Bug 1708260

Summary: RSA-PSS keys generated by NSS when exported to PKCS#12 file use the rsaEncryption identifier
Product: Red Hat Enterprise Linux 8
Reporter: Ivan Nikolchev <inikolch>
Component: nss
Assignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED UPSTREAM
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: medium
Version: 8.0
CC: dueno, hkario, rrelyea
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-09-15 13:55:14 UTC
Type: Bug

Description Ivan Nikolchev 2019-05-09 13:22:10 UTC
Description of problem:
When you generate RSA-PSS keys with NSS and later export them to PKCS#12 and inspect the decrypted key, we can see that the rsaEncryption OID is used instead of rsassaPss.

Version-Release number of selected component (if applicable):
nss-3.41.0-5.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 
Is this a critical extension [y/N]?
y

pk12util -o p12file -n rsaca -d sql:nssdb

Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL

openssl pkcs12 -in p12file -nodes -nocerts > privatekey.pem
openssl asn1parse -in privatekey.pem -inform PEM -strictpem


Actual results:
rsaEncryption OID used

Expected results:
rsassaPss OID used

Additional info:
openssl x509 -noout -text -in cert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: rsassaPss         
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 0x20
         Trailer Field: 0xBC (default)
        Issuer: CN = RSA PSS Testing CA
        Validity
            Not Before: May  9 12:23:21 2019 GMT
            Not After : May  9 12:23:21 2020 GMT
        Subject: CN = RSA PSS Testing CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
                PSS parameter restrictions:
                  Hash Algorithm: sha256
                  Mask Algorithm: mgf1 with sha256
                  Minimum Salt Length: 0x20
                  Trailer Field: 0xBC (default)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: rsassaPss         
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 0x20
         Trailer Field: 0xBC (default)

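
The OID check that the asn1parse step performs by eye can be scripted. The following is an added example, not part of the original report or of NSS: it reads the privateKeyAlgorithm OID from an unencrypted PKCS#8 key such as the privatekey.pem produced above. All function names are hypothetical, and the two sample keys are constructed (real AlgorithmIdentifier bytes, empty placeholder key body).

```python
import base64
import re

# OIDs from PKCS #1 (RFC 8017): the two identifiers the report compares.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.10": "rsassaPss",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets (first arc 0 or 1 is all this check needs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    """Extract the unencrypted PKCS#8 block, skipping any 'Bag Attributes' lines."""
    m = re.search(r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", text, re.S)
    if not m:
        raise ValueError("no unencrypted PKCS#8 PRIVATE KEY block found")
    return base64.b64decode(m.group(1))

def pkcs8_key_algorithm(der):
    """Return the name (or dotted OID) in PrivateKeyInfo.privateKeyAlgorithm."""
    tag, info, _ = read_tlv(der, 0)      # PrivateKeyInfo SEQUENCE
    tag_v, _, pos = read_tlv(info, 0)    # version INTEGER
    tag_a, alg, _ = read_tlv(info, pos)  # AlgorithmIdentifier SEQUENCE
    tag_o, oid, _ = read_tlv(alg, 0)     # algorithm OBJECT IDENTIFIER
    if (tag, tag_v, tag_a, tag_o) != (0x30, 0x02, 0x30, 0x06):
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    dotted = decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)

# Constructed samples: real AlgorithmIdentifiers, placeholder (empty) key body.
SAMPLE_RSA = bytes.fromhex("3016020100300d06092a864886f70d0101010500040230" "00")
SAMPLE_PSS = bytes.fromhex("3014020100300b06092a864886f70d01010a04023000")
```

For a key exported as in the steps above, pkcs8_key_algorithm(pem_to_der(open("privatekey.pem").read())) returns "rsaEncryption" when the export carries the identifier this bug describes and "rsassaPss" when it carries the expected one.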