Closed Bug 1341306 Opened 8 years ago Closed 8 years ago

NSS will self-sign a RSA-PSS certificate using RSASSA-PKCS1-v1_5

Categories: NSS :: Libraries, defect, P3
Version: 3.29
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: hkario, Unassigned

Details

When certutil is used to self-sign a certificate, it creates a certificate with RSASSA-PKCS#1-v1.5 signature:

mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss

Generating key. This may take a few moments...

Is this a CA certificate [y/N]? y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]? y

certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Tue Feb 21 15:05:16 2017
            Not After : Wed Feb 21 15:05:16 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
            Parameters:
                Invalid RSA-PSS parameters
            RSA Public Key:
                Modulus:
                    ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:b6:9a:
                    8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:8a:9b:98:
                    36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:db:d0:fc:94:
                    a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:45:0c:30:33:7a:
                    85:98:e4:f9:5c:bc:98:75:73:92:5c:85:25:5a:da:ba:
                    d6:77:f6:96:35:d2:43:b3:da:b5:4e:e4:e5:d3:0a:1d:
                    69:dc:c9:76:47:af:a3:08:3c:1b:7b:3f:7f:1b:aa:32:
                    11:56:17:37:11:e0:62:8c:bf:6e:21:b2:bc:df:da:b7:
                    b8:f5:64:d4:91:d6:01:77:3b:62:b3:e7:4b:00:29:23:
                    7b:be:e7:b0:f5:dd:5f:75:87:45:06:9e:0f:17:9b:95:
                    34:57:d4:5e:90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:
                    a4:e8:2f:aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:
                    36:d6:f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:
                    ee:39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:d3:
                    dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:ce:d7
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:
        6c:b4:fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:
        44:0c:9b:98:ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:
        fc:7e:2b:69:8d:9b:a3:03:14:7b:9f:cb:76:75:d4:e6:
        2c:3b:d0:b3:5a:a8:0d:2e:c4:27:fe:dc:35:28:87:6b:
        52:05:5a:68:46:3e:44:21:06:9c:77:0e:38:e8:ca:53:
        9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:de:35:5f:f8:
        7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:2d:6f:
        6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
        68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:
        55:55:dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:
        9b:96:59:b8:0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:
        69:8e:de:9c:eb:6f:8e:7a:1d:e1:a8:37:f6:ea:68:76:
        cd:92:46:0e:92:7f:af:47:cc:2a:27:d1:31:d0:2f:75:
        ea:9c:a6:14:86:ea:11:9d:f8:0e:c3:b0:84:c3:9f:b5:
        f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:91:d9:bd:01
    Fingerprint (SHA-256):
        E8:48:C6:D7:A5:41:6D:10:CE:78:E2:8A:2F:DE:7F:D4:91:05:30:FC:51:B9:02:6F:A9:85:14:E9:DD:77:59:59
    Fingerprint (SHA1):
        24:2F:67:6B:5C:0D:5B:24:16:9D:C7:ED:6B:EC:7F:21:AA:6E:82:9F

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hubert, your bug report isn't clear. Could you please clarify:
- what is wrong?
- what is your expectation?
Per RFC 4055:

    When the RSA private key owner wishes to limit the use of the public key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object identifier MUST be used in the algorithm field within the subject public key information, and, if present, the parameters field MUST contain RSASSA-PSS-params.

In other words, if the certificate has a public key of type "PKCS #1 RSA-PSS Signature", any "PKCS #1 SHA-256 With RSA Encryption" (RSASSA-PKCS#1 v1.5) signature it makes is invalid by definition.

If just the --pss option is passed to certutil, certutil should create a well-formed RSA-PSS certificate - that is, one that has RSA-PSS parameters and an RSA-PSS signature.

Creating such malformed certificates, like it does now, may remain possible to allow for testing, but I don't think it should be the default behaviour, or it shouldn't be possible without use of an explicit option stating what signature type should be used.
Priority: -- → P3
Depends on: 1400844
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.34
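The RFC 4055 rule the reporter quotes (a key published as id-RSASSA-PSS may only sign with RSASSA-PSS, and any SPKI parameters must be RSASSA-PSS-params) can be checked mechanically on a self-signed certificate. The script below is an added example and not NSS or certutil code: it builds two constructed DER certificate skeletons with placeholder key and signature bits and empty names, one shaped like the certutil output in the report (RSA-PSS key, sha256WithRSAEncryption signature; NULL parameters stand in for whatever certutil emitted that NSS printed as "Invalid RSA-PSS parameters", which is an assumption) and one well-formed, then walks the DER to compare the SubjectPublicKeyInfo algorithm with the signatureAlgorithm. The OIDs are the standard ones from RFC 4055 and PKCS #1; all function names and the sample builder are this example's own.

```python
"""RFC 4055 consistency check for a self-signed certificate: a key published as
id-RSASSA-PSS must be self-signed with id-RSASSA-PSS, and its SPKI parameters,
if present, must be RSASSA-PSS-params (a SEQUENCE).  Added example, not NSS or
certutil code; the sample certificates are constructed with placeholder bits."""

ID_RSASSA_PSS = "1.2.840.113549.1.1.10"    # RFC 4055
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # RSASSA-PKCS1-v1_5 with SHA-256, what certutil used
NULL = b"\x05\x00"

# --- minimal DER encoder, used only to construct the samples ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def alg_id(oid, params=b""):
    return tlv(0x30, encode_oid(oid) + params)

def build_cert(spki_alg, sig_alg, spki_params=b""):
    """Self-signed Certificate skeleton: v3, serial 1000, empty issuer and subject."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x03\xe8")
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"170221150516Z") * 2)
    bits = tlv(0x03, b"\x00" * 9)              # placeholder BIT STRING (key and signature)
    spki = tlv(0x30, alg_id(spki_alg, spki_params) + bits)
    tbs = tlv(0x30, version + serial + alg_id(sig_alg) + name + validity + name + spki)
    return tlv(0x30, tbs + alg_id(sig_alg) + bits)

# --- minimal DER walker for the fields the check needs ---
def read_tlv(buf, pos):
    """(tag, value_start, value_end) of the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def algorithm(buf, vs, ve):
    """(oid, tag of the parameters field or None) for an AlgorithmIdentifier body."""
    parts = list(children(buf, vs, ve))
    return decode_oid(buf[parts[0][1]:parts[0][2]]), (parts[1][0] if len(parts) > 1 else None)

def check_self_signed_pss(cert):
    """Return the list of RFC 4055 problems in one DER certificate (empty means consistent)."""
    _, cs, ce = read_tlv(cert, 0)
    tbs, sig_alg, _sig_value = children(cert, cs, ce)
    outer_oid, _ = algorithm(cert, sig_alg[1], sig_alg[2])
    fields = list(children(cert, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                   # skip the optional [0] version
        fields = fields[1:]
    _serial, inner, issuer, _validity, subject, spki = fields[:6]
    inner_oid, _ = algorithm(cert, inner[1], inner[2])
    problems = []
    if inner_oid != outer_oid:
        problems.append(f"tbsCertificate.signature {inner_oid} != signatureAlgorithm {outer_oid}")
    if cert[issuer[1]:issuer[2]] != cert[subject[1]:subject[2]]:
        return problems                        # not self-signed: the key-owner rule does not bind the issuer
    spki_oid, spki_params = algorithm(cert, *next(children(cert, spki[1], spki[2]))[1:])
    if spki_oid == ID_RSASSA_PSS:
        if outer_oid != ID_RSASSA_PSS:
            problems.append(f"RSA-PSS key self-signed with {outer_oid}")
        if spki_params not in (None, 0x30):
            problems.append("RSA-PSS key with parameters that are not RSASSA-PSS-params")
    return problems

# Constructed samples: the shape reported here (NULL parameters are an assumption
# standing in for the ones NSS printed as invalid) and the shape the reporter expects.
CERTUTIL_LIKE = build_cert(ID_RSASSA_PSS, SHA256_WITH_RSA, spki_params=NULL)
WELL_FORMED = build_cert(ID_RSASSA_PSS, ID_RSASSA_PSS)

if __name__ == "__main__":
    for label, cert in (("certutil-like", CERTUTIL_LIKE), ("well-formed", WELL_FORMED)):
        print(label, check_self_signed_pss(cert) or "consistent")
```

The walker deliberately reads only the fields it needs (outer signatureAlgorithm, the TBS signature field, issuer, subject and SPKI) and does no cryptographic verification; it answers the structural question the report raises, and a plain rsaEncryption key self-signed with sha256WithRSAEncryption passes because the RFC 4055 restriction only applies to keys published under id-RSASSA-PSS.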