update lingT_signature_algorithm_not_supported - support rsa-pss #913
Conversation
There was a problem hiding this comment.
Thank you for the patch! I double checked the citations and I believe this is correct. Now we need to get CICD passing.
- We need to edit the unit test at lint_signature_algorithm_not_supported_test.go#L44 to be from
expected := lint.Warntoexpected := lint.Pass. - The linter wants us to run (from the repository root)
gofmt -w v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
| warnSigAlgs = map[x509.SignatureAlgorithm]bool{ | ||
| // The BRs v2.1.2 allow the use of RSA-PSS as a signature scheme, see | ||
| // 7.1.3.2.1 RSA | ||
| // The Mozilla root program policy v2.9 allow RSA-PSS as a signature |
There was a problem hiding this comment.
Just double checking these references.
From Mozilla 5.1.1.
When a root or intermediate certificate's RSA key is used to produce a signature, only the following algorithms MAY be used, and with the following encoding requirements:
...
RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes.
The encoded AlgorithmIdentifier MUST match the following hex-encoded bytes:304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120
From CABF/Br 7.1.3.2.1
The CA SHALL use one of the following signature algorithms and encodings. When encoded, the
AlgorithmIdentifier MUST be byte‐for‐byte identical with the specified hex‐encoded bytes....
RSASSA‐PSS with SHA‐256, MGF‐1 with SHA‐256, and a salt length of 32 bytes:
Encoding:304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120
see #912