Expose PKCS_RSA_PSS_SHA256 for CSR generation

Make PKCS_RSA_PSS_SHA256 a publicly accessible algorithm so that CSRs can be created for RSA PSS. Signed-off-by: Tomás González <[email protected]>
rustls · May 8, 2024 · cf26b59 · cf26b59
1 parent ff6fcc5
commit cf26b59
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs
@@ -88,7 +88,7 @@ impl SignatureAlgorithm {
 			&PKCS_RSA_SHA256,
 			&PKCS_RSA_SHA384,
 			&PKCS_RSA_SHA512,
-			//&PKCS_RSA_PSS_SHA256,
+			&PKCS_RSA_PSS_SHA256,
 			&PKCS_ECDSA_P256_SHA256,
 			&PKCS_ECDSA_P384_SHA384,
 			#[cfg(feature = "aws_lc_rs")]
@@ -145,19 +145,17 @@ pub(crate) mod algo {
 		params: SignatureAlgorithmParams::Null,
 	};
 
-	// TODO: not really sure whether the certs we generate actually work.
-	// Both openssl and webpki reject them. It *might* be possible that openssl
-	// accepts the certificate if the key is a proper RSA-PSS key, but ring doesn't
-	// support those: https://github.com/briansmith/ring/issues/1353
+	// openssl accepts the certificate if the key is a proper RSA-PSS key, but
+	// ring doesn't support those: https://github.com/briansmith/ring/issues/1353
 	//
 	/// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-256 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055)
-	pub(crate) static PKCS_RSA_PSS_SHA256: SignatureAlgorithm = SignatureAlgorithm {
+	pub static PKCS_RSA_PSS_SHA256: SignatureAlgorithm = SignatureAlgorithm {
 		// We could also use RSA_ENCRYPTION here, but it's recommended
 		// to use ID-RSASSA-PSS if possible.
 		oids_sign_alg: &[&RSASSA_PSS],
 		#[cfg(feature = "crypto")]
 		sign_alg: SignAlgo::Rsa(&signature::RSA_PSS_SHA256),
-		oid_components: RSASSA_PSS, //&[1, 2, 840, 113549, 1, 1, 13],
+		oid_components: RSASSA_PSS, //&[1, 2, 840, 113549, 1, 1, 10],
 		// rSASSA-PSS-SHA256-Params in RFC 4055
 		params: SignatureAlgorithmParams::RsaPss {
 			// id-sha256 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1