phpseclib: phpseclib3: RSASSA-PSS crl fails validation
Hi.
CRLs created with phpseclib3 and signed (RSASSA-PSS) by a RSA-type CA key fails validation with
PHP Fatal error: Uncaught phpseclib3\Exception\UnsupportedAlgorithmException: Signature algorithm unsupported in /usr/local/share/phpseclib/File/X509.php:1455
trace: phpseclib3\File\X509->validateSignatureHelper('rsaEncryption', '-----BEGIN PUBL...', 'id-RSASSA-PSS', '\xA7\xB5[\x84=k\xC2\xD6\x14\x0F(\xA1\xD4r\xE4...', '0\x81\x970\v\x06\t*\x86H\x86\xF7\r\x01\x01...')
maybe it makes sense to slightly change the validateSignatureCountable() like
https://github.com/kulikov-a/phpseclib/commit/bf4487c504ea5ea2c36ec7cd0e01fed05b41a6fd
and separate the steps of key loading and signature parameters loading?
Thanks!!
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 24 (13 by maintainers)
Commits related to this issue
- System: Trust: Revocation - phpseclib3 UnsupportedAlgorithmException() issue. According to the notes in https://phpseclib.com/docs/x509 the signCRL() method previously set the signatureAlgorithm by d... — committed to opnsense/core by AdSchellevis 2 years ago
- X509: make it so CRLs, CSRs and SPKACs can support PSS keys — committed to phpseclib/phpseclib by terrafrost 2 years ago
- X509: make it so PKCS1 X509 certs can create PSS sigs — committed to phpseclib/phpseclib by terrafrost 2 years ago
I’ve made it so that X509 certs with PKCS1 public keys can validate PSS signatures:
https://github.com/phpseclib/phpseclib/commit/f0a146eaa1ecc5e152a893e9ff2389a2b9024a25
Apologies for the delay! I got back from my vacay this past weekend and have since been trying to play catchup at work. I’ll try to look at this this evening - thanks!