r0g3r3k
commented
3 weeks ago I have hit the same issue. Problem is that PSS signatures have non-NULL parameters, see RFC 5280, section 4.1.1.2, https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.1.2
But this fails in BERDecodeAlgorithmParameters() which calls BERDecodeNull()
Hello,
I've tried creating a cert as follows with openssl
openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:2048 -out root.key openssl req -new -key root.key -out root.csr -config root_req.config openssl ca -in root.csr -out root.crt -config root.config -selfsign -extfile ca.ext -days 7305 openssl x509 -in root.crt -outform PEM -out root.pem
then in my C++ code: StringSource ss(certStr, true);
It will fail eventually down the path and with some debugging it appears it fails at the BERDecodeSignatureAlgorithm(tbsCertificate, m_subjectSignatureAlgortihm);. More specifically at bool parametersPresent = seq.EndReached() ? false : BERDecodeAlgorithmParameters(seq); where it reaches BERDecodeAlgorithmParameters.
I have not tried dumpasn as I do not have it installed, but I assume sequence is different and is causing problems.
Basically, I am trying to generate certificate that uses PSS with SHA256 in order to avoid SonarLint complaining about PCKS1v15 being not secure enough. I am trying to make my web server generate a certificate for the user and the user inputs the cert to an app for verification that it was signed by the server CA. I am new to crypto and certs so I may be doing some things wrong. It seems OAEP is the right thing to use but I have no idea how to generate this or use it with cryptopp and x509certificate libs?
Thanks, Frank