Closed Bug 1341316 Opened 6 years ago Closed 5 years ago

NSS recognises empty PSS-certificate public key parameters as invalid

Categories

(NSS :: Tools, defect)

3.29
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hkario, Unassigned)

References

Details

When a RSA-PSS certificate is created using certutil, the same tool does not recognise the public key parameters/limitations, reporting "Invalid RSA-PSS parameters":


mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]?
y


certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Tue Feb 21 15:05:16 2017
            Not After : Wed Feb 21 15:05:16 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
                Parameters:
                    Invalid RSA-PSS parameters
            RSA Public Key:
                Modulus:
                    ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:b6:9a:
                    8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:8a:9b:98:
                    36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:db:d0:fc:94:
                    a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:45:0c:30:33:7a:
                    85:98:e4:f9:5c:bc:98:75:73:92:5c:85:25:5a:da:ba:
                    d6:77:f6:96:35:d2:43:b3:da:b5:4e:e4:e5:d3:0a:1d:
                    69:dc:c9:76:47:af:a3:08:3c:1b:7b:3f:7f:1b:aa:32:
                    11:56:17:37:11:e0:62:8c:bf:6e:21:b2:bc:df:da:b7:
                    b8:f5:64:d4:91:d6:01:77:3b:62:b3:e7:4b:00:29:23:
                    7b:be:e7:b0:f5:dd:5f:75:87:45:06:9e:0f:17:9b:95:
                    34:57:d4:5e:90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:
                    a4:e8:2f:aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:
                    36:d6:f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:
                    ee:39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:d3:
                    dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:ce:d7
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:
        6c:b4:fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:
        44:0c:9b:98:ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:
        fc:7e:2b:69:8d:9b:a3:03:14:7b:9f:cb:76:75:d4:e6:
        2c:3b:d0:b3:5a:a8:0d:2e:c4:27:fe:dc:35:28:87:6b:
        52:05:5a:68:46:3e:44:21:06:9c:77:0e:38:e8:ca:53:
        9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:de:35:5f:f8:
        7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:2d:6f:
        6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
        68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:
        55:55:dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:
        9b:96:59:b8:0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:
        69:8e:de:9c:eb:6f:8e:7a:1d:e1:a8:37:f6:ea:68:76:
        cd:92:46:0e:92:7f:af:47:cc:2a:27:d1:31:d0:2f:75:
        ea:9c:a6:14:86:ea:11:9d:f8:0e:c3:b0:84:c3:9f:b5:
        f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:91:d9:bd:01
    Fingerprint (SHA-256):
        E8:48:C6:D7:A5:41:6D:10:CE:78:E2:8A:2F:DE:7F:D4:91:05:30:FC:51:B9:02:6F:A9:85:14:E9:DD:77:59:59
    Fingerprint (SHA1):
        24:2F:67:6B:5C:0D:5B:24:16:9D:C7:ED:6B:EC:7F:21:AA:6E:82:9F

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User



at the same time, openssl recognises it as "No PSS parameter restrictions":

openssl x509 -in cert.pem -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = RSA PSS Testing CA
        Validity
            Not Before: Feb 21 15:05:16 2017 GMT
            Not After : Feb 21 15:05:16 2018 GMT
        Subject: CN = RSA PSS Testing CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (2048 bit)
                Modulus:
                    00:ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:
                    b6:9a:8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:
                    8a:9b:98:36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:
                    db:d0:fc:94:a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:
                    45:0c:30:33:7a:85:98:e4:f9:5c:bc:98:75:73:92:
                    5c:85:25:5a:da:ba:d6:77:f6:96:35:d2:43:b3:da:
                    b5:4e:e4:e5:d3:0a:1d:69:dc:c9:76:47:af:a3:08:
                    3c:1b:7b:3f:7f:1b:aa:32:11:56:17:37:11:e0:62:
                    8c:bf:6e:21:b2:bc:df:da:b7:b8:f5:64:d4:91:d6:
                    01:77:3b:62:b3:e7:4b:00:29:23:7b:be:e7:b0:f5:
                    dd:5f:75:87:45:06:9e:0f:17:9b:95:34:57:d4:5e:
                    90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:a4:e8:2f:
                    aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:36:d6:
                    f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:ee:
                    39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:
                    d3:dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:
                    ce:d7
                Exponent: 65537 (0x10001)
                No PSS parameter restrictions
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:6c:b4:
         fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:44:0c:9b:98:
         ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:fc:7e:2b:69:8d:9b:
         a3:03:14:7b:9f:cb:76:75:d4:e6:2c:3b:d0:b3:5a:a8:0d:2e:
         c4:27:fe:dc:35:28:87:6b:52:05:5a:68:46:3e:44:21:06:9c:
         77:0e:38:e8:ca:53:9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:
         de:35:5f:f8:7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:
         2d:6f:6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
         68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:55:55:
         dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:9b:96:59:b8:
         0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:69:8e:de:9c:eb:6f:
         8e:7a:1d:e1:a8:37:f6:ea:68:76:cd:92:46:0e:92:7f:af:47:
         cc:2a:27:d1:31:d0:2f:75:ea:9c:a6:14:86:ea:11:9d:f8:0e:
         c3:b0:84:c3:9f:b5:f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:
         91:d9:bd:01

but looking at ASN.1 decoding, it looks like they are simply missing:

