Support all signature algorithms #60

Open
2 of 7 tasks
kpp opened this issue Jul 14, 2021 · 6 comments

Comments

@kpp

kpp commented Jul 14, 2021

See https://tools.ietf.org/id/draft-ietf-tls-tls13-21.html#rfc.section.4.2.3 for a full list of signature algos.

So far missing:

@est31
Member

est31 commented Jul 14, 2021

The non-RSA based algos are blocked by ring support, while RSA based algos haven't been much of a priority for me because ring has no key generation support. I'm open to adding them though.

@kpp
Author

kpp commented Jul 15, 2021

I see. While there is no key generation support, we can at least load them from a file.

est31 added a commit that referenced this issue Aug 12, 2021
@est31
Member

est31 commented Aug 17, 2021

I've tried adding RSA_PSS support in b2733e8 but didn't get it to work. So I made support non-pub for now. See also 46bf2ef. One could say it's blocked on briansmith/ring#1353, but I'm not sure.

I might try to build a remote KeyPair that can ingest openssl keys. Based on that I could build support for the remaining signature algorithms.

@kpp
Author

kpp commented Aug 17, 2021

I created a tool in Go to generate certs signed with different algos: https://gist.github.com/kpp/c9c84411e17f4b27dddf0d438b289862#file-main-go with hardcoded `var signatureScheme = tls.PSSWithSHA384`. You can use that. I was never able to generate valid PSS certs with openssl.

@Alvenix
Contributor

Alvenix commented Mar 13, 2024

> * [ ] PKCS_ECDSA_P521_SHA512 (depends on [NIST curve P-521 SHA-512 support for generating keys and signing briansmith/ring#824](https://github.com/briansmith/ring/issues/824))

Can't this be supported now, with the aws_lc_rs feature? If the support is still desired and currently possible, I could try to work on a PR to add the support.

@djc
Member

djc commented Mar 13, 2024

@Alvenix yeah, that probably makes sense. Would be great if you can submit a PR for this!
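Editor's note: the following is an added example illustrating this thread, written for this page; it is not kpp's gist, not a commit from rcgen and not ring or aws-lc-rs code. It does with the Go standard library what kpp's tool did: generate a key and a self-signed certificate for each TLS 1.3 signature scheme the issue tracks, including RSA-PSS with SHA-384 (the scheme the gist hardcodes) and ECDSA P-521 with SHA-512 (the item Alvenix quotes), then parse the certificate back, check that it declares the requested algorithm and that its self-signature verifies. Where the gist works with `tls.SignatureScheme`, this uses `x509.SignatureAlgorithm`, which is what `x509.CreateCertificate` accepts. The function names `SelfSignedPEM` and `CheckSelfSigned`, the subject name, the validity window and the 2048-bit RSA size are this example's own choices, not anything from the thread.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// generateKey returns a key type that matches alg: one RSA key serves both PKCS#1 v1.5 and PSS,
// each NIST curve is paired with the hash TLS 1.3 mandates for it (P-521 with SHA-512).
func generateKey(alg x509.SignatureAlgorithm) (crypto.Signer, error) {
	switch alg {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
		return rsa.GenerateKey(rand.Reader, 2048) // key size is this example's choice
	case x509.ECDSAWithSHA256:
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case x509.ECDSAWithSHA384:
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	case x509.ECDSAWithSHA512:
		return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	case x509.PureEd25519:
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	}
	return nil, errors.New("no key type for the requested signature algorithm")
}

// SelfSignedPEM creates a self-signed CA certificate signed with alg and returns the
// certificate and its PKCS#8 private key, both PEM-encoded. Subject and validity are placeholders.
func SelfSignedPEM(alg x509.SignatureAlgorithm) (certPEM, keyPEM []byte, err error) {
	priv, err := generateKey(alg)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "signature algorithm test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CheckSignatureFrom needs CertSign
		BasicConstraintsValid: true,
		IsCA:                  true, // and a CA basic constraint on the signing certificate
		SignatureAlgorithm:    alg,  // this field is what selects PSS over PKCS#1 v1.5
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// CheckSelfSigned parses a PEM certificate, verifies the signature against the certificate's
// own public key and reports the algorithm the certificate declares in its signatureAlgorithm field.
func CheckSelfSigned(certPEM []byte) (x509.SignatureAlgorithm, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return x509.UnknownSignatureAlgorithm, errors.New("expected a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	return cert.SignatureAlgorithm, cert.CheckSignatureFrom(cert)
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{
		x509.SHA256WithRSA, x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512, x509.PureEd25519,
	} {
		certPEM, _, err := SelfSignedPEM(alg)
		if err != nil {
			fmt.Println(alg, "generate:", err)
			continue
		}
		got, err := CheckSelfSigned(certPEM)
		fmt.Println(alg, "-> certificate declares", got, "self-signature check:", err)
	}
}
```

The two PEM blocks `SelfSignedPEM` returns are what you would write to disk and hand to a library that can only load keys rather than generate them, which is the workaround kpp proposes above for the RSA variants: the key comes from another tool, the library only has to parse PKCS#8 and sign. `CheckSelfSigned` is the part worth keeping when testing a library's own output: a certificate can carry the right signatureAlgorithm OID while the signature bytes are wrong, and only verifying against the public key catches that.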
