Bug 1425514 - certutil has multiple issues in handling RSA-PSS certificates
Summary: certutil has multiple issues in handling RSA-PSS certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Hubert Kario
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: rhel7-rsa-pss-in-nss
TreeView+ depends on / blocked
 
Reported: 2017-02-21 15:45 UTC by Hubert Kario
Modified: 2019-04-21 07:27 UTC (History)
3 users (show)

Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: Technology Preview
Doc Text:
.Support for certificates signed with `RSA-PSS` in `certutil` has been improved Support for certificates signed with the `RSA-PSS` algorithm in the `certutil` tool has been improved. Notable enhancements and fixes include: * The `--pss` option is now documented. * The `PKCS#1 v1.5` algorithm is no longer used for self-signed signatures when a certificate is restricted to use `RSA-PSS`. * Empty `RSA-PSS` parameters in the `subjectPublicKeyInfo` field are no longer printed as invalid when listing certificates. * The `--pss-sign` option for creating regular RSA certificates signed with the `RSA-PSS` algorithm has been added. Support for certificates signed with `RSA-PSS` in `certutil` is provided as a Technology Preview.
Clone Of:
Environment:
Last Closed: 2018-04-10 09:25:43 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 158750 0 P2 NEW [Meta] Support RSAPSS 2020-12-03 14:33:29 UTC
Mozilla Foundation 1341302 0 -- RESOLVED certutil --pss is undocumented 2020-12-03 14:33:27 UTC
Mozilla Foundation 1341306 0 P3 RESOLVED NSS will self-sign a RSA-PSS certificate using RSASSA-PKCS1-v1_5 2020-12-03 14:33:27 UTC
Mozilla Foundation 1341316 0 -- RESOLVED NSS recognises empty PSS-certificate public key parameters as invalid 2020-12-03 14:33:27 UTC
Mozilla Foundation 1415171 0 -- RESOLVED cryptohi: Fix handling of default parameters in non-empty RSS-PSS parameters field 2020-12-03 14:33:28 UTC
Mozilla Foundation 1415187 0 -- RESOLVED certutil: Don't restrict RSA-PSS certificate to specific hash algorithm unless -Z is given 2020-12-03 14:33:28 UTC
Mozilla Foundation 1423557 0 -- RESOLVED cryptohi: make RSA-PSS parameter check stricter 2020-12-03 14:33:28 UTC
Red Hat Bugzilla 1431210 0 high CLOSED Import of pkcs#12 with RSA-PSS certificates does not work with pk12util 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2018:0679 0 None None None 2018-04-10 09:26:39 UTC

Internal Links: 1431210

Description Hubert Kario 2017-02-21 15:45:57 UTC 
Description of problem:
1. The --pss option to certutil is undocumented
2. NSS will self-sign RSA-PSS certificates using RSASSA-PKCS#1 v1.5 algorithm
3. NSS recognised empty RSA-PSS certificate public key parameters as invalid
4. There is no documented way how to create regular RSA certificates with RSA-PSS signature

Version-Release number of selected component (if applicable):
upstream 3.29.2 beta

