Bug 1708260 - RSA-PSS keys generated by NSS when exported to PKCS#12 file use the rsaEncryption identifier
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nss
Version: 8.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 8.0
Assignee: nss-nspr-maint
QA Contact: BaseOS QE Security Team
Reported: 2019-05-09 13:22 UTC by Ivan Nikolchev
Modified: 2023-01-04 14:07 UTC (History)
Last Closed: 2020-09-15 13:55:14 UTC
Type: Bug
Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Mozilla Foundation | 1665070 | 0 | -- | NEW | RSA-PSS keys generated by NSS when exported to PKCS#12 file use the rsaEncryption identifier | 2021-01-08 13:36:06 UTC |
| Red Hat Bugzilla | 1508571 | 0 | medium | CLOSED | Exporting RSA-PSS keys to PKCS#12 drops the rsa-pss identifier from them [rhel-7] | 2021-02-22 00:41:40 UTC |
| Red Hat Issue Tracker | CRYPTO-9237 | 0 | None | None | None | 2023-01-04 14:07:00 UTC |
| Red Hat Issue Tracker | RHELPLAN-48251 | 0 | None | None | None | 2023-01-04 13:52:43 UTC |

Internal Links: 1508571

Description Ivan Nikolchev 2019-05-09 13:22:10 UTC
Description of problem:
When you generate RSA-PSS keys with NSS, later export them to PKCS#12, and inspect the decrypted key, you can see that the rsaEncryption OID is used instead of rsassaPss.

Version-Release number of selected component (if applicable):
nss-3.41.0-5.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 
Is this a critical extension [y/N]?
y

pk12util -o p12file -n rsaca -d sql:nssdb

Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL

openssl pkcs12 -in p12file -nodes -nocerts > privatekey.pem
openssl asn1parse -in privatekey.pem -inform PEM -strictpem


Actual results:
rsaEncryption OID used

Expected results:
rsassaPss OID used

Additional info:
openssl x509 -noout -text -in cert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: rsassaPss         
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 0x20
         Trailer Field: 0xBC (default)
        Issuer: CN = RSA PSS Testing CA
        Validity
            Not Before: May  9 12:23:21 2019 GMT
            Not After : May  9 12:23:21 2020 GMT
        Subject: CN = RSA PSS Testing CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
                PSS parameter restrictions:
                  Hash Algorithm: sha256
                  Mask Algorithm: mgf1 with sha256
                  Minimum Salt Length: 0x20
                  Trailer Field: 0xBC (default)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: rsassaPss         
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 0x20
         Trailer Field: 0xBC (default)


