Add rsa_padding parameter to CertificateBuilder.public_key()#15000
Open
reaperhulk wants to merge 8 commits into
Conversation
… SPKI Passing the uninstantiated PSS class encodes an RSA subject public key with the id-RSASSA-PSS OID (parameters absent, the unrestricted form from RFC 4055) in the certificate's subjectPublicKeyInfo, as required by the rsa_pss_pss_* signature schemes in TLS 1.3 and by some hardware consumers. Fixes #10655 https://claude.ai/code/session_01HBR1P3RLnJ6r2avs6DZxUy
The Python layer validates rsa_padding in public_key(), so the value is always either None or the PSS class by the time it reaches Rust, like every other builder attribute. https://claude.ai/code/session_01HBR1P3RLnJ6r2avs6DZxUy
alex
reviewed
Jun 9, 2026
Comment on lines +962 to +972
| :param rsa_padding: The uninstantiated | ||
| :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` | ||
| class (not an instance), only valid with | ||
| :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`. | ||
| When set, the certificate's ``subjectPublicKeyInfo`` encodes the | ||
| key with the ``id-RSASSA-PSS`` OID and no parameters (the | ||
| unrestricted form from :rfc:`4055`) instead of ``rsaEncryption``, | ||
| marking the key as usable only for RSASSA-PSS signatures. It does | ||
| not change how this certificate itself is signed; use the | ||
| ``rsa_padding`` parameter of :meth:`sign` to control that. | ||
|
|
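Review bot: The `:param rsa_padding:` text on lines +962 to +972 says the value must be the PSS class rather than an instance and is only valid with RSAPublicKey, but never says what happens otherwise; the PR summary states that a TypeError is raised in both cases, so add a `:raises TypeError:` entry here so callers can rely on the check happening in public_key() and not discover it at sign time.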
Member
The docs feel slightly off to me, but I don't have a more concrete suggestion. Might need a human pass rewrite?
Comment on lines +1065 to +1081
| let spki_der: &[u8] = if py_public_key_rsa_padding.is_none() { | ||
| &spki_bytes | ||
| } else { | ||
| // The Python layer ensures this is only ever the PSS class. | ||
| let spki = asn1::parse_single::<common::SubjectPublicKeyInfo<'_>>(&spki_bytes)?; | ||
| // id-RSASSA-PSS with the parameters absent (the unrestricted form | ||
| // from RFC 4055), which is the encoding required for the TLS 1.3 | ||
| // rsa_pss_pss_* signature schemes. | ||
| pss_spki_bytes = asn1::write_single(&common::SubjectPublicKeyInfo { | ||
| algorithm: common::AlgorithmIdentifier { | ||
| oid: asn1::DefinedByMarker::marker(), | ||
| params: AlgorithmParameters::RsaPss(None), | ||
| }, | ||
| subject_public_key: spki.subject_public_key, | ||
| })?; | ||
| &pss_spki_bytes | ||
| }; |
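Review bot: The else branch on lines +1065 to +1081 treats every non-None `py_public_key_rsa_padding` as the PSS class, relying on the comment "The Python layer ensures this is only ever the PSS class"; any other caller of this Rust entry point would silently get an id-RSASSA-PSS SPKI for an arbitrary value. Match on the expected value and return an error otherwise, so the Rust side enforces the invariant it depends on. Note also that only `spki.subject_public_key` is reused and the original algorithm is not checked to be rsaEncryption here, which again rests solely on the Python-side RSAPublicKey check.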
Member
I think this round trips too much -- the usage line is asn1::parse_single(spki_der)?. We should just do that in the non-PSS case, and in the other case we can skip the write_single.
Address review feedback: parse the SPKI bytes once in the default case, and in the PSS case build the WithTlv value directly via a new constructor rather than round-tripping through write_single. https://claude.ai/code/session_01HBR1P3RLnJ6r2avs6DZxUy
alex
reviewed
Jun 9, 2026
| :param public_key: The subject's public key. This can be one of | ||
| :data:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`. | ||
|
|
||
| :param rsa_padding: The uninstantiated |
"uninstantiated" is not in the dictionary; say "the PSS class (not an instance)" instead. https://claude.ai/code/session_01HBR1P3RLnJ6r2avs6DZxUy
Summary

Adds support for encoding RSA public keys in X.509 certificates with the `id-RSASSA-PSS` OID and no parameters (the unrestricted form from RFC 4055), which marks the key as usable only for RSASSA-PSS signatures. This is required for TLS 1.3 `rsa_pss_pss_*` signature schemes.

Changes

- Python API: Added `rsa_padding` keyword-only parameter to `CertificateBuilder.public_key()` that accepts the uninstantiated `PSS` class (not an instance). When provided with an RSA public key, the certificate's `subjectPublicKeyInfo` is encoded with the `id-RSASSA-PSS` OID and no parameters instead of the standard `rsaEncryption` OID.
- Validation: Added type checking to ensure:
  - `rsa_padding` must be the `PSS` class itself, not an instance
  - `rsa_padding` is only valid with `RSAPublicKey` types
  - `TypeError` exceptions are raised for invalid usage
- Rust implementation: Modified certificate creation to detect when PSS padding is specified and rewrite the SPKI (SubjectPublicKeyInfo) structure with the `id-RSASSA-PSS` OID and absent parameters, while preserving the actual public key material.
- State management: Updated `CertificateBuilder.__init__()` and all builder methods to properly thread the `_public_key_rsa_padding` state through the builder chain.
- Documentation: Updated reference documentation and CHANGELOG to describe the new parameter and its behavior.

Implementation Details

- The `rsa_padding` parameter does not affect how the certificate itself is signed; it only controls the encoding of the subject public key in the certificate. The `rsa_padding` parameter of the `sign()` method continues to control the certificate's signature algorithm.
- `rsa_padding` parameter, and rejection of `rsa_padding` with non-RSA keys.

https://claude.ai/code/session_01HBR1P3RLnJ6r2avs6DZxUy
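As an added example (not code from this PR or from pyca/cryptography): a dependency-free Python check that reports whether a DER SubjectPublicKeyInfo carries `rsaEncryption` or the RFC 4055 unrestricted `id-RSASSA-PSS` form described above, which is the encoding `public_key(rsa_padding=PSS)` is meant to produce. The parsing helpers and the sample SPKI bytes are my own constructions; the samples use a placeholder BIT STRING in place of a real RSA key, and the OIDs are the standard PKCS #1 values.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
ID_RSASSA_PSS = "1.2.840.113549.1.1.10"

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_spki(spki_der: bytes) -> tuple[str, str]:
    """Return (algorithm OID, parameter form: absent/null/present) for a DER SPKI."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    atag, alg_id, _ = _read_tlv(spki, 0)  # AlgorithmIdentifier SEQUENCE
    otag, oid_bytes, pos = _read_tlv(alg_id, 0)
    if (tag, atag, otag) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    if pos == len(alg_id):  # nothing follows the OID: parameters absent
        form = "absent"
    else:
        ptag, pval, _ = _read_tlv(alg_id, pos)
        form = "null" if (ptag, pval) == (0x05, b"") else "present"
    return _decode_oid(oid_bytes), form

def is_unrestricted_pss_spki(spki_der: bytes) -> bool:
    """True only for id-RSASSA-PSS with parameters absent (RFC 4055 unrestricted form)."""
    return classify_spki(spki_der) == (ID_RSASSA_PSS, "absent")

# Constructed sample SPKIs (not real keys): each AlgorithmIdentifier is
# followed by a 3-byte placeholder BIT STRING standing in for RSAPublicKey.
def _spki(alg_id_tlv: bytes) -> bytes:
    body = alg_id_tlv + bytes.fromhex("030300aabb")
    return bytes([0x30, len(body)]) + body

RSA_ENC_SPKI = _spki(bytes.fromhex("300d06092a864886f70d0101010500"))  # rsaEncryption, NULL params
PSS_SPKI = _spki(bytes.fromhex("300b06092a864886f70d01010a"))  # id-RSASSA-PSS, params absent
```

A relying party can run `classify_spki` over a certificate's SPKI to confirm the subject key is restricted to RSASSA-PSS before accepting an `rsa_pss_pss_*` signature; a "present" result on an `id-RSASSA-PSS` key means restricted RSASSA-PSS-params, which this PR deliberately does not emit.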