Add support to verify RSA signatures
lmammino opened this issue · comments
The current implementation only supports EC P-256 signatures.
Some test certs use RSA (example data CH/2DCode/raw/1.json
).
Specification is scattered a bit around, but this is probably the best i could find: https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v1_en.pdf
Pagg 5-6 say:
The Signature Algorithm (alg) parameter indicates what algorithm is used for the creating the
signature. It must meet or exceed current SOG-IT guidelines.
One primary and one secondary algorithm is defined. The secondary algorithm should only be
used if the primary algorithm is not acceptable within the rules and regulations imposed on the
implementor.
However, it is essential and of utmost importance for the security of the system that all
implementations incorporate the secondary algorithm. For this reason, both the primary and
the secondary algorithm MUST be implemented.
For this version of the specification, the SOG-IT set levels for the primary and secondary
algorithms are:
- Primary Algorithm: The primary algorithm is Elliptic Curve Digital Signature Algorithm
(ECDSA) as defined in (ISO/IEC 14888–3:2006) section 2.3, using the P–256 parameters as defined in appendix D (D.1.2.3) of (FIPS PUB 186–4) in combination the
SHA–256 hash algorithm as defined in (ISO/IEC 10118–3:2004) function 4.This corresponds to the COSE algorithm parameter ES256.
- Secondary Algorithm: The secondary algorithm is RSASSA-PSS as defined in (RFC 8230) with a modulus of 2048 bits in combination with the SHA–256 hash algorithm as
defined in (ISO/IEC 10118–3:2004) function 4.This corresponds to the COSE algorithm parameter: PS256
I started at least. Can you link the specification in the issue so hopefully later I can continue?
@lu-zero added some references to the spec in the issue description (sorry i missed your comment above when you posted it :/ )