ssl/ssl_cert_table.h +1 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,7 @@ */ static const SSL_CERT_LOOKUP ssl_cert_info [] = { {EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */ {EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */ {EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */ {EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */ {NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */ Loading
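Review bot: Nothing in this section ties the row order of `ssl_cert_info` to the `SSL_PKEY_*` values; the trailing comments are the only thing keeping the new `{EVP_PKEY_RSA_PSS, SSL_aRSA}` row at index 1. The same applies to `tls_default_sigalg` in ssl/t1_lib.c. Because this commit renumbers every index after `SSL_PKEY_RSA`, a missed or misplaced row would silently map a key type to the wrong authentication mask or default signature algorithm. A compile-time check that each array's element count equals `SSL_PKEY_NUM` would catch a missing row, and a header comment such as `/* Rows are indexed by SSL_PKEY_*; keep in the same order as ssl_locl.h */` would document the constraint. The array initializer continues past the end of the hunk.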
ssl/ssl_locl.h +8 −13 Original line number Diff line number Diff line Loading @@ -363,25 +363,20 @@ /* Mostly for SSLv3 */ # define SSL_PKEY_RSA 0 # define SSL_PKEY_DSA_SIGN 1 # define SSL_PKEY_ECC 2 # define SSL_PKEY_GOST01 3 # define SSL_PKEY_GOST12_256 4 # define SSL_PKEY_GOST12_512 5 # define SSL_PKEY_ED25519 6 # define SSL_PKEY_NUM 7 # define SSL_PKEY_RSA_PSS_SIGN 1 # define SSL_PKEY_DSA_SIGN 2 # define SSL_PKEY_ECC 3 # define SSL_PKEY_GOST01 4 # define SSL_PKEY_GOST12_256 5 # define SSL_PKEY_GOST12_512 6 # define SSL_PKEY_ED25519 7 # define SSL_PKEY_NUM 8 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 * SSL_CIPHER. So let's see which one we have in fact. */ # define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1 /* * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS */ #define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA /*- * SSL_kRSA <- RSA_ENC * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) Loading
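Review bot: `SSL_PKEY_RSA_PSS_SIGN` changes from an alias of `SSL_PKEY_RSA` to its own slot (1), so any user outside this section that relied on landing in the RSA slot now reads a separate entry, presumably empty unless a PSS certificate is configured. It is worth confirming that lookups meant for ordinary RSA keys signing with PSS still refer to `SSL_PKEY_RSA`, and that lookups through the new slot handle a missing key; those call sites are not visible here. The removed TODO also leaves the block with no statement of what the values are, and the `/* Mostly for SSLv3 */` heading does not describe them. A comment such as `/* Indices into per-certificate-type arrays; must match ssl_cert_info[] and tls_default_sigalg[] */` would help.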
ssl/t1_lib.c +2 −0 Original line number Diff line number Diff line Loading @@ -799,6 +799,7 @@ static const SIGALG_LOOKUP legacy_rsa_sigalg = { */ static const uint16_t tls_default_sigalg[] = { TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ 0, /* SSL_PKEY_RSA_PSS_SIGN */ TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ Loading Loading @@ -2126,6 +2127,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, void tls1_set_cert_validity(SSL *s) { tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); Loading
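Review bot: The new `0` entry for `SSL_PKEY_RSA_PSS_SIGN` in `tls_default_sigalg` reads as a sentinel for "no legacy default signature algorithm for this key type", but nothing in the hunk says so. Any code that passes a value from this table to a signature-algorithm lookup has to treat 0 as "no default" and fail cleanly rather than use the result. That consumer is outside the hunk, so this should be confirmed. I would spell the meaning out on the line itself: `0, /* SSL_PKEY_RSA_PSS_SIGN: no legacy default */`. The array initializer continues past the end of the hunk.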