
Commit c040537

Add PKCS_RSA_PSS_SHA384 _SHA512 variants
A previous commit has added PKCS_RSA_PSS_SHA256 and made it publicly available. * Replicate the same behaviour for PKCS_RSA_PSS_SHA384 and PKCS_RSA_PSS_SHA512 Signed-off-by: Tomás González <[email protected]>
1 parent 95801d8 commit c040537


5 files changed

+70
-0
lines changed


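--- a/rcgen/src/key_pair.rs
+++ b/rcgen/src/key_pair.rs
@@ -252,6 +252,12 @@ impl KeyPair {
 } else if alg == &PKCS_RSA_PSS_SHA256 {
 let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?;
 KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
+} else if alg == &PKCS_RSA_PSS_SHA384 {
+let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?;
+KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA384)
+} else if alg == &PKCS_RSA_PSS_SHA512 {
+let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?;
+KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA512)
 } else {
 #[cfg(feature = "aws_lc_rs")]
 if alg == &PKCS_ECDSA_P521_SHA512 {
@@ -367,6 +373,12 @@ impl KeyPair {
 } else if alg == &PKCS_RSA_PSS_SHA256 {
 let rsakp = rsa_key_pair_from(&serialized_der)._err()?;
 KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
+} else if alg == &PKCS_RSA_PSS_SHA384 {
+let rsakp = rsa_key_pair_from(&serialized_der)._err()?;
+KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA384)
+} else if alg == &PKCS_RSA_PSS_SHA512 {
+let rsakp = rsa_key_pair_from(&serialized_der)._err()?;
+KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA512)
 } else {
 panic!("Unknown SignatureAlgorithm specified!");
 };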
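Review bot: The two added PSS branches are repeated verbatim in both dispatch chains (new lines 255-260 and 376-381), and each branch differs from its neighbours only in the `signature::RSA_PSS_*` constant it passes. The second chain ends in `panic!("Unknown SignatureAlgorithm specified!")`, so a variant added to one chain and missed in the other would surface as a runtime panic rather than a compile error. Consider resolving the encoding in one place, for example a small private helper that maps `alg` to the matching `signature::RSA_PSS_*` encoding, and calling it from both chains. Both enclosing functions start and end outside these hunks, so the surrounding branches are not visible here.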

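--- a/rcgen/src/oid.rs
+++ b/rcgen/src/oid.rs
@@ -31,6 +31,12 @@ pub(crate) const RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113549, 1, 1, 1];
 /// id-RSASSA-PSS in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6) with sha256WithRSAEncryption
 pub(crate) const RSASSA_PSS_SHA256: &[u64] = &[1, 2, 840, 113549, 1, 1, 11];
 
+/// id-RSASSA-PSS in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6) with sha384WithRSAEncryption
+pub(crate) const RSASSA_PSS_SHA384: &[u64] = &[1, 2, 840, 113549, 1, 1, 12];
+
+/// id-RSASSA-PSS in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6) with sha512WithRSAEncryption
+pub(crate) const RSASSA_PSS_SHA512: &[u64] = &[1, 2, 840, 113549, 1, 1, 13];
+
 /// id-ce-keyUsage in [RFC 5280](https://tools.ietf.org/html/rfc5280#appendix-A.2)
 pub(crate) const KEY_USAGE: &[u64] = &[2, 5, 29, 15];
 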
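Review bot: The arcs given to `RSASSA_PSS_SHA384` and `RSASSA_PSS_SHA512` (ending in `1, 12` and `1, 13`) are the `sha384WithRSAEncryption` / `sha512WithRSAEncryption` identifiers, as the doc comments themselves say; those name PKCS#1 v1.5 signatures, whereas RFC 4055 gives id-RSASSA-PSS the single arc `1.2.840.113549.1.1.10` and carries the hash in the parameters. sign_algo.rs uses these constants as `oid_components` and `oids_sign_alg` together with `SignatureAlgorithmParams::RsaPss`, so the output would presumably advertise a v1.5 algorithm while carrying a PSS signature and PSS parameters, which a strict verifier is likely to reject. This follows the existing `RSASSA_PSS_SHA256` constant, so it may be deliberate, but the PSS entries in tests/openssl.rs and tests/webpki.rs are commented out, so nothing in this commit checks that a verifier accepts the result. Please confirm against RFC 4055 section 6 and, if the mismatch is real, point the PSS variants at one constant such as `pub(crate) const RSASSA_PSS: &[u64] = &[1, 2, 840, 113549, 1, 1, 10];`.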

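--- a/rcgen/src/sign_algo.rs
+++ b/rcgen/src/sign_algo.rs
@@ -49,6 +49,10 @@ impl fmt::Debug for SignatureAlgorithm {
 write!(f, "PKCS_RSA_SHA512")
 } else if self == &PKCS_RSA_PSS_SHA256 {
 write!(f, "PKCS_RSA_PSS_SHA256")
+} else if self == &PKCS_RSA_PSS_SHA384 {
+write!(f, "PKCS_RSA_PSS_SHA384")
+} else if self == &PKCS_RSA_PSS_SHA512 {
+write!(f, "PKCS_RSA_PSS_SHA512")
 } else if self == &PKCS_ECDSA_P256_SHA256 {
 write!(f, "PKCS_ECDSA_P256_SHA256")
 } else if self == &PKCS_ECDSA_P384_SHA384 {
@@ -89,6 +93,8 @@ impl SignatureAlgorithm {
 &PKCS_RSA_SHA384,
 &PKCS_RSA_SHA512,
 &PKCS_RSA_PSS_SHA256,
+&PKCS_RSA_PSS_SHA384,
+&PKCS_RSA_PSS_SHA512,
 &PKCS_ECDSA_P256_SHA256,
 &PKCS_ECDSA_P384_SHA384,
 #[cfg(feature = "aws_lc_rs")]
@@ -166,6 +172,48 @@ pub(crate) mod algo {
 },
 };
 
+/// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-384 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055)
+///
+/// Note: `*ring*` does not support this signature algorithm, and so it can not be used with the `crypto` feature
+/// of `rcgen` when verifying signatures using the `ring` backend.
+pub static PKCS_RSA_PSS_SHA384: SignatureAlgorithm = SignatureAlgorithm {
+// We could also use RSA_ENCRYPTION here, but it's recommended
+// to use ID-RSASSA-PSS if possible.
+oids_sign_alg: &[&RSASSA_PSS_SHA384],
+#[cfg(feature = "crypto")]
+sign_alg: SignAlgo::Rsa(&signature::RSA_PSS_SHA384),
+oid_components: RSASSA_PSS_SHA384, //&[1, 2, 840, 113549, 1, 1, 12],
+// rSASSA-PSS-SHA384-Params in RFC 4055
+params: SignatureAlgorithmParams::RsaPss {
+// id-sha384 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1
+hash_algorithm: &[2, 16, 840, 1, 101, 3, 4, 2, 2],
+// It's conventional to use a salt length equal to the size of the hash algorithm's digest
+// (48 bytes for the 384 bit digest produced by SHA384).
+salt_length: 48,
+},
+};
+
+/// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-512 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055)
+///
+/// Note: `*ring*` does not support this signature algorithm, and so it can not be used with the `crypto` feature
+/// of `rcgen` when verifying signatures using the `ring` backend.
+pub static PKCS_RSA_PSS_SHA512: SignatureAlgorithm = SignatureAlgorithm {
+// We could also use RSA_ENCRYPTION here, but it's recommended
+// to use ID-RSASSA-PSS if possible.
+oids_sign_alg: &[&RSASSA_PSS_SHA512],
+#[cfg(feature = "crypto")]
+sign_alg: SignAlgo::Rsa(&signature::RSA_PSS_SHA512),
+oid_components: RSASSA_PSS_SHA512, //&[1, 2, 840, 113549, 1, 1, 13],
+// rSASSA-PSS-SHA512-Params in RFC 4055
+params: SignatureAlgorithmParams::RsaPss {
+// id-sha512 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1
+hash_algorithm: &[2, 16, 840, 1, 101, 3, 4, 2, 3],
+// It's conventional to use a salt length equal to the size of the hash algorithm's digest
+// (64 bytes for the 512 bit digest produced by SHA512).
+salt_length: 64,
+},
+};
+
 /// ECDSA signing using the P-256 curves and SHA-256 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2)
 pub static PKCS_ECDSA_P256_SHA256: SignatureAlgorithm = SignatureAlgorithm {
 oids_sign_alg: &[&EC_PUBLIC_KEY, &EC_SECP_256_R1],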

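--- a/rcgen/tests/openssl.rs
+++ b/rcgen/tests/openssl.rs
@@ -289,6 +289,8 @@ fn test_openssl_rsa_combinations_given() {
 &rcgen::PKCS_RSA_SHA384,
 &rcgen::PKCS_RSA_SHA512,
 //&rcgen::PKCS_RSA_PSS_SHA256,
+//&rcgen::PKCS_RSA_PSS_SHA384,
+//&rcgen::PKCS_RSA_PSS_SHA512,
 ];
 for (i, alg) in alg_list.iter().enumerate() {
 let (params, _) = util::default_params();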

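--- a/rcgen/tests/webpki.rs
+++ b/rcgen/tests/webpki.rs
@@ -245,6 +245,8 @@ fn test_webpki_rsa_combinations_given() {
 &signature::RSA_PKCS1_SHA512,
 ),
 //(&rcgen::PKCS_RSA_PSS_SHA256, &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, &signature::RSA_PSS_SHA256),
+//(&rcgen::PKCS_RSA_PSS_SHA384, &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, &signature::RSA_PSS_SHA384),
+//(&rcgen::PKCS_RSA_PSS_SHA384, &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, &signature::RSA_PSS_SHA512),
 ];
 for c in configs {
 let (params, _) = util::default_params();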
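Review bot: The second added entry (new line 249) pairs `&rcgen::PKCS_RSA_PSS_SHA384` with the SHA-512 verifier and encoding; this looks like a copy-paste slip, and the first element should be `&rcgen::PKCS_RSA_PSS_SHA512`. The line is commented out, so nothing fails today, but whoever enables it later would exercise the wrong combination. Both new variants also stay disabled here and in tests/openssl.rs, so the commit exposes two public signature algorithms with no test that a verifier accepts their output. A short comment stating why the PSS entries are disabled would tell the next reader what has to change before they can be turned on. The test function continues outside the hunk.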
