BER Decode Error with X509Cert RSA PSS SHA256 Cert #20

Open
FrankSapone opened this issue Apr 15, 2024 · 1 comment
@FrankSapone

Hello,

I've tried creating a cert as follows with openssl:

```
openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:2048 -out root.key
openssl req -new -key root.key -out root.csr -config root_req.config
openssl ca -in root.csr -out root.crt -config root.config -selfsign -extfile ca.ext -days 7305
openssl x509 -in root.crt -outform PEM -out root.pem
```

then in my C++ code:

```cpp
StringSource ss(certStr, true);

PEM_Load(ss, m_Cert);
```

It will fail eventually down the path and with some debugging it appears it fails at the `BERDecodeSignatureAlgorithm(tbsCertificate, m_subjectSignatureAlgortihm);`. More specifically at `bool parametersPresent = seq.EndReached() ? false : BERDecodeAlgorithmParameters(seq);` where it reaches `BERDecodeAlgorithmParameters`.

I have not tried dumpasn as I do not have it installed, but I assume sequence is different and is causing problems.

Basically, I am trying to generate a certificate that uses PSS with SHA256 in order to avoid SonarLint complaining about PKCS1v15 being not secure enough. I am trying to make my web server generate a certificate for the user and the user inputs the cert to an app for verification that it was signed by the server CA. I am new to crypto and certs so I may be doing some things wrong. It seems OAEP is the right thing to use but I have no idea how to generate this or use it with cryptopp and x509certificate libs?

Thanks,
Frank

@r0g3r3k

r0g3r3k commented Aug 16, 2024

I have hit the same issue. Problem is that PSS signatures have non-NULL parameters, see RFC 5280, section 4.1.1.2: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.1.2

But this fails in `BERDecodeAlgorithmParameters()` which calls `BERDecodeNull()`.
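
The distinction described in the comment above, as an added example that is not part of the thread and is not Crypto++ or x509cert code: a small self-contained DER reader that classifies the `parameters` field of an AlgorithmIdentifier as absent, NULL or a SEQUENCE. `ParamKind`, `Tlv`, `ReadTlv` and `ClassifyParameters` are hypothetical names, and both byte strings are constructed samples (sha256WithRSAEncryption with NULL parameters, id-RSASSA-PSS with a SEQUENCE carrying a SHA-256 hashAlgorithm).

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical names for this example; not part of Crypto++ or its X.509 add-on.
enum class ParamKind { Absent, Null, Sequence, Other };
struct Tlv { uint8_t tag; size_t off; size_t len; };  // off = start of content

// Read one DER TLV at pos, bounded by end; definite lengths of up to 2 length bytes.
static Tlv ReadTlv(const std::vector<uint8_t>& b, size_t pos, size_t end) {
    if (pos + 2 > end) throw std::runtime_error("truncated header");
    Tlv t{b[pos], pos + 2, b[pos + 1]};
    if (t.len & 0x80) {
        size_t n = t.len & 0x7F;
        if (n == 0 || n > 2 || t.off + n > end) throw std::runtime_error("bad length");
        t.len = 0;
        for (size_t i = 0; i < n; ++i) t.len = (t.len << 8) | b[t.off + i];
        t.off += n;
    }
    if (t.len > end - t.off) throw std::runtime_error("length overruns buffer");
    return t;
}

// Classify the optional parameters field that follows the OID.
ParamKind ClassifyParameters(const std::vector<uint8_t>& der) {
    Tlv seq = ReadTlv(der, 0, der.size());
    if (seq.tag != 0x30) throw std::runtime_error("not a SEQUENCE");
    size_t end = seq.off + seq.len;
    Tlv oid = ReadTlv(der, seq.off, end);
    if (oid.tag != 0x06) throw std::runtime_error("missing OID");
    size_t next = oid.off + oid.len;
    if (next == end) return ParamKind::Absent;           // parameters omitted
    Tlv p = ReadTlv(der, next, end);
    if (p.off + p.len != end) throw std::runtime_error("trailing data");
    if (p.tag == 0x05 && p.len == 0) return ParamKind::Null;   // 05 00
    return p.tag == 0x30 ? ParamKind::Sequence : ParamKind::Other;
}

// Constructed samples: OID 1.2.840.113549.1.1.11 + NULL, and 1.2.840.113549.1.1.10 + SEQUENCE.
const std::vector<uint8_t> kSha256WithRsa = {0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00};
const std::vector<uint8_t> kRsaPss = {0x30,0x1C,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A,
    0x30,0x0F,0xA0,0x0D,0x30,0x0B,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};

int main() {
    std::printf("sha256WithRSAEncryption: %d\n", static_cast<int>(ClassifyParameters(kSha256WithRsa)));
    std::printf("id-RSASSA-PSS: %d\n", static_cast<int>(ClassifyParameters(kRsaPss)));
    return 0;
}
```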
