[Botan-devel] certificate default signing algorithm

Jack Lloyd lloyd at randombit.net
Thu Jul 1 07:52:47 EDT 2010

On Thu, Jul 01, 2010 at 10:48:28AM +0530, Sudhanshu Shukla wrote:
> Hi,
> I want to change the default rsa signature algorithm for certificates to
> RSASSA-PSS scheme. I have figured out that some things need to be changed in
> choose_sig_format() function in X509_ca.cpp source file. I am not sure about
> what to change the padding scheme of the rsa algo in this function.
> Any help would be greatly appreciated.

The layout for PSS in certs is rather funky, unfortunately, which is a
big reason it hasn't been supported before now.

Perusing RFC 4055 (http://tools.ietf.org/rfc/rfc4055.txt), it looks
like the following things would need to be changed to get this to

Obviously choosing to use PSS for RSA (padding = "EMSA4";)

PKIX's PSS format uses the same OID for all hash functions. Perhaps
the simplest approach is actually just to define the same OID with
different names (in policy.cpp). (Also you'd need to add all of the
MGF1 identifiers to the same file.)

The signature parameters needs to be a structure that actually tells
you what the hell is going on since the OID is useless for doing
that. Section 3.1 of the RFC has the definition. So this line:

   sig_algo.parameters = key.algorithm_identifier().parameters;

would have to become

   sig_algo.parameters = form_pss_params(hash_fn, maybe_other_params);

Finally, to actually verify these certs, you'd need to modify
X509_Store::check_sig to detect a PSS signature and in that case break
apart the parameters to figure out what the hash algorithm was since
the OID won't tell you.

Or, if you don't care about backwards compatibility with a RFC that
probably nobody implements, you could do this much easier by simply
defining a new set of OIDs for RSA with PSS/SHA-1, RSA with
PSS/SHA-256, etc, at which point it's a one line change to
choose_sig_format to use PSS instead of PKCS #1.5 :)
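Added example for this thread (not Botan's code, and not part of the message above): a small, dependency-free Python model of the RFC 4055 section 3.1 RSASSA-PSS-params structure that the reply describes. Python is used instead of Botan's own DER classes so it runs stand-alone; every function name (encode_pss_params, pss_signature_alg_id, decode_pss_params, pss_hash_for_check_sig, and the helpers) is an assumption. It shows both halves of the change: what form_pss_params would have to produce for sig_algo.parameters (with the DER rule that fields equal to their DEFAULT are omitted, so SHA-1 with a 20-byte salt encodes as an empty SEQUENCE), and the parsing step X509_Store::check_sig would need to recover the hash and salt length from the parameters, since the id-RSASSA-PSS OID alone does not say. The OIDs are the standard ones from RFC 4055 and RFC 3279.

```python
# Added example for this thread, not Botan's own code: encode and decode the
# RFC 4055 RSASSA-PSS-params structure.  All function names here are assumptions.

# Standard OIDs (RFC 4055 / RFC 3279) in dotted form.
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
HASH_NAMES = {OID_SHA1: "SHA-1", OID_SHA256: "SHA-256"}

def tlv(tag, body):                      # short-form length only; these structures are tiny
    if len(body) >= 0x80:
        raise ValueError("body too long for short-form length")
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_int(n):                          # non-negative INTEGER, minimal encoding
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def der_seq(*items):
    return tlv(0x30, b"".join(items))
def der_explicit(n, body):               # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, body)
def hash_alg_id(oid):                    # HashAlgorithm: OID plus NULL parameters
    return der_seq(der_oid(oid), tlv(0x05, b""))

def encode_pss_params(hash_oid, salt_length, mgf_hash_oid=None):
    """RSASSA-PSS-params (RFC 4055 3.1).  DER omits any field equal to its DEFAULT."""
    mgf_hash_oid = mgf_hash_oid or hash_oid
    fields = []
    if hash_oid != OID_SHA1:
        fields.append(der_explicit(0, hash_alg_id(hash_oid)))
    if mgf_hash_oid != OID_SHA1:
        fields.append(der_explicit(1, der_seq(der_oid(OID_MGF1), hash_alg_id(mgf_hash_oid))))
    if salt_length != 20:
        fields.append(der_explicit(2, der_int(salt_length)))
    return der_seq(*fields)              # trailerField stays at its DEFAULT of 1

def pss_signature_alg_id(hash_oid, salt_length):
    """The AlgorithmIdentifier sig_algo would have to carry: id-RSASSA-PSS plus params."""
    return der_seq(der_oid(OID_RSASSA_PSS), encode_pss_params(hash_oid, salt_length))

# Decoder: the part X509_Store::check_sig would need.
def _read_tlv(buf, pos=0):
    if pos + 2 > len(buf): raise ValueError("truncated DER")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf): raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def _read_seq(body):                     # -> [(tag, contents, raw_tlv), ...]
    items, pos = [], 0
    while pos < len(body):
        tag, val, end = _read_tlv(body, pos)
        items.append((tag, val, body[pos:end]))
        pos = end
    return items

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def decode_alg_id(raw):
    """AlgorithmIdentifier TLV -> (dotted OID, raw parameters TLV or None)."""
    tag, body, end = _read_tlv(raw)
    items = _read_seq(body) if tag == 0x30 else []
    if tag != 0x30 or end != len(raw) or not items or items[0][0] != 0x06 or len(items) > 2:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(items[0][1]), (items[1][2] if len(items) == 2 else None)

def decode_pss_params(raw):
    """RSASSA-PSS-params TLV -> dict with the RFC 4055 DEFAULT values filled in."""
    tag, body, end = _read_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("RSASSA-PSS-params must be a single SEQUENCE")
    out = {"hash": OID_SHA1, "mgf_hash": OID_SHA1, "salt_length": 20, "trailer_field": 1}
    last = -1
    for tag, val, _ in _read_seq(body):
        n = tag & 0x1F                   # fields are [0]..[3] EXPLICIT, ascending, at most once
        if tag & 0xE0 != 0xA0 or n <= last or n > 3:
            raise ValueError("unexpected, repeated or out-of-order field")
        last = n
        inner_tag, inner, inner_end = _read_tlv(val)
        if inner_end != len(val):
            raise ValueError("explicit tag must wrap exactly one value")
        if n == 0:
            out["hash"] = decode_alg_id(val)[0]
        elif n == 1:
            mgf_oid, mgf_params = decode_alg_id(val)
            if mgf_oid != OID_MGF1 or mgf_params is None:
                raise ValueError("only MGF1 is supported")
            out["mgf_hash"] = decode_alg_id(mgf_params)[0]
        elif inner_tag != 0x02:
            raise ValueError("saltLength/trailerField must be INTEGER")
        else:
            out["salt_length" if n == 2 else "trailer_field"] = int.from_bytes(inner, "big", signed=True)
    return out

def pss_hash_for_check_sig(sig_alg_id_raw):
    """(hash name, salt length) recovered from the params, since the OID alone cannot say."""
    oid, params = decode_alg_id(sig_alg_id_raw)
    if oid != OID_RSASSA_PSS or params is None:
        raise ValueError("not RSASSA-PSS, or params absent (treated as an error here)")
    p = decode_pss_params(params)
    if p["mgf_hash"] != p["hash"] or p["trailer_field"] != 1 or p["salt_length"] < 0:
        raise ValueError("MGF1 hash differs from hashAlgorithm, or unsupported trailer/salt")
    return HASH_NAMES.get(p["hash"], p["hash"]), p["salt_length"]
```

pss_signature_alg_id(OID_SHA256, 32) yields the AlgorithmIdentifier a SHA-256/PSS certificate would carry, and feeding it back through pss_hash_for_check_sig returns ("SHA-256", 32); the same call for SHA-1 with a 20-byte salt returns ("SHA-1", 20) from an empty parameter SEQUENCE, which is the DEFAULT handling a verifier has to get right. The decoder rejects repeated or out-of-order fields and a maskGenAlgorithm hash that differs from hashAlgorithm, the kinds of malformed parameters a check_sig implementation should refuse rather than guess at.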

