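--- a/src/ssl.cpp
+++ b/src/ssl.cpp
@@ -1536,6 +1536,16 @@ std::vector<uint8_t> netplus::ssl::_tls13_build_certificate_verify()
     // TLS 1.3 RFC 8446 Section 4.4.3: For RSA signatures, RSASSA-PSS algorithms MUST be used.
     // rsa_pkcs1_* algorithms are NOT allowed for CertificateVerify in TLS 1.3.
+    // Ensure RSA key is loaded from privateKeyDer if not already
+    if (_selected_cert_bundle && !_selected_cert_bundle->rsa_key && !_selected_cert_bundle->privateKeyDer.empty()) {
+        try {
+            _selected_cert_bundle->rsa_key = netplus::rsa(_selected_cert_bundle->privateKeyDer);
+        } catch (const std::exception& e) {
+            fprintf(stderr, "[TLS] Warning: Failed to load RSA key from privateKeyDer: %s\n", e.what());
+        }
+    }
     if (_selected_cert_bundle && _selected_cert_bundle->rsa_key) {
         // For TLS 1.3, we MUST use RSA-PSS-RSAE-SHA256 (0x0804)
         // PKCS#1 v1.5 (0x0401) is NOT allowed for CertificateVerify in TLS 1.3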
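Review bot: The `catch` in the added block only prints a warning and lets `_tls13_build_certificate_verify()` carry on with `rsa_key` still unset, so whether the handshake fails cleanly depends on what follows the `if (_selected_cert_bundle && _selected_cert_bundle->rsa_key)` branch, which continues outside this hunk. If no other signing path applies there, a key that cannot be parsed should abort the handshake instead of being logged and dropped; at minimum document the contract with a comment such as `// rsa_key stays unset on parse failure; the code below must fail the handshake rather than emit an unsigned CertificateVerify`. The block also feeds `privateKeyDer` to `netplus::rsa` without checking the key type, so a bundle holding a non-RSA key would presumably hit this warning on every handshake. Assigning `_selected_cert_bundle->rsa_key` here writes to the bundle during a handshake; if bundles are shared between connections (not visible here) that write needs synchronisation, or the key should be parsed once where the bundle is loaded.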