Closed
Bug 1341316
Opened 8 years ago
Closed 7 years ago
NSS recognises empty PSS-certificate public key parameters as invalid
Categories
(NSS :: Tools, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.34
People
(Reporter: hkario, Unassigned)
When a RSA-PSS certificate is created using certutil, the same tool does not recognise the public key parameters/limitations, reporting "Invalid RSA-PSS parameters":
mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]?
y
certutil -L -d sql:nssdb/ -n rsaca
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=RSA PSS Testing CA"
Validity:
Not Before: Tue Feb 21 15:05:16 2017
Not After : Wed Feb 21 15:05:16 2018
Subject: "CN=RSA PSS Testing CA"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA-PSS Signature
Parameters:
Invalid RSA-PSS parameters
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with a maximum path length of 0.
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (SHA-256):
E8:48:C6:D7:A5:41:6D:10:CE:78:E2:8A:2F:DE:7F:D4:91:05:30:FC:51:B9:02:6F:A9:85:14:E9:DD:77:59:59
Fingerprint (SHA1):
24:2F:67:6B:5C:0D:5B:24:16:9D:C7:ED:6B:EC:7F:21:AA:6E:82:9F
Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
At the same time, openssl recognises it as "No PSS parameter restrictions":
openssl x509 -in cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = RSA PSS Testing CA
Validity
Not Before: Feb 21 15:05:16 2017 GMT
Not After : Feb 21 15:05:16 2018 GMT
Subject: CN = RSA PSS Testing CA
Subject Public Key Info:
Public Key Algorithm: rsassaPss
RSA-PSS Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
No PSS parameter restrictions
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
But looking at the ASN.1 decoding, it looks like they are simply missing:
openssl asn1parse -in cert.pem
0:d=0 hl=4 l= 730 cons: SEQUENCE
4:d=1 hl=4 l= 450 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 2 prim: INTEGER :03E8
17:d=2 hl=2 l= 13 cons: SEQUENCE
19:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
30:d=3 hl=2 l= 0 prim: NULL
32:d=2 hl=2 l= 29 cons: SEQUENCE
34:d=3 hl=2 l= 27 cons: SET
36:d=4 hl=2 l= 25 cons: SEQUENCE
38:d=5 hl=2 l= 3 prim: OBJECT :commonName
43:d=5 hl=2 l= 18 prim: PRINTABLESTRING :RSA PSS Testing CA
63:d=2 hl=2 l= 30 cons: SEQUENCE
65:d=3 hl=2 l= 13 prim: UTCTIME :170221150516Z
80:d=3 hl=2 l= 13 prim: UTCTIME :180221150516Z
95:d=2 hl=2 l= 29 cons: SEQUENCE
97:d=3 hl=2 l= 27 cons: SET
99:d=4 hl=2 l= 25 cons: SEQUENCE
101:d=5 hl=2 l= 3 prim: OBJECT :commonName
106:d=5 hl=2 l= 18 prim: PRINTABLESTRING :RSA PSS Testing CA
126:d=2 hl=4 l= 288 cons: SEQUENCE
130:d=3 hl=2 l= 11 cons: SEQUENCE
132:d=4 hl=2 l= 9 prim: OBJECT :rsassaPss
143:d=3 hl=4 l= 271 prim: BIT STRING
418:d=2 hl=2 l= 38 cons: cont [ 3 ]
420:d=3 hl=2 l= 36 cons: SEQUENCE
422:d=4 hl=2 l= 18 cons: SEQUENCE
424:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
429:d=5 hl=2 l= 1 prim: BOOLEAN :255
432:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020100
442:d=4 hl=2 l= 14 cons: SEQUENCE
444:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
449:d=5 hl=2 l= 1 prim: BOOLEAN :255
452:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020186
458:d=1 hl=2 l= 13 cons: SEQUENCE
460:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
471:d=2 hl=2 l= 0 prim: NULL
473:d=1 hl=4 l= 257 prim: BIT STRING
openssl asn1parse -in cert.pem -strparse 143
0:d=0 hl=4 l= 266 cons: SEQUENCE
4:d=1 hl=4 l= 257 prim
265:d=1 hl=2 l= 3 prim: INTEGER :010001
Which is correct according to https://tools.ietf.org/html/rfc4055#section-3:
When RSASSA-PSS is used in an AlgorithmIdentifier, the parameters
MUST employ the RSASSA-PSS-params syntax. The parameters may be
either absent or present when used as subject public key information.
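As an added illustration of the encoding difference the report describes (this is example code, not NSS or OpenSSL code), the reader below walks the SubjectPublicKeyInfo AlgorithmIdentifier and reports absent RSASSA-PSS parameters as "no restrictions" instead of "invalid", and, when parameters are present, extracts the hash, MGF hash and salt length with the RFC 4055 defaults (SHA-1, 20) filled in. The OID table only names the algorithms used here and the byte strings are constructed test vectors, not bytes from the bug's certificate.

```python
# Added example, not NSS/OpenSSL code: a minimal DER reader for the SubjectPublicKeyInfo
# AlgorithmIdentifier that tells absent RSASSA-PSS params (RFC 4055 s.3: allowed, no
# restrictions) from present params (key restricted to the named hash and salt length).
OIDS = {"1.2.840.113549.1.1.10": "rsassaPss", "1.2.840.113549.1.1.8": "mgf1",
        "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def read_tlv(buf, pos=0):          # -> (tag, contents, next_pos) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):          # OID contents octets -> dotted string
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def hash_in(algid):                # digest AlgorithmIdentifier SEQUENCE { OID, NULL } -> name
    _, seq, _ = read_tlv(algid)
    return OIDS.get(decode_oid(read_tlv(seq)[1]), "unknown")

def pss_restrictions(spki_algid):  # None if PSS params are absent (unrestricted), else limits
    _, body, _ = read_tlv(spki_algid)                  # SEQUENCE { OID, params OPTIONAL }
    _, oid, pos = read_tlv(body)
    if OIDS.get(decode_oid(oid)) != "rsassaPss":
        raise ValueError("not an RSASSA-PSS AlgorithmIdentifier")
    if pos >= len(body):
        return None                                    # absent: valid per RFC 4055, any hash
    _, params, _ = read_tlv(body, pos)
    res, p = {"hash": "sha1", "mgf_hash": "sha1", "salt_len": 20}, 0   # RFC 4055 DEFAULTs
    while p < len(params):
        tag, inner, p = read_tlv(params, p)
        if tag == 0xA0:                                # [0] hashAlgorithm
            res["hash"] = hash_in(inner)
        elif tag == 0xA1:                              # [1] maskGenAlgorithm { mgf1, hash }
            _, mgf, _ = read_tlv(inner)
            res["mgf_hash"] = hash_in(mgf[read_tlv(mgf)[2]:])
        elif tag == 0xA2:                              # [2] saltLength
            res["salt_len"] = int.from_bytes(read_tlv(inner)[1], "big")
    return res

# Constructed inputs (not bytes from the bug's certificate):
ALGID_ABSENT = bytes.fromhex("300b06092a864886f70d01010a")       # same shape as asn1parse shows
PSS_SHA256 = bytes.fromhex("3034a00f300d06096086480165030402010500a11c301a06092a864886"
                           "f70d010108300d06096086480165030402010500a203020120")
ALGID_RESTRICTED = bytes.fromhex("3041") + ALGID_ABSENT[2:] + PSS_SHA256
```

`pss_restrictions(ALGID_ABSENT)` returns None, which is the "No PSS parameter restrictions" case openssl prints; `pss_restrictions(ALGID_RESTRICTED)` returns the SHA-256/MGF1-SHA-256/salt-32 limits that a restricted key would carry.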
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1•8 years ago (Daiki Ueno [:ueno])
This should be fixed as part of bug 1400844:
$ certutil -L -d sql:nssdb/ -n rsaca
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=RSA PSS Testing CA"
Validity:
Not Before: Thu Oct 26 16:02:17 2017
Not After : Fri Oct 26 16:02:17 2018
Subject: "CN=RSA PSS Testing CA"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA-PSS Signature
RSA Public Key:
...
Note that it is no longer possible to create a certificate with empty RSA-PSS parameters and you will have to use an older NSS release to create a test certificate.
Depends on: 1400844
Comment 2•8 years ago (Reporter)
(In reply to Daiki Ueno [:ueno] from comment #1)
> Note that it is no longer possible to create a certificate with empty
> RSA-PSS parameters
But non-empty RSA-PSS parameters mean that the certificate can be used to create signatures only with the hash specified in the parameters (or SHA-1, if the hash is left as default).
Given how much this complicates TLS signature algorithm negotiation, I don't think this is something we want to do...
Comment 3•8 years ago
Is there any other tool that has an ability to create a certificate with empty RSA-PSS parameters? I am sure GnuTLS (certtool) doesn't, as it even refuses to create an RSA-PSS certificate usable with SHA-1.
Comment 4•8 years ago (Reporter)
openssl does that by default
Comment 5•8 years ago
The new behavior of certutil is that, if the -Z option is not specified, it determines a suitable hash algorithm according to the NIST 800-57 recommendation for the appropriate RSA key sizes:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
While empty RSA-PSS parameters allow the CA to use any hash algorithm, they also allow the use of weaker hash algorithms that could negate the security.
Comment 6•8 years ago (Reporter)
And for CAs the RFC actually recommends doing that. But I'm talking about EE certificates.
Comment 7•8 years ago (Daiki Ueno [:ueno])
Special casing based on whether the certificate is CA or EE would make the tool much more complicated.
Even if it is about EE certificates,
(In reply to Hubert Kario from comment #2)
> Given how much this complicates TLS signature algorithm negotiation,
I don't understand why this complicates TLS signature algorithm negotiation. Could you elaborate on that?
Comment 8•8 years ago (Reporter)
(In reply to Daiki Ueno [:ueno] from comment #7)
> Special casing based on whether the certificate is CA or EE would make the
> tool much more complicated.
Then it's probably better not to add the restrictions in either case.
> (In reply to Hubert Kario from comment #2)
> > Given how much this complicates TLS signature algorithm negotiation,
>
> I don't understand why this complicates TLS signature algorithm negotiation.
> Could you elaborate on that?
A server has an RSA-PSS certificate with a limitation to SHA-512.
Some IoT widget connects to it that has a hardware implementation of only SHA-256 because it doesn't have the silicon space or the energy budget for anything additional, so it correctly sends only signature algorithms with SHA-256 in its Client Hello.
The server cannot use the certificate for signing as it is limited to SHA512, so the connection has to be aborted.
Now, the server can have a second certificate (say, an ECDSA cert) and use it as a fallback. But then it needs to select different ciphersuite and signature algorithm. ← this is the "complicates TLS signature algorithm negotiation"
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.34