Bug 1425514 - certutil has multiple issues in handling RSA-PSS certificates
Summary: certutil has multiple issues in handling RSA-PSS certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Daiki Ueno
QA Contact: Alicja Kario
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: rhel7-rsa-pss-in-nss
Reported: 2017-02-21 15:45 UTC by Alicja Kario
Modified: 2019-04-21 07:27 UTC (History)

Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: Technology Preview
Doc Text:
.Support for certificates signed with `RSA-PSS` in `certutil` has been improved

Support for certificates signed with the `RSA-PSS` algorithm in the `certutil` tool has been improved. Notable enhancements and fixes include:

* The `--pss` option is now documented.
* The `PKCS#1 v1.5` algorithm is no longer used for self-signed signatures when a certificate is restricted to use `RSA-PSS`.
* Empty `RSA-PSS` parameters in the `subjectPublicKeyInfo` field are no longer printed as invalid when listing certificates.
* The `--pss-sign` option for creating regular RSA certificates signed with the `RSA-PSS` algorithm has been added.

Support for certificates signed with `RSA-PSS` in `certutil` is provided as a Technology Preview.
Clone Of:
Environment:
Last Closed: 2018-04-10 09:25:43 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 158750 0 P2 NEW [Meta] Support RSAPSS 2020-12-03 14:33:29 UTC
Mozilla Foundation 1341302 0 -- RESOLVED certutil --pss is undocumented 2020-12-03 14:33:27 UTC
Mozilla Foundation 1341306 0 P3 RESOLVED NSS will self-sign a RSA-PSS certificate using RSASSA-PKCS1-v1_5 2020-12-03 14:33:27 UTC
Mozilla Foundation 1341316 0 -- RESOLVED NSS recognises empty PSS-certificate public key parameters as invalid 2020-12-03 14:33:27 UTC
Mozilla Foundation 1415171 0 -- RESOLVED cryptohi: Fix handling of default parameters in non-empty RSS-PSS parameters field 2020-12-03 14:33:28 UTC
Mozilla Foundation 1415187 0 -- RESOLVED certutil: Don't restrict RSA-PSS certificate to specific hash algorithm unless -Z is given 2020-12-03 14:33:28 UTC
Mozilla Foundation 1423557 0 -- RESOLVED cryptohi: make RSA-PSS parameter check stricter 2020-12-03 14:33:28 UTC
Red Hat Bugzilla 1431210 0 high CLOSED Import of pkcs#12 with RSA-PSS certificates does not work with pk12util 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2018:0679 0 None None None 2018-04-10 09:26:39 UTC

Internal Links: 1431210

Description Alicja Kario 2017-02-21 15:45:57 UTC
Description of problem:
1. The --pss option to certutil is undocumented
2. NSS will self-sign RSA-PSS certificates using RSASSA-PKCS#1 v1.5 algorithm
3. NSS recognised empty RSA-PSS certificate public key parameters as invalid
4. There is no documented way to create regular RSA certificates with RSA-PSS signature

Version-Release number of selected component (if applicable):
upstream 3.29.2 beta

How reproducible:
Always

Steps to Reproduce:
mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]?
y


certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Tue Feb 21 15:05:16 2017
            Not After : Wed Feb 21 15:05:16 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
                Parameters:
                    Invalid RSA-PSS parameters
            RSA Public Key:
                Modulus:
                    ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:b6:9a:
                    8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:8a:9b:98:
                    36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:db:d0:fc:94:
                    a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:45:0c:30:33:7a:
                    85:98:e4:f9:5c:bc:98:75:73:92:5c:85:25:5a:da:ba:
                    d6:77:f6:96:35:d2:43:b3:da:b5:4e:e4:e5:d3:0a:1d:
                    69:dc:c9:76:47:af:a3:08:3c:1b:7b:3f:7f:1b:aa:32:
                    11:56:17:37:11:e0:62:8c:bf:6e:21:b2:bc:df:da:b7:
                    b8:f5:64:d4:91:d6:01:77:3b:62:b3:e7:4b:00:29:23:
                    7b:be:e7:b0:f5:dd:5f:75:87:45:06:9e:0f:17:9b:95:
                    34:57:d4:5e:90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:
                    a4:e8:2f:aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:
                    36:d6:f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:
                    ee:39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:d3:
                    dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:ce:d7
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:
        6c:b4:fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:
        44:0c:9b:98:ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:
        fc:7e:2b:69:8d:9b:a3:03:14:7b:9f:cb:76:75:d4:e6:
        2c:3b:d0:b3:5a:a8:0d:2e:c4:27:fe:dc:35:28:87:6b:
        52:05:5a:68:46:3e:44:21:06:9c:77:0e:38:e8:ca:53:
        9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:de:35:5f:f8:
        7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:2d:6f:
        6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
        68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:
        55:55:dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:
        9b:96:59:b8:0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:
        69:8e:de:9c:eb:6f:8e:7a:1d:e1:a8:37:f6:ea:68:76:
        cd:92:46:0e:92:7f:af:47:cc:2a:27:d1:31:d0:2f:75:
        ea:9c:a6:14:86:ea:11:9d:f8:0e:c3:b0:84:c3:9f:b5:
        f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:91:d9:bd:01
    Fingerprint (SHA-256):
        E8:48:C6:D7:A5:41:6D:10:CE:78:E2:8A:2F:DE:7F:D4:91:05:30:FC:51:B9:02:6F:A9:85:14:E9:DD:77:59:59
    Fingerprint (SHA1):
        24:2F:67:6B:5C:0D:5B:24:16:9D:C7:ED:6B:EC:7F:21:AA:6E:82:9F

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User



at the same time, openssl recognises it as "No PSS parameter restrictions":

openssl x509 -in cert.pem -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = RSA PSS Testing CA
        Validity
            Not Before: Feb 21 15:05:16 2017 GMT
            Not After : Feb 21 15:05:16 2018 GMT
        Subject: CN = RSA PSS Testing CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (2048 bit)
                Modulus:
                    00:ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:
                    b6:9a:8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:
                    8a:9b:98:36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:
                    db:d0:fc:94:a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:
                    45:0c:30:33:7a:85:98:e4:f9:5c:bc:98:75:73:92:
                    5c:85:25:5a:da:ba:d6:77:f6:96:35:d2:43:b3:da:
                    b5:4e:e4:e5:d3:0a:1d:69:dc:c9:76:47:af:a3:08:
                    3c:1b:7b:3f:7f:1b:aa:32:11:56:17:37:11:e0:62:
                    8c:bf:6e:21:b2:bc:df:da:b7:b8:f5:64:d4:91:d6:
                    01:77:3b:62:b3:e7:4b:00:29:23:7b:be:e7:b0:f5:
                    dd:5f:75:87:45:06:9e:0f:17:9b:95:34:57:d4:5e:
                    90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:a4:e8:2f:
                    aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:36:d6:
                    f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:ee:
                    39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:
                    d3:dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:
                    ce:d7
                Exponent: 65537 (0x10001)
                No PSS parameter restrictions
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:6c:b4:
         fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:44:0c:9b:98:
         ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:fc:7e:2b:69:8d:9b:
         a3:03:14:7b:9f:cb:76:75:d4:e6:2c:3b:d0:b3:5a:a8:0d:2e:
         c4:27:fe:dc:35:28:87:6b:52:05:5a:68:46:3e:44:21:06:9c:
         77:0e:38:e8:ca:53:9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:
         de:35:5f:f8:7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:
         2d:6f:6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
         68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:55:55:
         dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:9b:96:59:b8:
         0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:69:8e:de:9c:eb:6f:
         8e:7a:1d:e1:a8:37:f6:ea:68:76:cd:92:46:0e:92:7f:af:47:
         cc:2a:27:d1:31:d0:2f:75:ea:9c:a6:14:86:ea:11:9d:f8:0e:
         c3:b0:84:c3:9f:b5:f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:
         91:d9:bd:01

but looking at ASN.1 decoding, it looks like they are simply missing:

openssl asn1parse -in cert.pem 
    0:d=0  hl=4 l= 730 cons: SEQUENCE          
    4:d=1  hl=4 l= 450 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   2 prim: INTEGER           :03E8
   17:d=2  hl=2 l=  13 cons: SEQUENCE          
   19:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   30:d=3  hl=2 l=   0 prim: NULL              
   32:d=2  hl=2 l=  29 cons: SEQUENCE          
   34:d=3  hl=2 l=  27 cons: SET               
   36:d=4  hl=2 l=  25 cons: SEQUENCE          
   38:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   43:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
   63:d=2  hl=2 l=  30 cons: SEQUENCE          
   65:d=3  hl=2 l=  13 prim: UTCTIME           :170221150516Z
   80:d=3  hl=2 l=  13 prim: UTCTIME           :180221150516Z
   95:d=2  hl=2 l=  29 cons: SEQUENCE          
   97:d=3  hl=2 l=  27 cons: SET               
   99:d=4  hl=2 l=  25 cons: SEQUENCE          
  101:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  106:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
  126:d=2  hl=4 l= 288 cons: SEQUENCE          
  130:d=3  hl=2 l=  11 cons: SEQUENCE          
  132:d=4  hl=2 l=   9 prim: OBJECT            :rsassaPss
  143:d=3  hl=4 l= 271 prim: BIT STRING        
  418:d=2  hl=2 l=  38 cons: cont [ 3 ]        
  420:d=3  hl=2 l=  36 cons: SEQUENCE          
  422:d=4  hl=2 l=  18 cons: SEQUENCE          
  424:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  429:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  432:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020100
  442:d=4  hl=2 l=  14 cons: SEQUENCE          
  444:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  449:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  452:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020186
  458:d=1  hl=2 l=  13 cons: SEQUENCE          
  460:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  471:d=2  hl=2 l=   0 prim: NULL              
  473:d=1  hl=4 l= 257 prim: BIT STRING

openssl asn1parse -in cert.pem -strparse 143
    0:d=0  hl=4 l= 266 cons: SEQUENCE          
    4:d=1  hl=4 l= 257 prim: INTEGER           :[modulus value omitted]
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

Additional info:
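
The two encoding conditions shown in the description above (an `rsassaPss` key whose AlgorithmIdentifier carries no parameters, and a self-signed certificate on that key whose signatureAlgorithm is `sha256WithRSAEncryption`) can be checked mechanically. The following is an added example, not part of the original bug report or of NSS: a standard-library DER walk in which `check_pss_cert`, `sample_cert` and the finding labels are hypothetical names, and the sample certificate is a constructed skeleton with dummy key and signature bytes.

```python
OID_RSASSA_PSS = bytes.fromhex("2a864886f70d01010a")  # 1.2.840.113549.1.1.10
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def tlv(tag, body):  # DER-encode one TLV (only used to build the sample)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def children(body):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, off = [], 0
    while off < len(body):
        tag, length = body[off], body[off + 1]
        off += 2
        if length & 0x80:  # long form: low 7 bits give the length's byte count
            n = length & 0x7F
            length, off = int.from_bytes(body[off:off + n], "big"), off + n
        if off + length > len(body):
            raise ValueError("truncated DER element")
        out.append((tag, body[off:off + length]))
        off += length
    return out

def check_pss_cert(der):
    """Report the two RSA-PSS encoding conditions discussed in this bug."""
    (_, cert), = children(der)
    (_, tbs), (_, outer_alg), _sig = children(cert)
    fields = [f for f in children(tbs) if f[0] != 0xA0]  # drop [0] version
    issuer, subject, spki = fields[2], fields[4], fields[5]  # after serial, sigalg
    spki_alg = children(children(spki[1])[0][1])  # AlgorithmIdentifier of the key
    sig_oid = children(outer_alg)[0][1]
    findings = []
    if spki_alg[0][1] == OID_RSASSA_PSS:
        if len(spki_alg) == 1:  # OID only: parameters absent, i.e. unrestricted
            findings.append("spki-params-absent")
        if issuer == subject and sig_oid != OID_RSASSA_PSS:
            findings.append("pss-key-self-signed-with-non-pss")
    return findings

def sample_cert(sig_oid=OID_SHA256_RSA):
    """Constructed skeleton of the cert above; key/signature bytes are dummies."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"RSA PSS Testing CA"))))
    validity = tlv(0x30, tlv(0x17, b"170221150516Z") + tlv(0x17, b"180221150516Z"))
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSASSA_PSS)) + tlv(0x03, bytes(271)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x03\xe8") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(257)))
```
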

Comment 1 Kai Engert (:kaie) (inactive account) 2017-02-22 18:55:18 UTC
It isn't clear if we'll be able to get these issues fixed for rhel 7.4.0, and who will work on them.

Volunteers welcome.

Bob suggested it would be good to get the incorrect behavior fixed, because if we ship an incorrect behavior in 7.4.0, it would be difficult to switch to a different behavior in later 7.x releases.

Comment 22 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679

