'Re: [openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssl-users
Subject:    Re: [openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*
From:       Hubert Kario <hkario () redhat ! com>
Date:       2018-06-20 17:20:41
Message-ID: 3191979.IQF0b6dFqg () pintsize ! usersys ! redhat ! com
[Download RAW message or body]

[Attachment #2 (multipart/signed)]

On Wednesday, 20 June 2018 07:51:11 CEST John Jiang wrote:
> 2018-06-19 23:11 GMT+08:00 Jakob Bohm <jb-openssl@wisemo.com>:
> > On 19/06/2018 15:40, John Jiang wrote:
> >> Using OpenSSL 1.1.1-pre7
> >> 
> >> Please consider the following cases and handshaking results:
> >> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> suite
> >> Handshaking failed with no suitable cipher
> >> 
> >> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >> cipher suite
> >> Handshaking succeeded.
> >> 
> >> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> suite
> >> Handshaking succeeded.
> >> 
> >> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >> cipher suite
> >> Handshaking succeeded.
> >> 
> >> Why did case 1 fail?
> > 
> > The TLS_RSA_ cipher suites require that the premaster secret
> > is encrypted with the RSA key in the servers certificate.
> > But an rsa_pss_pss_256 certificate (have not seen that notation
> > before) is probably a signing-only certificate, that says not
> > to encrypt anything with its RSA key.
> 
> Why does rsa_pss_rsae_256 + TLS_RSA_* work?
> It sounds that rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature
> scheme.

because certificate that is usable for rsa_pss_rsae_sha256 signatures has a 
rsaEncryption Subject Public Key Info, that means it is generally usable both 
for encrypting the premaster key (TLS_RSA_* ciphers) and making signatures of 
its own (TLS_ECDHE_RSA_* ciphers), unless the KeyUsage X509v3 extension 
doesn't say otherwise...

certificate that has a rsassa-pss Subject Public Key Info key is usable *only* 
for making rsassa-pss signatures (or rsa_pss_pss_* signatures)
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
["signature.asc" (application/pgp-signature)]

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[prev in list] [next in list] [prev in thread] [next in thread] 