Skip to content

Add TLS RSA-PSS certificate support#4368

Closed
snhenson wants to merge 5 commits intoopenssl:masterfrom
snhenson:tls_pss
Closed

Add TLS RSA-PSS certificate support#4368
snhenson wants to merge 5 commits intoopenssl:masterfrom
snhenson:tls_pss

Conversation

@snhenson
Copy link
Copy Markdown
Contributor

@snhenson snhenson commented Sep 14, 2017

Checklist
  • tests are added or updated

This PR adds support for RSA-PSS certificate to TLS 1.3 and 1.2 as required by the current TLS 1.3 draft.

@snhenson
Add RSA-PSS key certificate type.
e6accfc 
Recognise RSA-PSS certificate algorithm and add a new certificate
type.
@snhenson snhenson mentioned this pull request Sep 14, 2017
Closed
richsalz
richsalz approved these changes Sep 14, 2017
View reviewed changes
Copy link
Copy Markdown
Contributor

@richsalz richsalz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit. which only proves I read the diff :) you might want to have matt look at this PR. Or not.

ssl/t1_lib.c Outdated
Copy link
Copy Markdown
Contributor

@richsalz richsalz Sep 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

blank line; flip this with the blank line that follows

@snhenson
Allow RSA certificates to be used for RSA-PSS
5fa47be 
Allo RSA certificate to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.
kaduk
kaduk approved these changes Sep 14, 2017
View reviewed changes
ssl/ssl_lib.c Outdated
Copy link
Copy Markdown
Contributor

@kaduk kaduk Sep 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting the (preexisting) mismatch in this function as to whether braces are used for one-line conditional bodies.

ssl/ssl_lib.c Outdated
Copy link
Copy Markdown
Contributor

@kaduk kaduk Sep 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be more clear to make this a standalone 'if' clause instead of 'else if' (and outdent the comment to match, moving it outside the braces) -- there shouldn't be any functional change from doing so.

@kroeckx
Copy link
Copy Markdown
Member

kroeckx commented Sep 15, 2017

Can you also add tests that fail?

tmshort
tmshort reviewed Sep 15, 2017
View reviewed changes
ssl/ssl_locl.h Outdated
Copy link
Copy Markdown
Contributor

@tmshort tmshort Sep 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a fan of changing all these, but it's an internal data structure, so it shouldn't matter. (No change requested.)

@snhenson
Copy link
Copy Markdown
Contributor Author

snhenson commented Sep 17, 2017

OK added a couple of failing tests: PSS with no PSS signature algorithms and attempt to use PSS with TLS 1.1.

@snhenson
Copy link
Copy Markdown
Contributor Author

snhenson commented Sep 19, 2017

Ping, any more comments? The two original reviews are for a previous version of this PR.

@kaduk
Copy link
Copy Markdown
Contributor

kaduk commented Sep 19, 2017

No further comment from me; reconfirm +1

levitte pushed a commit that referenced this pull request Sep 20, 2017
@snhenson
Add RSA-PSS key certificate type.
045d078 
Recognise RSA-PSS certificate algorithm and add a new certificate
type.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from #4368)
levitte pushed a commit that referenced this pull request Sep 20, 2017
@snhenson
Allow RSA certificates to be used for RSA-PSS
b46867d 
Allo RSA certificate to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from #4368)
levitte pushed a commit that referenced this pull request Sep 20, 2017
@snhenson
Allow use of RSA-PSS certificates in TLS 1.2
6aaa29f 
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from #4368)
levitte pushed a commit that referenced this pull request Sep 20, 2017
@snhenson
Add RSA-PSS test certificates
613816f 
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from #4368)
levitte pushed a commit that referenced this pull request Sep 20, 2017
@snhenson
Add RSA-PSS certificate type TLS tests
800c488 
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from #4368)
@snhenson
Copy link
Copy Markdown
Contributor Author

snhenson commented Sep 20, 2017

Thanks everyone, pushed.

@snhenson snhenson closed this Sep 20, 2017
@adrianosela adrianosela mentioned this pull request Jan 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tmshort tmshort tmshort left review comments

+2 more reviewers

@kaduk kaduk kaduk approved these changes

@richsalz richsalz richsalz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@snhenson @kroeckx @kaduk @richsalz @tmshort