RSASSA-PSS support

[LuNoX]

Currently, certvalidator only supports RSASSA-PKCS1 v1.5. As described in RFC 3447, RSASSA-PSS (PKCS1 v2.1) is recommended over v.1.5. Many recently issued certificates use it already.

This commit adds support for RSASSA-PSS signature validation.

[wbond]

Thanks for taking the time to submit this enhancement!

We'll definitely want some tests to go with this. I'm not sure if the NIST test suite has any as of 2020. You can find a link to that at https://github.com/wbond/certvalidator/blob/master/docs/readme.md.

An alternative place to look for testing certs and chains would be the OpenSSL suite.

[LuNoX]

Thanks for the quick response!

It seems all the Certs in the NIST suite use RSASSA-PKCS1 v1.5 rather than RSASSA-PSS. None of the OpenSSL OSCP-test use it either. This OpenSSL cert features a pss signature. However, it does not pass the path validation because of CA:FALSE (it wasn't meant for path validation anyway).

I tested the feature locally with our company's public cert chain for a project of mine. It worked, but I assume that won't suffice. Since I could not find a publicly available cert chain featuring PSS, I suppose the best way to go forward would be for you to generate one?

[wbond]

I’d be fine with any valid chain that you’d be alright including in the test fixtures. I would obviously expect it to pass OpenSSL validation.

[LuNoX]

If it doesn't, then we're getting scammed, haha. Our cert is expiring next month and we will be issued a new one with PSS. If I get the ok from the higher ups, we can use that one. Until then, I'll leave the PR open and just use my fork for a while.

[LuNoX]

Hey, I know it's been a while but I just thought about this PR and I went looking for a suitable certificate. Neither OpenSSL nor the NIST suite provides one. However, since PSS is standard in many industries in Europe now, it didn't take long to find one on globaltrustpoint that uses it. This is RWE's (major energy corporation) current public cert for market communication. edifact_lieferant_strom_rwest@westnetz.de_0x79D286D4.cer.txt Had to rename it to .txt so the upload would work. Would you want me to update the PR using this cert in the suite?

[LuNoX]

I added a test for it. Feel free to run it and merge the PR.

[LuNoX]

@wbond Would you mind merging this PR after taking a look at it? I think it would make a lot of Germans doing Edifact@Energy things happy ^^