I have 2 needs:
- Usecase 1) Generate a key pair and do RSASSA-PKCSv1.5 signatures.
- Usecase 2) Generate a key pair and do RSASSA-PSS signatures.
I am wondering how to generate the keys with OpenSSL, especially by using the argument -algorithm of genpkey.
- For Usecase 1), I have no specific question, my intention is to do:
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out key_pkcs.pem
openssl dgst -sha256 -sign key_pkcs.pem -out output.sig testfile.txt
=> Is it OK?
- For Usecase 2), I see 2 possibilities:
Solution A:
openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:2048 -out key_pss.pem
openssl dgst -sha256 -sign key_pss.pem -out output.sig testfile.txt
Solution B:
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out key_pss.pem
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sign key_pss.pem -out output.sig testfile.txt
Are solutions A and B equivalent?
Which one is preferable?
=> I prefer solution B, because it will offer me the possibility to generate RSA key pairs in a standard way with one unique/common command, regardless of their usage afterward (= either for PKCS or PSS signature usage).
=> My analysis: Solution A does not offer the possibility to do PKCS signatures (only PSS padding will be possible), whereas Solution B allows the key to be used for PKCS or PSS signatures, correct?
Thank you in advance for your help!
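
Added example, not part of the original post: a script that generates one key of each type from Solutions A and B and reports which padding modes each key accepts with `openssl dgst`, plus the algorithm identifier stored in each public key. The temp directory, file names and sample message are constructed for the demo, and it assumes an OpenSSL build that supports `-algorithm rsa-pss`.

```shell
#!/bin/sh
# Added demo; every file below is constructed and lives in a throwaway directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'constructed sample message\n' > "$WORK/msg.txt"

# Generate one key per type (rsa as in Solution B, rsa-pss as in Solution A)
# and export the matching public keys.
gen_keys() {
    for alg in rsa rsa-pss; do
        openssl genpkey -algorithm "$alg" -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORK/$alg.pem" 2>/dev/null || return 1
        openssl pkey -in "$WORK/$alg.pem" -pubout -out "$WORK/$alg.pub" || return 1
    done
}

# key_oid ALG: print the algorithm identifier stored in the public key.
key_oid() {
    openssl asn1parse -in "$WORK/$1.pub" | grep -o -E 'rsaEncryption|rsassaPss' | head -n 1
}

# sign_verify ALG PADDING: sign msg.txt with the ALG key under an explicit
# padding mode, then verify with the public key. Returns 0 only if both succeed.
sign_verify() {
    sig="$WORK/$1.$2.sig"
    openssl dgst -sha256 -sigopt "rsa_padding_mode:$2" -sign "$WORK/$1.pem" \
        -out "$sig" "$WORK/msg.txt" 2>/dev/null || return 1
    openssl dgst -sha256 -sigopt "rsa_padding_mode:$2" -verify "$WORK/$1.pub" \
        -signature "$sig" "$WORK/msg.txt" >/dev/null 2>&1
}

# report: print an accept/reject matrix of key type against padding mode.
report() {
    for alg in rsa rsa-pss; do
        echo "$alg key, algorithm identifier: $(key_oid "$alg")"
        for pad in pkcs1 pss; do
            if sign_verify "$alg" "$pad"; then r=accepted; else r=rejected; fi
            echo "  padding $pad: $r"
        done
    done
}

gen_keys && report
```

The identifier line matters for interoperability: a verifier or certificate profile that expects `rsaEncryption` keys will see a different key type for the `rsa-pss` key, independent of the padding used at signing time.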