Help/Feature Request: X509 Certificate Builder PublicKey RSA-PSS OID support #10655
Comments
|
See the rsa_padding argument
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.sign
…On Wed, Mar 27, 2024, 9:18 AM VaderBV ***@***.***> wrote:
Hi,
I am trying to use the X.509 Certificate Builder to build a certificate
which has an RSA Subject Public Key.
I am able to get the certificate successfully. But, when I parse the DER
serialized certificate using ASN.1 Parser, the SubjectPublicKeyInfo field
of the certificate has an algorithm OID - rsaEncryption OID =
1.2.840.113549.1.1.1.
Is it possible for this Subject Public Key algorithm OID to be changed to
id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?
I am trying to use the certificate with a secure element, which requires
id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.
Thanks
—
Reply to this email directly, view it on GitHub
<#10655>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBCIRKWIEZZFSJAGI53Y2LBJBAVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTANZYGUYTOOA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Hi @alex , thanks for the reply! I am aware of the rsa_padding argument while signing using the root CA. However, I am specifically looking for RSA-PSS OID for the certificate Subject Public Key. When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm. I am trying to understand if it is possible for this subjectPublicKeyInfo - Algorithm OID to be id-RSASSA-PSS OID. |
|
Ahh, sorry I misunderstood. No, there's currently no way to do this
…On Wed, Mar 27, 2024, 9:44 AM VaderBV ***@***.***> wrote:
Hi @alex <https://github.com/alex> , thanks for the reply!
I am aware of the rsa_padding argument while signing using the root CA.
However, I am specifically looking for RSA-PSS OID for the *certificate
Subject Public Key*.
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key
When an RSAPublicKey is provided to this method, the serialized DER
certificate has the rsaEncryption OID as the Subject Public Key algorithm.
I am trying to understand if it is possible for this subjectPublicKeyInfo
- Algorithm OID to be id-RSASSA-PSS OID.
I have attached the ASN.1 parsed example of a certificate I generated
using openssl to showcase the above.
image.png (view on web)
<https://github.com/pyca/cryptography/assets/54500859/81025478-8860-4cf9-a2c5-cbf2ece95db0>
—
Reply to this email directly, view it on GitHub
<#10655 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBAZFVII2RGBASPZ7W3Y2LEK7AVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRSHAYDONZXHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Hi, As a follow-up question, is it possible to add support to generate rsa-pss keys ? Using openssl it is possible to generate rsa-pss keys, but I wasn't able to do it neither with cryptography nor with pyOpenSSL. However, I was able to load the rsa-pss key from a pem file using pyOpenSSL and was able to use it to generate a certificate with SubjectPublicKey algorithm OID as id-RSASSA-PSS. Trying to use Cryptography library for the same, resulted in an error while trying to load the rsa-pss key from pem file. Thanks |
Hi,
I am using the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key.
I am able to build the certificate successfully.
But, when I parse the DER serialized certificate using ASN.1 Parser, I notice that the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1.
Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?
I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.
Thanks
The text was updated successfully, but these errors were encountered: