Open VaderBV opened 5 months ago
See the rsa_padding argument https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.sign
On Wed, Mar 27, 2024, 9:18 AM VaderBV @.***> wrote:
Hi,
I am trying to use the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key.
I am able to get the certificate successfully. But, when I parse the DER serialized certificate using ASN.1 Parser, the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1.
Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?
I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.
Thanks
— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/10655, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBCIRKWIEZZFSJAGI53Y2LBJBAVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTANZYGUYTOOA . You are receiving this because you are subscribed to this thread.Message ID: @.***>
Hi @alex , thanks for the reply!
I am aware of the rsa_padding argument while signing using the root CA.
However, I am specifically looking for RSA-PSS OID for the certificate Subject Public Key. https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key
When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm.
I am trying to understand if it is possible for this subjectPublicKeyInfo - Algorithm OID to be id-RSASSA-PSS OID. I have attached the ASN.1 parsed example of a certificate to showcase the above.
Ahh, sorry I misunderstood. No, there's currently no way to do this
On Wed, Mar 27, 2024, 9:44 AM VaderBV @.***> wrote:
Hi @alex https://github.com/alex , thanks for the reply!
I am aware of the rsa_padding argument while signing using the root CA.
However, I am specifically looking for RSA-PSS OID for the certificate Subject Public Key.
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key
When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm.
I am trying to understand if it is possible for this subjectPublicKeyInfo
- Algorithm OID to be id-RSASSA-PSS OID. I have attached the ASN.1 parsed example of a certificate I generated using openssl to showcase the above. image.png (view on web) https://github.com/pyca/cryptography/assets/54500859/81025478-8860-4cf9-a2c5-cbf2ece95db0
— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/10655#issuecomment-2022807778, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBAZFVII2RGBASPZ7W3Y2LEK7AVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRSHAYDONZXHA . You are receiving this because you were mentioned.Message ID: @.***>
Hi,
As a follow-up question, is it possible to add support to generate rsa-pss keys ?
Using openssl it is possible to generate rsa-pss keys, but I wasn't able to do it neither with cryptography nor with pyOpenSSL.
However, I was able to load the rsa-pss key from a pem file using pyOpenSSL and was able to use it to generate a certificate with SubjectPublicKey algorithm OID as id-RSASSA-PSS.
Trying to use Cryptography library for the same, resulted in an error while trying to load the rsa-pss key from pem file.
Thanks
Hi,
I am using the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key.
I am able to build the certificate successfully.
But, when I parse the DER serialized certificate using ASN.1 Parser, I notice that the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1.
Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?
I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.
Thanks