Add OID for RSASSA-PSS X.509 signature algorithm (RFC 4056)

In 2005, IETF devised a more secure padding scheme to replace PKCS pyca#1
v1.5. To make sure that nobody can easily support or use it, they
mandated lots of complicated parameters in the certificate, unlike any
other X.509 signature scheme.

https://tools.ietf.org/html/rfc4056

`_SIG_OIDS_TO_HASH` and `Certificate.signature_hash_algorithm` cannot be
supported as-is, because the hash algorithm is defined in the signature
algorithm parameters, not by the OID itself.

src/cryptography/x509/__init__.py

@@ -74,6 +74,7 @@
 OID_RSA_WITH_SHA256 = SignatureAlgorithmOID.RSA_WITH_SHA256
 OID_RSA_WITH_SHA384 = SignatureAlgorithmOID.RSA_WITH_SHA384
 OID_RSA_WITH_SHA512 = SignatureAlgorithmOID.RSA_WITH_SHA512
+OID_RSASSA_PSS = SignatureAlgorithmOID.RSASSA_PSS
 
 OID_COMMON_NAME = NameOID.COMMON_NAME
 OID_COUNTRY_NAME = NameOID.COUNTRY_NAME

src/cryptography/x509/oid.py

@@ -137,6 +137,7 @@ class SignatureAlgorithmOID(object):
     RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
     RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
     RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
+    RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
     ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")
     ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
     ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
@@ -221,6 +222,7 @@ class CertificatePoliciesOID(object):
     SignatureAlgorithmOID.RSA_WITH_SHA256: "sha256WithRSAEncryption",
     SignatureAlgorithmOID.RSA_WITH_SHA384: "sha384WithRSAEncryption",
     SignatureAlgorithmOID.RSA_WITH_SHA512: "sha512WithRSAEncryption",
+    SignatureAlgorithmOID.RSASSA_PSS: "RSASSA-PSS",
     SignatureAlgorithmOID.ECDSA_WITH_SHA1: "ecdsa-with-SHA1",
     SignatureAlgorithmOID.ECDSA_WITH_SHA224: "ecdsa-with-SHA224",
     SignatureAlgorithmOID.ECDSA_WITH_SHA256: "ecdsa-with-SHA256",