Introduction

Every now and then, I read about RSA keypairs whose usage is limited to RSASSA-PSS. I am still struggling to understand where this is specified and how to create such a keypair. This page is to summarize my current understanding, hoping that others can shed more light on this.

IAIK toolkit

The Java-based IAIK cryptography toolkit claims to support these keys. IAIK is available free of charge for non-commercial use.

The toolkit contains the classes RSAPssPrivateKey and RSAPssPublicKey. Their documentation says these classes implement RSA keys according to RFC4055.

I used the following code to generate a sample keypair.

import iaik.security.provider.IAIK;
import iaik.security.rsa.RSAPssPrivateKey;
import iaik.security.rsa.RSAPssPublicKey;

import java.io.FileOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;

public class pssGenKey {

  public static void main(String[] args) {

     try {
        // Register the IAIK provider (not needed if it is already listed in java.security)
        Security.addProvider(new IAIK());

        // Ask the IAIK provider for RSASSA-PSS keys rather than plain "RSA" keys
        KeyPairGenerator keyGen =
           KeyPairGenerator.getInstance("RSASSA-PSS", "IAIK");

        keyGen.initialize(2048);

        KeyPair keyPair = keyGen.generateKeyPair();

        RSAPssPrivateKey privateKey = (RSAPssPrivateKey)keyPair.getPrivate();
        RSAPssPublicKey publicKey = (RSAPssPublicKey)keyPair.getPublic();

        // writeTo() emits the DER encoding: a PKCS #8 PrivateKeyInfo and a SubjectPublicKeyInfo
        FileOutputStream o = new FileOutputStream("privKey.der");
        privateKey.writeTo(o);
        o.close();
        FileOutputStream m = new FileOutputStream("pubKey.der");
        publicKey.writeTo(m);
        m.close();
     } catch (Exception ex) {
        System.err.println("Error: " + ex.getMessage());
        System.exit(1);
     }

     System.exit(0);
  }
}

Sample keypair

The resulting RSA private key is in PKCS #8 format. The OCTET STRING contains an RSAPrivateKey sequence as defined in PKCS #1.

(The output of dumpasn1 is abbreviated)

martin@askja:~/projects/iaik/sampleKey$ dumpasn1 -h privKey.der
   SEQUENCE {
     INTEGER 0
     SEQUENCE {
       OBJECT IDENTIFIER rsaPSS (1 2 840 113549 1 1 10)
       NULL
       }
     OCTET STRING, encapsulates {
       SEQUENCE {
         INTEGER 0
         INTEGER
           00 BE 08 F4 13 5F 4C DC C4 9C 7C FA E1 96 FD 51 [...]
         INTEGER 65537
         INTEGER
           00 87 8F 1F 7D 4A 38 2C 2B DC 6D 93 11 A5 81 A2
         INTEGER
           00 FA BB 10 57 4B C2 6C F9 C2 33 A3 1D 49 80 C4 [...]
         INTEGER
           00 C2 07 58 65 8F 06 A4 40 FD F3 70 60 5D 2D 42 [...]
         INTEGER
           43 07 1F 27 37 29 92 D8 72 02 3B E8 E8 6D 74 1C [...]
         INTEGER
           00 93 65 75 17 A1 B1 8F F1 F7 79 89 B3 0A D5 A9 [...]
         INTEGER
           1C 71 78 F4 26 55 88 92 11 AD A8 D9 0B 86 E6 9F [...]
         }
       }
     }

0 warnings, 0 errors.

The public key carries the same AlgorithmIdentifier (rsaPSS with NULL parameters). The BIT STRING contains an RSAPublicKey sequence as defined in section 6 of RFC4055.

martin@askja:~/projects/iaik/sampleKey$ dumpasn1 -h pubKey.der
   SEQUENCE {
     SEQUENCE {
       OBJECT IDENTIFIER rsaPSS (1 2 840 113549 1 1 10)
       NULL
       }
     BIT STRING, encapsulates {
       SEQUENCE {
         INTEGER
           00 BE 08 F4 13 5F 4C DC C4 9C 7C FA E1 96 FD 51 [...]
         INTEGER 65537
         }
       }
     }

0 warnings, 0 errors.

These structures are fairly easy to understand.

But…

Reading through RFC4055, I cannot see where it says that this is the way to define RSA keys to be used for PSS only. The only related section in RFC4055 is section 1.2, page 2:

When the RSA private key owner wishes to limit the use of the public
key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object
identifier MUST be used in the algorithm field within the subject
public key information, and, if present, the parameters field MUST
contain RSASSA-PSS-params. [...]

This is referring to X.509 certificates defined in RFC 3280…
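As an added example (not the page's or IAIK's code), the following Python reads the AlgorithmIdentifier of a DER SubjectPublicKeyInfo, which is the structure pubKey.der above consists of, or of a PKCS #8 PrivateKeyInfo like privKey.der, and reports whether the key is marked id-RSASSA-PSS and what its parameters say. The keys it checks are constructed inline around a toy modulus: one with NULL parameters as IAIK wrote them, one with the RSASSA-PSS-params the RFC text calls for, and one plain rsaEncryption key for contrast.

```python
OID_RSASSA_PSS, OID_SHA1 = "1.2.840.113549.1.1.10", "1.3.14.3.2.26"  # id-RSASSA-PSS; id-sha1 is the RFC 4055 default
OID_DER = {"rsaPSS": bytes.fromhex("2a864886f70d01010a"), "rsaEncryption": bytes.fromhex("2a864886f70d010101"),
           "mgf1": bytes.fromhex("2a864886f70d010108"), "sha256": bytes.fromhex("608648016503040201")}
def tlv(tag, body):  # DER tag-length-value; short-form length suffices for the small constructed samples
    return bytes([tag, len(body)]) + body
def decode(buf, pos=0):  # one DER element at pos -> ((tag, value), end); constructed elements hold child lists
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, needed for real 2048-bit keys
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if not tag & 0x20:
        return (tag, buf[pos:end]), end
    kids = []
    while pos < end:
        kid, pos = decode(buf, pos)
        kids.append(kid)
    return (tag, kids), end
def decode_oid(value):  # base-128 arcs; the high bit marks continuation bytes
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_pss_params(fields):  # RSASSA-PSS-params: explicit [0] hash, [1] MGF, [2] saltLength; absent = RFC 4055 default
    out = {"hash": OID_SHA1, "mgf1_hash": OID_SHA1, "salt_len": 20}
    for tag, (inner,) in fields:  # each explicit tag wraps exactly one element
        if tag == 0xA0:
            out["hash"] = decode_oid(inner[1][0][1])
        elif tag == 0xA1:  # id-mgf1 whose parameter is itself a hash AlgorithmIdentifier
            out["mgf1_hash"] = decode_oid(inner[1][1][1][0][1])
        elif tag == 0xA2:
            out["salt_len"] = int.from_bytes(inner[1], "big")
    return out

def key_usage_info(der):  # SPKI or PKCS #8: the AlgorithmIdentifier is the only SEQUENCE directly inside the outer one
    (_, children), _ = decode(der)
    alg = next(c for c in children if c[0] == 0x30)
    oid, rest = decode_oid(alg[1][0][1]), alg[1][1:]
    params = "absent" if not rest else "NULL" if rest[0][0] == 0x05 else parse_pss_params(rest[0][1])
    return {"algorithm": oid, "pss_only": oid == OID_RSASSA_PSS, "params": params}
def sample_spki(alg_oid, params):  # constructed SubjectPublicKeyInfo around a toy (not real) RSAPublicKey
    toy_key = tlv(0x30, tlv(0x02, b"\x00\xc3" + b"\x5a" * 15) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, tlv(0x30, tlv(0x06, alg_oid) + params) + tlv(0x03, b"\x00" + toy_key))
IAIK_STYLE = sample_spki(OID_DER["rsaPSS"], tlv(0x05, b""))  # NULL parameters, like pubKey.der above
RFC4055_STYLE = sample_spki(OID_DER["rsaPSS"], tlv(0x30,  # RSASSA-PSS-params: SHA-256, MGF1 with SHA-256, 32-byte salt
    tlv(0xA0, tlv(0x30, tlv(0x06, OID_DER["sha256"]))) + tlv(0xA1, tlv(0x30, tlv(0x06, OID_DER["mgf1"])
    + tlv(0x30, tlv(0x06, OID_DER["sha256"])))) + tlv(0xA2, tlv(0x02, b"\x20"))))
```

Feeding the real privKey.der or pubKey.der bytes to key_usage_info reports the rsaPSS OID with "NULL" parameters, i.e. the key is marked for PSS but states no hash, MGF or salt length, so a verifier falls back to the RFC 4055 defaults.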

Questions, comments

Please send any questions or comments to www(at)kaiser(dot)cx