openssl asn1parse -in cert.pem 
    0:d=0  hl=4 l= 730 cons: SEQUENCE          
    4:d=1  hl=4 l= 450 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   2 prim: INTEGER           :03E8
   17:d=2  hl=2 l=  13 cons: SEQUENCE          
   19:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   30:d=3  hl=2 l=   0 prim: NULL              
   32:d=2  hl=2 l=  29 cons: SEQUENCE          
   34:d=3  hl=2 l=  27 cons: SET               
   36:d=4  hl=2 l=  25 cons: SEQUENCE          
   38:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   43:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
   63:d=2  hl=2 l=  30 cons: SEQUENCE          
   65:d=3  hl=2 l=  13 prim: UTCTIME           :170221150516Z
   80:d=3  hl=2 l=  13 prim: UTCTIME           :180221150516Z
   95:d=2  hl=2 l=  29 cons: SEQUENCE          
   97:d=3  hl=2 l=  27 cons: SET               
   99:d=4  hl=2 l=  25 cons: SEQUENCE          
  101:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  106:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
  126:d=2  hl=4 l= 288 cons: SEQUENCE          
  130:d=3  hl=2 l=  11 cons: SEQUENCE          
  132:d=4  hl=2 l=   9 prim: OBJECT            :rsassaPss
  143:d=3  hl=4 l= 271 prim: BIT STRING        
  418:d=2  hl=2 l=  38 cons: cont [ 3 ]        
  420:d=3  hl=2 l=  36 cons: SEQUENCE          
  422:d=4  hl=2 l=  18 cons: SEQUENCE          
  424:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  429:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  432:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020100
  442:d=4  hl=2 l=  14 cons: SEQUENCE          
  444:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  449:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  452:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020186
  458:d=1  hl=2 l=  13 cons: SEQUENCE          
  460:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  471:d=2  hl=2 l=   0 prim: NULL              
  473:d=1  hl=4 l= 257 prim: BIT STRING

openssl asn1parse -in cert.pem -strparse 143
    0:d=0  hl=4 l= 266 cons: SEQUENCE          
    4:d=1  hl=4 l= 257 prim: INTEGER           :EDB73F87DEA93A03D40813AAB5ABB69A8FE9357128D4DBE277480BE6D88A9B9836A3E5DCCC9302D13A44AC29DBD0FC94A20DAEC1F21C401AB80BD3450C30337A8598E4F95CBC987573925C85255ADABAD677F69635D243B3DAB54EE4E5D30A1D69DCC97647AFA3083C1B7B3F7F1BAA321156173711E0628CBF6E21B2BCDFDAB7B8F564D491D601773B62B3E74B0029237BBEE7B0F5DD5F758745069E0F179B953457D45E907C8A2FC9FA13A33B78DAE4A4E82FAA61B11B43D3E2D0A0CB6B9E5536D6F7E244516A2FB00AE7883684A1AAEE3916C9930375115669F9D7350E695D43F6246FFCC96A2692076FA0F3A203D3DC017305F27A02E6BB2A532252C7CED7
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

Which is correct according to https://tools.ietf.org/html/rfc4055#section-3:


   When RSASSA-PSS is used in an AlgorithmIdentifier, the parameters
   MUST employ the RSASSA-PSS-params syntax.  The parameters may be
   either absent or present when used as subject public key information.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This should be fixed as part of bug 1400844:

$ certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Thu Oct 26 16:02:17 2017
            Not After : Fri Oct 26 16:02:17 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
            RSA Public Key:
...

Note that it is no longer possible to create a certificate with empty RSA-PSS parameters and you will have to use an older NSS release to create a test certificate.
Depends on: 1400844
(In reply to Daiki Ueno [:ueno] from comment #1)
> Note that it is no longer possible to create a certificate with empty
> RSA-PSS parameters

But non-empty RSA-PSS parameters mean that the certificate can be used to create signatures only with hash specified in parameters (or SHA-1, if hash is left as default).

Given how much this complicates TLS signature algorithm negotiation, I don't think this is something we want to do...
Is there any other tool that has an ability to create a certificate with empty RSA-PSS parameters?  I am sure GnuTLS (certtool) doesn't, as it even refuses to create an RSA-PSS certificate usable with SHA-1.
openssl does that by default
The new behavior of certutils is, if -Z option is not specified, it determines a suitable hash algorithm according to the NIST 800-57 recommendation for the appropriate RSA key sizes:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

While empty RSA-PSS parameters allow the CA to use any hash algorithms, it also allows the use of weaker hash algorithms that could negate the security.
And for CA the RFC actually recommends to do that. But I'm talking about EE certificates.
Special casing based on whether the certificate is CA or EE would make the tool much more complicated.

Even if it is about EE certificates,

(In reply to Hubert Kario from comment #2)
> Given how much this complicates TLS signature algorithm negotiation,

I don't understand why this complicates TLS signature algorithm negotiation.  Could you elaborate on that?
(In reply to Daiki Ueno [:ueno] from comment #7)
> Special casing based on whether the certificate is CA or EE would make the
> tool much more complicated.

then it's probably better to not add the restrictions in both cases

> (In reply to Hubert Kario from comment #2)
> > Given how much this complicates TLS signature algorithm negotiation,
> 
> I don't understand why this complicates TLS signature algorithm negotiation.
> Could you elaborate on that?

a server has a RSA-PSS certificate with limitation to SHA512

some IoT widget connects to it that has hardware implementation of only SHA-256 because it doesn't have the silicon space or the energy budget for anything additional, so it correctly sends in Client Hello only signature algorithms with SHA-256.

The server cannot use the certificate for signing as it is limited to SHA512, so the connection has to be aborted.

Now, the server can have a second certificate (say, an ECDSA cert) and use it as a fallback. But then it needs to select different ciphersuite and signature algorithm. ← this is the "complicates TLS signature algorithm negotiation"
See Also: → 1415187
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.34
You need to log in before you can comment on or make changes to this bug.