
RSASSA-PSS support #30

Open · wants to merge 4 commits into master
Conversation

LuNoX (Author) commented Nov 13, 2020

Currently, certvalidator only supports RSASSA-PKCS1 v1.5. As described in RFC 3447, RSASSA-PSS (PKCS1 v2.1) is recommended over v1.5. Many recently issued certificates use it already.

This commit adds support for RSASSA-PSS signature validation.

Added support for RSASSA-PSS signature validation
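As an added illustration (not code from certvalidator or from this PR), the verification the PR adds, written out from RFC 3447 in pure Python: RSAVP1 followed by EMSA-PSS-VERIFY, with the salt length taken as a parameter because a certificate's RSASSA-PSS-params carry it and a verifier must honour it. The key is a toy constructed from two Mersenne primes so the round trip runs offline; `hash_name`, `s_len` and the sample message are assumptions.

```python
import hashlib
import os

# Toy key from two known Mersenne primes (constructed so the demo runs offline; real n, e come from the issuer cert).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def mgf1(seed, mask_len, hash_name):  # MGF1, RFC 3447 B.2.1
    h_len = hashlib.new(hash_name).digest_size
    blocks = (hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest() for c in range((mask_len + h_len - 1) // h_len))
    return b"".join(blocks)[:mask_len]

def emsa_pss_encode(m, em_bits, hash_name, s_len):
    """EMSA-PSS-ENCODE (RFC 3447 9.1.1) with a fresh random salt of s_len octets."""
    h_len, em_len, salt = hashlib.new(hash_name).digest_size, (em_bits + 7) // 8, os.urandom(s_len)
    h = hashlib.new(hash_name, b"\x00" * 8 + hashlib.new(hash_name, m).digest() + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db), hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the 8*emLen - emBits unused leading bits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(m, em, em_bits, hash_name, s_len):
    """EMSA-PSS-VERIFY (RFC 3447 9.1.2); s_len is the saltLength from the cert's RSASSA-PSS-params."""
    h_len, em_len = hashlib.new(hash_name).digest_size, (em_bits + 7) // 8
    if em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h, unused = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1], 8 * em_len - em_bits
    if masked[0] >> (8 - unused):  # the unused leading bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked), hash_name)))
    db[0] &= 0xFF >> unused
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:  # PS must be all-zero, followed by the 0x01 separator
        return False
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + hashlib.new(hash_name, m).digest() + bytes(db[ps_len + 1 :])).digest()
    return h == h_prime  # every input here is public, so a plain comparison is adequate

def rsassa_pss_sign(m, hash_name="sha256", s_len=32):  # RSASSA-PSS-SIGN with the toy key
    em = emsa_pss_encode(m, N.bit_length() - 1, hash_name, s_len)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes((N.bit_length() + 7) // 8, "big")

def rsassa_pss_verify(n, e, m, sig, hash_name="sha256", s_len=32):
    """RSASSA-PSS-VERIFY (RFC 3447 8.1.2): RSAVP1, then EMSA-PSS-VERIFY on the recovered EM."""
    mod_bits, s = n.bit_length(), int.from_bytes(sig, "big")
    rep = pow(s, e, n) if s < n else n  # RSAVP1 requires 0 <= s < n
    if len(sig) != (mod_bits + 7) // 8 or rep.bit_length() > mod_bits - 1:  # EM must fit in emBits
        return False
    return emsa_pss_verify(m, rep.to_bytes((mod_bits + 6) // 8, "big"), mod_bits - 1, hash_name, s_len)
```

For a real certificate, `m` is the DER-encoded tbsCertificate, `sig` the signatureValue, and `hash_name` and `s_len` are read from the signature AlgorithmIdentifier's parameters rather than assumed.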
wbond (Owner) commented Nov 13, 2020

Thanks for taking the time to submit this enhancement!

We'll definitely want some tests to go with this. I'm not sure if the NIST test suite has any as of 2020. You can find a link to that at https://github.com/wbond/certvalidator/blob/master/docs/readme.md.

An alternative place to look for testing certs and chains would be the OpenSSL suite.

LuNoX (Author) commented Nov 13, 2020

Thanks for the quick response!

It seems all the certs in the NIST suite use RSASSA-PKCS1 v1.5 rather than RSASSA-PSS. None of the OpenSSL OCSP tests use it either. This OpenSSL cert features a PSS signature. However, it does not pass the path validation because of CA:FALSE (it wasn't meant for path validation anyway).

I tested the feature locally with our company's public cert chain for a project of mine. It worked, but I assume that won't suffice. Since I could not find a publicly available cert chain featuring PSS, I suppose the best way to go forward would be for you to generate one?

wbond (Owner) commented Nov 13, 2020

I’d be fine with any valid chain that you’d be alright including in the test fixtures. I would obviously expect it to pass OpenSSL validation.

LuNoX (Author) commented Nov 13, 2020

If it doesn't, then we're getting scammed, haha. Our cert is expiring next month and we will be issued a new one with PSS. If I get the ok from the higher ups, we can use that one. Until then, I'll leave the PR open and just use my fork for a while.

LuNoX (Author) commented Nov 28, 2022

Hey, I know it's been a while, but I just thought about this PR and went looking for a suitable certificate. Neither OpenSSL nor the NIST suite provides one. However, since PSS is standard in many industries in Europe now, it didn't take long to find one on globaltrustpoint that uses it. This is RWE's (major energy corporation) current public cert for market communication.

[email protected]_0x79D286D4.cer.txt (had to rename it to .txt so the upload would work)

Would you want me to update the PR using this cert in the suite?

LuNoX (Author) commented Nov 29, 2022

I added a test for it. Feel free to run it and merge the PR.

LuNoX (Author) commented Jul 20, 2023

@wbond Would you mind merging this PR after taking a look at it? I think it would make a lot of Germans doing Edifact@Energy things happy ^^
