subjectUniqueId and issuerUniqueId fields in certificates. These fields are essentially unused, and the Rust implementation rejects certificates that have them.
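For the RSA-PSS question raised earlier in this thread, one way a Go verifier could test whether the optional NULL parameters were omitted is sketched below. This is an added example, not code from this pull request or from any libp2p implementation. The names `pssParameters`, `buildPSSParams` and `nullsOmitted` are hypothetical, the sample encodings are constructed in the block, and SHA-256 with MGF1 and explicit hash and MGF fields are assumed.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// pssParameters mirrors RSASSA-PSS-params (RFC 8017, A.2.3).
// Assumption: the hash and MGF fields are encoded explicitly, not defaulted.
type pssParameters struct {
	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
	SaltLength   int                      `asn1:"explicit,tag:2"`
	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
}

var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
var oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}

// buildPSSParams constructs sample DER for one of the four encodings (test data only).
func buildPSSParams(hashNull, mgfNull bool) []byte {
	null := map[bool]asn1.RawValue{true: asn1.NullRawValue} // false -> field omitted
	mgfHash, _ := asn1.Marshal(pkix.AlgorithmIdentifier{Algorithm: oidSHA256, Parameters: null[mgfNull]})
	der, _ := asn1.Marshal(pssParameters{
		Hash:       pkix.AlgorithmIdentifier{Algorithm: oidSHA256, Parameters: null[hashNull]},
		MGF:        pkix.AlgorithmIdentifier{Algorithm: oidMGF1, Parameters: asn1.RawValue{FullBytes: mgfHash}},
		SaltLength: 32, TrailerField: 1,
	})
	return der
}

// nullsOmitted reports whether the hash and the MGF1 hash AlgorithmIdentifiers
// both leave out their optional parameters field.
func nullsOmitted(der []byte) (bool, error) {
	var p pssParameters
	if rest, err := asn1.Unmarshal(der, &p); err != nil || len(rest) != 0 {
		return false, fmt.Errorf("malformed RSASSA-PSS-params")
	}
	var mgfHash pkix.AlgorithmIdentifier
	if rest, err := asn1.Unmarshal(p.MGF.Parameters.FullBytes, &mgfHash); err != nil || len(rest) != 0 {
		return false, fmt.Errorf("malformed MGF1 parameters")
	}
	return len(p.Hash.Parameters.FullBytes) == 0 && len(mgfHash.Parameters.FullBytes) == 0, nil
}

func main() {
	for _, c := range [][2]bool{{false, false}, {true, false}, {false, true}, {true, true}} {
		ok, err := nullsOmitted(buildPSSParams(c[0], c[1]))
		fmt.Printf("hash NULL=%v, MGF1 hash NULL=%v -> omitted=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```
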