Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 3367806cd464fac96abd1b8416700ad174e8b64d^! / .
commit3367806cd464fac96abd1b8416700ad174e8b64d[log] [tgz]
authorMarti Raudsepp <marti@juffo.org>Sat Jun 30 02:27:28 2018 +0300
committerPaul Kehrer <paul.l.kehrer@gmail.com>Fri Jun 29 16:27:28 2018 -0700
tree914a214ce9072c46db1f911926a8785fc60530ff
parent682014558f3521a942cdce3932837659ce24df34 [diff]
Add OID for RSASSA-PSS X.509 signature algorithm (RFC 4055) (#4294)

In 2005, IETF devised a more secure padding scheme to replace PKCS #1
v1.5. To make sure that nobody can easily support or use it, they
mandated lots of complicated parameters in the certificate, unlike any
other X.509 signature scheme.

https://tools.ietf.org/html/rfc4055

`_SIG_OIDS_TO_HASH` and `Certificate.signature_hash_algorithm` cannot be
supported as-is, because the hash algorithm is defined in the signature
algorithm parameters, not by the OID itself.
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 7a41e1f..3fc6507 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst

@@ -2569,6 +2569,15 @@
         Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
         a SHA512 digest signed by an RSA key.
 
+    .. attribute:: RSASSA_PSS
+
+        .. versionadded:: 2.3
+
+        Corresponds to the dotted string ``"1.2.840.113549.1.1.10"``. This is
+        signed by an RSA key using the Probabilistic Signature Scheme (PSS)
+        padding from RFC 4055. The hash function and padding are defined by
+        signature algorithm parameters.
+
     .. attribute:: ECDSA_WITH_SHA1
 
         Corresponds to the dotted string ``"1.2.840.10045.4.1"``. This is a SHA1

diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index 224c9af..d2f9b04 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py

@@ -74,6 +74,7 @@
 OID_RSA_WITH_SHA256 = SignatureAlgorithmOID.RSA_WITH_SHA256
 OID_RSA_WITH_SHA384 = SignatureAlgorithmOID.RSA_WITH_SHA384
 OID_RSA_WITH_SHA512 = SignatureAlgorithmOID.RSA_WITH_SHA512
+OID_RSASSA_PSS = SignatureAlgorithmOID.RSASSA_PSS
 
 OID_COMMON_NAME = NameOID.COMMON_NAME
 OID_COUNTRY_NAME = NameOID.COUNTRY_NAME

diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 8b92d6b..90003d7 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py

@@ -137,6 +137,7 @@
     RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
     RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
     RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
+    RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
     ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")
     ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
     ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
@@ -221,6 +222,7 @@
     SignatureAlgorithmOID.RSA_WITH_SHA256: "sha256WithRSAEncryption",
     SignatureAlgorithmOID.RSA_WITH_SHA384: "sha384WithRSAEncryption",
     SignatureAlgorithmOID.RSA_WITH_SHA512: "sha512WithRSAEncryption",
+    SignatureAlgorithmOID.RSASSA_PSS: "RSASSA-PSS",
     SignatureAlgorithmOID.ECDSA_WITH_SHA1: "ecdsa-with-SHA1",
     SignatureAlgorithmOID.ECDSA_WITH_SHA224: "ecdsa-with-SHA224",
     SignatureAlgorithmOID.ECDSA_WITH_SHA256: "ecdsa-with-SHA256",