common: add more RSA-PSS algorithm id definitions #9412
Conversation
Breakout from pyca#9405. Signed-off-by: William Woodruff <[email protected]>
| // RSA-PSS ASN.1 mask gen algorithms defined under the CA/B Forum BRs. | ||
| pub const PSS_SHA256_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { | ||
| oid: oid::MGF1_OID, | ||
| params: PSS_SHA256_HASH_ALG, | ||
| }; | ||
|
|
||
| pub const PSS_SHA384_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { | ||
| oid: oid::MGF1_OID, | ||
| params: PSS_SHA384_HASH_ALG, | ||
| }; | ||
|
|
||
| pub const PSS_SHA512_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { | ||
| oid: oid::MGF1_OID, | ||
| params: PSS_SHA512_HASH_ALG, | ||
| }; |
There was a problem hiding this comment.
NB: No coverage needed since these are just data, but for maximum correctness I could also test these against the exact expected DER encodings supplied by the CABF rules.
| @@ -234,6 +234,22 @@ pub const PSS_SHA1_HASH_ALG: AlgorithmIdentifier<'_> = AlgorithmIdentifier { | |||
| params: AlgorithmParameters::Sha1(Some(())), | |||
| }; | |||
|
|
|||
| // RSA-PSS ASN.1 hash algorithm definitions specified under the CA/B Forum BRs. | |||
There was a problem hiding this comment.
Is this comment really correct? It's not really defined by CABF, these come from the RFCs, right?
There was a problem hiding this comment.
I think that's right, although CABF doesn't make reference to the RFCs for their definitions of these. Want me to dig them up regardless?
There was a problem hiding this comment.
https://www.rfc-editor.org/rfc/rfc8017 looks like the right RFC, although it doesn't explicitly parametrize these the way CABF does.
There was a problem hiding this comment.
Hmm, really? I just assumed that these were all natural consequences of how it worked, and didn't need to be explicitly specified (same as SHA1)
There was a problem hiding this comment.
Yeah, CABF specifies the precise set that can be used (and provides their exact DER encodings as well) -- both are on page 97 of the PDF I linked in the top.
This adds hash and mask generation algorithm ID definitions for the three RSA-PSS configurations allowed under the CABF BRs, mirroring the existing definitions for RSA-PSS with SHA-1.
Breakout from #9405.
See
7.1.3.2.1 RSAin the CABF BRs for this: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf (page 97).