How reproducible:
Always

Steps to Reproduce:
mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]?
y


certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Tue Feb 21 15:05:16 2017
            Not After : Wed Feb 21 15:05:16 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
                Parameters:
                    Invalid RSA-PSS parameters
            RSA Public Key:
                Modulus:
                    ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:b6:9a:
                    8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:8a:9b:98:
                    36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:db:d0:fc:94:
                    a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:45:0c:30:33:7a:
                    85:98:e4:f9:5c:bc:98:75:73:92:5c:85:25:5a:da:ba:
                    d6:77:f6:96:35:d2:43:b3:da:b5:4e:e4:e5:d3:0a:1d:
                    69:dc:c9:76:47:af:a3:08:3c:1b:7b:3f:7f:1b:aa:32:
                    11:56:17:37:11:e0:62:8c:bf:6e:21:b2:bc:df:da:b7:
                    b8:f5:64:d4:91:d6:01:77:3b:62:b3:e7:4b:00:29:23:
                    7b:be:e7:b0:f5:dd:5f:75:87:45:06:9e:0f:17:9b:95:
                    34:57:d4:5e:90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:
                    a4:e8:2f:aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:
                    36:d6:f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:
                    ee:39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:d3:
                    dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:ce:d7
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:
        6c:b4:fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:
        44:0c:9b:98:ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:
        fc:7e:2b:69:8d:9b:a3:03:14:7b:9f:cb:76:75:d4:e6:
        2c:3b:d0:b3:5a:a8:0d:2e:c4:27:fe:dc:35:28:87:6b:
        52:05:5a:68:46:3e:44:21:06:9c:77:0e:38:e8:ca:53:
        9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:de:35:5f:f8:
        7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:2d:6f:
        6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
        68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:
        55:55:dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:
        9b:96:59:b8:0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:
        69:8e:de:9c:eb:6f:8e:7a:1d:e1:a8:37:f6:ea:68:76:
        cd:92:46:0e:92:7f:af:47:cc:2a:27:d1:31:d0:2f:75:
        ea:9c:a6:14:86:ea:11:9d:f8:0e:c3:b0:84:c3:9f:b5:
        f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:91:d9:bd:01
    Fingerprint (SHA-256):
        E8:48:C6:D7:A5:41:6D:10:CE:78:E2:8A:2F:DE:7F:D4:91:05:30:FC:51:B9:02:6F:A9:85:14:E9:DD:77:59:59
    Fingerprint (SHA1):
        24:2F:67:6B:5C:0D:5B:24:16:9D:C7:ED:6B:EC:7F:21:AA:6E:82:9F

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User



at the same time, openssl recognises it as "No PSS parameter restrictions":

openssl x509 -in cert.pem -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = RSA PSS Testing CA
        Validity
            Not Before: Feb 21 15:05:16 2017 GMT
            Not After : Feb 21 15:05:16 2018 GMT
        Subject: CN = RSA PSS Testing CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (2048 bit)
                Modulus:
                    00:ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:
                    b6:9a:8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:
                    8a:9b:98:36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:
                    db:d0:fc:94:a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:
                    45:0c:30:33:7a:85:98:e4:f9:5c:bc:98:75:73:92:
                    5c:85:25:5a:da:ba:d6:77:f6:96:35:d2:43:b3:da:
                    b5:4e:e4:e5:d3:0a:1d:69:dc:c9:76:47:af:a3:08:
                    3c:1b:7b:3f:7f:1b:aa:32:11:56:17:37:11:e0:62:
                    8c:bf:6e:21:b2:bc:df:da:b7:b8:f5:64:d4:91:d6:
                    01:77:3b:62:b3:e7:4b:00:29:23:7b:be:e7:b0:f5:
                    dd:5f:75:87:45:06:9e:0f:17:9b:95:34:57:d4:5e:
                    90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:a4:e8:2f:
                    aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:36:d6:
                    f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:ee:
                    39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:
                    d3:dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:
                    ce:d7
                Exponent: 65537 (0x10001)
                No PSS parameter restrictions
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:6c:b4:
         fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:44:0c:9b:98:
         ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:fc:7e:2b:69:8d:9b:
         a3:03:14:7b:9f:cb:76:75:d4:e6:2c:3b:d0:b3:5a:a8:0d:2e:
         c4:27:fe:dc:35:28:87:6b:52:05:5a:68:46:3e:44:21:06:9c:
         77:0e:38:e8:ca:53:9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:
         de:35:5f:f8:7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:
         2d:6f:6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
         68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:55:55:
         dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:9b:96:59:b8:
         0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:69:8e:de:9c:eb:6f:
         8e:7a:1d:e1:a8:37:f6:ea:68:76:cd:92:46:0e:92:7f:af:47:
         cc:2a:27:d1:31:d0:2f:75:ea:9c:a6:14:86:ea:11:9d:f8:0e:
         c3:b0:84:c3:9f:b5:f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:
         91:d9:bd:01

