feat: add RSA-PSS (RSASSA-PSS) signature algorithm support#99
feat: add RSA-PSS (RSASSA-PSS) signature algorithm support#99leifj wants to merge 2 commits intomoov-io:masterfrom
Conversation
Implements RSA-PSS signature algorithm support for both signing and verification, as specified in RFC 6931 Section 2.3.10. This is commonly required in EU contexts. Signature algorithms added: - http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 (SHA256WithRSAPSS) - http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1 (SHA384WithRSAPSS) - http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1 (SHA512WithRSAPSS) Special handling is included for certificates with RSA-PSS public keys (OID 1.2.840.113549.1.1.10), which Go's x509 library cannot parse natively. The code manually extracts the RSA public key in these cases. This enables validation of German TSL (Trusted Service List) signatures which use RSA-PSS with certificates that have RSA-PSS encoded public keys.
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the cryptographic capabilities by introducing comprehensive support for RSA-PSS (RSASSA-PSS) digital signatures. This addition addresses a critical need, particularly for compliance with European regulations and the validation of German Trust Service List (TSL) signatures, which frequently utilize RSA-PSS with specific certificate structures. The changes enable both the creation and verification of XML digital signatures using RSA-PSS, including custom handling for certificates that embed RSA-PSS public keys, which are not natively supported by Go's standard library. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
The pull request successfully adds support for RSA-PSS (RSASSA-PSS) signature algorithms for both signing and verification. The implementation correctly handles the complexities of certificates with RSA-PSS public keys, which Go's x509 library does not natively support, through custom ASN.1 parsing and manual verification. The changes are well-structured and integrate smoothly with the existing codebase.
Incorporates all review feedback from upstream PRs: - PR moov-io#98 (c14n-fixes): WriteToString error handling, redundant assignment removal - PR moov-io#99 (rsa-pss): getDigestAlgorithm helper, rsaPSSHashAlgorithms shared map - PR moov-io#100 (ecdsa-fix): hash messages before ECDSA sign/verify in tests, nolint:exhaustive - PR moov-io#101 (ed25519-xmlenc-cryptosigner): error handling in xmlenc parse functions, gosec nolint for safe integer conversions, NewSigner error check in tests, .gitleaks.toml for W3C test vectors Also updates golang.org/x/crypto to v0.49.0.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces comprehensive support for RSA-PSS (RSASSA-PSS) signature algorithms within the signedxml library. This includes registering the new algorithms, updating the Signer to use rsa.SignPSS for signing, and significantly enhancing the Validator to correctly verify RSA-PSS signatures. The validation logic now includes custom parsing for X.509 certificates that use RSA-PSS public keys, addressing a limitation in Go's standard x509 library. No specific feedback was provided in the review comments.
|
Thank you! Do you have an example test or to we could include to confirm this works? |
|
I've added one with f22487e These commits are merged, thanks! |
2 participants
Summary
Add RSA-PSS signature algorithm support for both signing and verification, as specified in RFC 6931 Section 2.3.10.
Motivation
RSA-PSS is commonly required in EU contexts, particularly for validating German Trust Service List (TSL) signatures which use RSA-PSS with certificates that have RSA-PSS encoded public keys (OID 1.2.840.113549.1.1.10).
Changes
Signature algorithms added:
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1(SHA256WithRSAPSS)http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1(SHA384WithRSAPSS)http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1(SHA512WithRSAPSS)Verification enhancements:
x509library cannot parse nativelyverifyRSAPSSSignature()for manual PSS verification whenCheckSignaturefails due to the RSA-PSS OIDSigning:
rsa.SignPSSwithPSSSaltLengthEqualsHashTesting
All existing tests continue to pass.