Closed ryru closed 4 years ago
strongSwan can create PSS signatures, but is unable to differentiate between rsaEncryption and rsassaPss encoding of public keys (all are treated the same and rsaEncryption is assumed). So only the RSA_PSS_RSAE schemes can/will be used for signing, but all can be verified.
In tls_crypto.c's function params_for_scheme, the order of the client-sent signature schemes is chosen. This results in RSA_PSS_PSS algorithms being preferred over RSA_PSS_RSAE algorithms. strongSwan currently is able to verify these but not sign with PSS algorithms. The current implementation skips all PSS algorithms. To improve this behaviour it is desired to distinguish between verify and sign operations.
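The sign/verify distinction asked for above, as an added sketch that is not strongSwan's code: the peer's list is walked in the peer's order, and RSA_PSS_PSS schemes are skipped only when signing. The names `sig_op_t`, `scheme_usable`, `select_scheme` and the sample list are hypothetical; the code points are the SignatureScheme values from RFC 8446.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3) */
enum {
    RSA_PSS_RSAE_SHA256 = 0x0804, RSA_PSS_RSAE_SHA384 = 0x0805,
    RSA_PSS_RSAE_SHA512 = 0x0806, RSA_PSS_PSS_SHA256  = 0x0809,
    RSA_PSS_PSS_SHA384  = 0x080a, RSA_PSS_PSS_SHA512  = 0x080b,
};

/* Hypothetical: the operation the scheme is being chosen for */
typedef enum { OP_VERIFY, OP_SIGN } sig_op_t;

static bool is_pss_rsae(uint16_t s) { return s >= 0x0804 && s <= 0x0806; }
static bool is_pss_pss(uint16_t s)  { return s >= 0x0809 && s <= 0x080b; }

/* RSAE schemes work for both operations; PSS_PSS schemes only for
 * verification, because the private key is assumed to be rsaEncryption. */
bool scheme_usable(uint16_t scheme, sig_op_t op)
{
    if (is_pss_rsae(scheme))
        return true;
    if (is_pss_pss(scheme))
        return op == OP_VERIFY;
    return false; /* other scheme families are outside this sketch */
}

/* Return the first scheme in the peer's order usable for op, 0 if none. */
uint16_t select_scheme(const uint16_t *peer, size_t count, sig_op_t op)
{
    for (size_t i = 0; i < count; i++)
        if (scheme_usable(peer[i], op))
            return peer[i];
    return 0;
}

/* Constructed client list that prefers RSA_PSS_PSS, as in the issue */
static const uint16_t sample_client_schemes[] = {
    RSA_PSS_PSS_SHA512, RSA_PSS_PSS_SHA256,
    RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384,
};

int main(void)
{
    size_t n = sizeof(sample_client_schemes) / sizeof(sample_client_schemes[0]);
    printf("sign:   0x%04x\n", select_scheme(sample_client_schemes, n, OP_SIGN));
    printf("verify: 0x%04x\n", select_scheme(sample_client_schemes, n, OP_VERIFY));
    return 0;
}
```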