Help/Feature Request: X509 Certificate Builder PublicKey RSA-PSS OID support

[VaderBV]

Hi,

I am using the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key.

I am able to build the certificate successfully.

But, when I parse the DER serialized certificate using ASN.1 Parser, I notice that the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1.

Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?

I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.

Thanks

[alex]

See the rsa_padding argument https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.sign

On Wed, Mar 27, 2024, 9:18 AM VaderBV @.***> wrote:

Hi,

I am trying to use the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key.

I am able to get the certificate successfully. But, when I parse the DER serialized certificate using ASN.1 Parser, the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1.

Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?

I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.

Thanks

— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/10655, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBCIRKWIEZZFSJAGI53Y2LBJBAVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTANZYGUYTOOA . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[VaderBV]

Hi @alex , thanks for the reply!

I am aware of the rsa_padding argument while signing using the root CA.

However, I am specifically looking for RSA-PSS OID for the certificate Subject Public Key. https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key

When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm.

I am trying to understand if it is possible for this subjectPublicKeyInfo - Algorithm OID to be id-RSASSA-PSS OID. I have attached the ASN.1 parsed example of a certificate to showcase the above.

[alex]

Ahh, sorry I misunderstood. No, there's currently no way to do this

On Wed, Mar 27, 2024, 9:44 AM VaderBV @.***> wrote:

Hi @alex https://github.com/alex , thanks for the reply!

I am aware of the rsa_padding argument while signing using the root CA.

However, I am specifically looking for RSA-PSS OID for the certificate Subject Public Key.

https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key

When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm.

I am trying to understand if it is possible for this subjectPublicKeyInfo

• Algorithm OID to be id-RSASSA-PSS OID. I have attached the ASN.1 parsed example of a certificate I generated using openssl to showcase the above. image.png (view on web) https://github.com/pyca/cryptography/assets/54500859/81025478-8860-4cf9-a2c5-cbf2ece95db0

— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/10655#issuecomment-2022807778, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBAZFVII2RGBASPZ7W3Y2LEK7AVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRSHAYDONZXHA . You are receiving this because you were mentioned.Message ID: @.***>

[VaderBV]

Hi,

As a follow-up question, is it possible to add support to generate rsa-pss keys ?

Using openssl it is possible to generate rsa-pss keys, but I wasn't able to do it neither with cryptography nor with pyOpenSSL.

However, I was able to load the rsa-pss key from a pem file using pyOpenSSL and was able to use it to generate a certificate with SubjectPublicKey algorithm OID as id-RSASSA-PSS.

Trying to use Cryptography library for the same, resulted in an error while trying to load the rsa-pss key from pem file.

Thanks