but looking at ASN.1 decoding, it looks like they are simply missing:

openssl asn1parse -in cert.pem 
    0:d=0  hl=4 l= 730 cons: SEQUENCE          
    4:d=1  hl=4 l= 450 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   2 prim: INTEGER           :03E8
   17:d=2  hl=2 l=  13 cons: SEQUENCE          
   19:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   30:d=3  hl=2 l=   0 prim: NULL              
   32:d=2  hl=2 l=  29 cons: SEQUENCE          
   34:d=3  hl=2 l=  27 cons: SET               
   36:d=4  hl=2 l=  25 cons: SEQUENCE          
   38:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   43:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
   63:d=2  hl=2 l=  30 cons: SEQUENCE          
   65:d=3  hl=2 l=  13 prim: UTCTIME           :170221150516Z
   80:d=3  hl=2 l=  13 prim: UTCTIME           :180221150516Z
   95:d=2  hl=2 l=  29 cons: SEQUENCE          
   97:d=3  hl=2 l=  27 cons: SET               
   99:d=4  hl=2 l=  25 cons: SEQUENCE          
  101:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  106:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
  126:d=2  hl=4 l= 288 cons: SEQUENCE          
  130:d=3  hl=2 l=  11 cons: SEQUENCE          
  132:d=4  hl=2 l=   9 prim: OBJECT            :rsassaPss
  143:d=3  hl=4 l= 271 prim: BIT STRING        
  418:d=2  hl=2 l=  38 cons: cont [ 3 ]        
  420:d=3  hl=2 l=  36 cons: SEQUENCE          
  422:d=4  hl=2 l=  18 cons: SEQUENCE          
  424:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  429:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  432:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020100
  442:d=4  hl=2 l=  14 cons: SEQUENCE          
  444:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  449:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  452:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020186
  458:d=1  hl=2 l=  13 cons: SEQUENCE          
  460:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  471:d=2  hl=2 l=   0 prim: NULL              
  473:d=1  hl=4 l= 257 prim: BIT STRING

openssl asn1parse -in cert.pem -strparse 143
    0:d=0  hl=4 l= 266 cons: SEQUENCE          
    4:d=1  hl=4 l= 257 prim: INTEGER           :EDB73F87DEA93A03D40813AAB5ABB69A8FE9357128D4DBE277480BE6D88A9B9836A3E5DCCC9302D13A44AC29DBD0FC94A20DAEC1F21C401AB80BD3450C30337A8598E4F95CBC987573925C85255ADABAD677F69635D243B3DAB54EE4E5D30A1D69DCC97647AFA3083C1B7B3F7F1BAA321156173711E0628CBF6E21B2BCDFDAB7B8F564D491D601773B62B3E74B0029237BBEE7B0F5DD5F758745069E0F179B953457D45E907C8A2FC9FA13A33B78DAE4A4E82FAA61B11B43D3E2D0A0CB6B9E5536D6F7E244516A2FB00AE7883684A1AAEE3916C9930375115669F9D7350E695D43F6246FFCC96A2692076FA0F3A203D3DC017305F27A02E6BB2A532252C7CED7
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

Additional info:
Comment 1 Kai Engert (:kaie) (inactive account) 2017-02-22 18:55:18 UTC 
It isn't clear if we'll be able to get these issues fixed for rhel 7.4.0, and who will work on them.

Volunteers welcome.

Bob suggested, it would be good to get the incorrect behavior fixed, because if we ship an incorrect behavior in 7.4.0, it would be difficult to switch to a different behavior in later 7.x releases.
Comment 22 errata-xmlrpc 2018-04-10 09:25:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679
Note You need to log in before you can comment on or make changes to this bug.