On Thu, Oct 28, 2010, Bram Cymet wrote:

> Hi,
>
> I would like to add rsa-pss support to my application and I have a few
> questions:
>
> RSA-PSS support exists in the current stable code base correct?
>

OpenSSL 0.9.8 has padding support and a rather crude EVP support: primarily so PSS could be tested in FIPS mode. OpenSSL 1.0.0 has integrated support in a much cleaner API. The unreleased HEAD includes support for PSS signatures in certificates.

> Is there any way to use it from the command line?
>

Yes the dgst utility supports PSS mode: you use the -sign and -sigopt options. There is undocumented support in 0.9.8 too.

> As far as I can tell to use RSA-PSS I compute a hash as I normally would
> and then call RSA_padding_add_PKCS1_PSS with the hash that I computed is
> that correct?
>

You can do that but it isn't recommended. The approved way is through the new EVP_DigestSign* functions in OpenSSL 1.0.0. After the init call you change the padding mode (and salt length if you wish) using the returned pctx.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
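The command-line route mentioned in the reply, as an added example that is not part of the original mail: signing and verifying with `openssl dgst` in PSS mode, and checking three properties a caller should expect. The `rsa_padding_mode` and `rsa_pss_saltlen` values given to `-sigopt`, the key size, and the file and function names are choices made for this example; it assumes OpenSSL 1.0.0 or later on the PATH.

```shell
#!/bin/sh
# Added example: RSA-PSS sign/verify with `openssl dgst -sign -sigopt`.
# Key size, file names and function names are constructed for the demo.

# Salt length -1 means "same length as the digest".
PSS_OPTS="-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1"

# pss_setup DIR: throwaway 2048-bit RSA key pair and a sample message.
pss_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null &&
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem" &&
    printf 'constructed sample message\n' > "$1/msg.txt"
}

# pss_sign DIR MSG SIG: SHA-256 digest, PSS padding.
pss_sign() {
    openssl dgst -sha256 -sign "$1/key.pem" $PSS_OPTS -out "$3" "$2"
}

# pss_verify DIR MSG SIG: exit status 0 only if the PSS signature is valid.
pss_verify() {
    openssl dgst -sha256 -verify "$1/pub.pem" $PSS_OPTS \
        -signature "$3" "$2" >/dev/null 2>&1
}

# v15_verify DIR MSG SIG: same check with the default PKCS#1 v1.5 padding.
v15_verify() {
    openssl dgst -sha256 -verify "$1/pub.pem" \
        -signature "$3" "$2" >/dev/null 2>&1
}

pss_demo() {
    d=$(mktemp -d) || return 1
    pss_setup "$d" && pss_sign "$d" "$d/msg.txt" "$d/sig1" &&
        pss_sign "$d" "$d/msg.txt" "$d/sig2" || { rm -rf "$d"; return 1; }
    pss_verify "$d" "$d/msg.txt" "$d/sig1" && echo "PSS signature verifies"
    # PSS is randomized: the salt makes each signature different.
    cmp -s "$d/sig1" "$d/sig2" || echo "two signatures of one message differ"
    # Signer and verifier must agree on the padding mode.
    v15_verify "$d" "$d/msg.txt" "$d/sig1" || echo "v1.5 verify rejects PSS signature"
    printf 'x' >> "$d/msg.txt"
    pss_verify "$d" "$d/msg.txt" "$d/sig1" || echo "modified message is rejected"
    rm -rf "$d"
}

pss_demo
```

Because the salt is random, a test that compares a PSS signature against a stored byte string will fail; compare verification results instead.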