Help/Feature Request: X509 Certificate Builder PublicKey RSA-PSS OID support

[VaderBV]

Hi,

I am using the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key.

I am able to build the certificate successfully.

But, when I parse the DER serialized certificate using ASN.1 Parser, I notice that the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1.

Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ?

I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme.

Thanks

[alex]

See the rsa_padding argument https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.sign

…

On Wed, Mar 27, 2024, 9:18 AM VaderBV ***@***.***> wrote: Hi, I am trying to use the X.509 Certificate Builder to build a certificate which has an RSA Subject Public Key. I am able to get the certificate successfully. But, when I parse the DER serialized certificate using ASN.1 Parser, the SubjectPublicKeyInfo field of the certificate has an algorithm OID - rsaEncryption OID = 1.2.840.113549.1.1.1. Is it possible for this Subject Public Key algorithm OID to be changed to id-RSASSA-PSS OID = 1.2.840.113549.1.1.10 ? I am trying to use the certificate with a secure element, which requires id-RSASSA-PSS OID if the key is being used for RSASSA-PSS Signature scheme. Thanks — Reply to this email directly, view it on GitHub <#10655>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBCIRKWIEZZFSJAGI53Y2LBJBAVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTANZYGUYTOOA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[VaderBV]

Hi @alex , thanks for the reply!

I am aware of the rsa_padding argument while signing using the root CA.

However, I am specifically looking for RSA-PSS OID for the certificate Subject Public Key.
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key

When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm.

I am trying to understand if it is possible for this subjectPublicKeyInfo - Algorithm OID to be id-RSASSA-PSS OID.
I have attached the ASN.1 parsed example of a certificate to showcase the above.

[alex]

Ahh, sorry I misunderstood. No, there's currently no way to do this

…

On Wed, Mar 27, 2024, 9:44 AM VaderBV ***@***.***> wrote: Hi @alex <https://github.com/alex> , thanks for the reply! I am aware of the rsa_padding argument while signing using the root CA. However, I am specifically looking for RSA-PSS OID for the *certificate Subject Public Key*. https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder.public_key When an RSAPublicKey is provided to this method, the serialized DER certificate has the rsaEncryption OID as the Subject Public Key algorithm. I am trying to understand if it is possible for this subjectPublicKeyInfo - Algorithm OID to be id-RSASSA-PSS OID. I have attached the ASN.1 parsed example of a certificate I generated using openssl to showcase the above. image.png (view on web) <https://github.com/pyca/cryptography/assets/54500859/81025478-8860-4cf9-a2c5-cbf2ece95db0> — Reply to this email directly, view it on GitHub <#10655 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBAZFVII2RGBASPZ7W3Y2LEK7AVCNFSM6AAAAABFK3UHGGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRSHAYDONZXHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[VaderBV]

Hi,

As a follow-up question, is it possible to add support to generate rsa-pss keys ?

Using openssl it is possible to generate rsa-pss keys, but I wasn't able to do it neither with cryptography nor with pyOpenSSL.

However, I was able to load the rsa-pss key from a pem file using pyOpenSSL and was able to use it to generate a certificate with SubjectPublicKey algorithm OID as id-RSASSA-PSS.

Trying to use Cryptography library for the same, resulted in an error while trying to load the rsa-pss key from pem file.

Thanks

[OlegAndrianov]

I second that request.
It appears there is a getter cert.public_key_algorithm_oid, but there is no way to define this parameter, specifically to generate a PSS public key.
That is used, as TLS 1.3 requires it:
"/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
rsa_pss_pss_sha256(0x0809),
rsa_pss_pss_sha384(0x080a),
rsa_pss_pss_sha512(0x080b),"
And we are using cryptography to generate matching certificates.

[alex]

It's correct that there's no way to generate a certificate with a PSS key type, only RSA keys with a PSS signature. That said, I'm not sure which particular portion of the TLS 1.3 spec you're referring to, but it's certainly possible to have cryptography issue certs that are used in TLS 1.3 handshakes.

…

On Thu, Dec 19, 2024 at 6:57 PM Oleg Andrianov ***@***.***> wrote: I second that request. It appears there is a getter cert.public_key_algorithm_oid, but there is no way to define this parameter, specifically to generate a PSS public key. That is used, as TLS 1.3 requires it: "/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */ rsa_pss_pss_sha256(0x0809), rsa_pss_pss_sha384(0x080a), rsa_pss_pss_sha512(0x080b)," And we are using cryptography to generate matching certificates. — Reply to this email directly, view it on GitHub <#10655 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBBGFM24HKGXTWTRATD2GNMNPAVCNFSM6AAAAABT6BLNY6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNJVHE3TOMBXG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[OlegAndrianov]

I am quoting Signature Algorithms Section in TLS 1.3 RFC,
and it specifically says that :

RSASSA-PSS PSS algorithms:  Indicates a signature algorithm using
      RSASSA-PSS [[RFC8017](https://datatracker.ietf.org/doc/html/rfc8017)] with mask generation function 1.  The digest
      used in the mask generation function and the digest being signed
      are both the corresponding hash algorithm as defined in [[SHS](https://datatracker.ietf.org/doc/html/rfc8446#ref-SHS)].
      The length of the Salt MUST be equal to the length of the digest
      algorithm.  If the public key is carried in an X.509 certificate,
      it MUST use the RSASSA-PSS OID [[RFC5756](https://datatracker.ietf.org/doc/html/rfc5756)].
      When used in certificate signatures, the algorithm parameters MUST be DER
      encoded.  If the corresponding public key's parameters are
      present, then the parameters in the signature MUST be identical to
      those in the public key.

I agree that certificates created by default are accepted by TLS 1.3 as RSASSA-PSS algorithms with public key OID rsaEncryption (as on the screenshot)

but we also need to create an instance for "RSASSA-PSS algorithms with public key OID RSASSA-PSS", as defined in the TLS 1.3 Signature extensions list
That ties to RFC 4055, which says

" When the RSA private key owner wishes to limit the use of the public key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object identifier MUST be used in the algorithm field within the subject public key information, and, if present, the parameters field MUST contain RSASSA-PSS-params...