This was discussed in the pkcs11-provider PR latchset/pkcs11-provider#665 (comment) that the SPKI for the RSA-PSS-restricted keys should likely be the RSA-PSS algorithm ID. The spec is not specific enough though, and without examples it's just guessing.
The attribute on the Certificate object says the following, which suggests it needs to be consistent with the certificate algorithm (which is RSA-PSS when we create the key as RSA-PSS restricted):
DER-encoding of the SubjectPublicKeyInfo for the public key contained in this certificate (default empty)
The definition on the private key is more blurry, but from the last part (emphasis mine), I could derive that it should use the RSA-PSS OID if there is a CKA_ALLOWED_MECHANISMS restriction to use only RSA-PSS:
DER-encoding of the SubjectPublicKeyInfo for the associated public key (MAY be empty; DEFAULT derived from the underlying private key data; MAY be manually set for specific key types; if set; MUST be consistent with the underlying private key data)
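
To make the two candidate encodings concrete, the following added example (not part of the original comment and not pkcs11-provider code) reads the AlgorithmIdentifier out of a DER SubjectPublicKeyInfo, such as a CKA_PUBLIC_KEY_INFO value, and compares it with the reading argued above. The sample keys are constructed, and the helper names, including `matches_restriction`, are hypothetical; that function encodes the comment's reading as an assumption, not spec text.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
RSASSA_PSS = "1.2.840.113549.1.1.10"      # id-RSASSA-PSS

def tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:                         # base-128 sub-identifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def spki_algorithm(spki):
    """Return (dotted OID, raw DER parameters) of a SubjectPublicKeyInfo."""
    tag, seq, end = read_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, _ = read_tlv(seq)            # AlgorithmIdentifier
    oid_tag, oid, nxt = read_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid), alg[nxt:]

def matches_restriction(spki, pss_only):
    """Assumed policy: a PSS-only key carries id-RSASSA-PSS, otherwise rsaEncryption."""
    return spki_algorithm(spki)[0] == (RSASSA_PSS if pss_only else RSA_ENCRYPTION)

def sample_spki(oid_der, params):          # constructed key: fake modulus, e = 65537
    key = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * 128) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, tlv(0x30, tlv(0x06, oid_der) + params) + tlv(0x03, b"\x00" + key))

SPKI_RSA = sample_spki(bytes.fromhex("2a864886f70d010101"), b"\x05\x00")  # NULL params
SPKI_PSS = sample_spki(bytes.fromhex("2a864886f70d01010a"), b"")          # params absent
```

Both samples wrap the same RSAPublicKey bytes, so the only difference a token or provider would see between them is the AlgorithmIdentifier.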