Bug 1341316 - NSS recognises empty PSS-certificate public key parameters as invalid
Status: Closed, RESOLVED FIXED (opened 7 years ago, closed 6 years ago)
Categories: NSS :: Tools, defect
Tracking: Not tracked
Target Milestone: 3.34
People: Reporter: hkario; Assignee: Unassigned
When an RSA-PSS certificate is created using certutil, the same tool does not recognise the public key parameters/limitations, reporting "Invalid RSA-PSS parameters":

mkdir nssdb/
certutil -N --empty-password -d sql:nssdb/
dd if=/dev/urandom of=noise bs=1 count=32
certutil -S -z ./noise -n rsaca -s "cn=RSA PSS Testing CA" -t "C,C,C" -m 1000 -Z SHA256 -k rsa -g 2048 -x -v 12 -d sql:nssdb/ --keyUsage digitalSignature,certSigning,crlSigning,critical -2 --pss
Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]?
y

certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Tue Feb 21 15:05:16 2017
            Not After : Wed Feb 21 15:05:16 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
            Parameters:
                Invalid RSA-PSS parameters
            RSA Public Key:
                Modulus:
                    ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:b6:9a:
                    8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:8a:9b:98:
                    36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:db:d0:fc:94:
                    a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:45:0c:30:33:7a:
                    85:98:e4:f9:5c:bc:98:75:73:92:5c:85:25:5a:da:ba:
                    d6:77:f6:96:35:d2:43:b3:da:b5:4e:e4:e5:d3:0a:1d:
                    69:dc:c9:76:47:af:a3:08:3c:1b:7b:3f:7f:1b:aa:32:
                    11:56:17:37:11:e0:62:8c:bf:6e:21:b2:bc:df:da:b7:
                    b8:f5:64:d4:91:d6:01:77:3b:62:b3:e7:4b:00:29:23:
                    7b:be:e7:b0:f5:dd:5f:75:87:45:06:9e:0f:17:9b:95:
                    34:57:d4:5e:90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:
                    a4:e8:2f:aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:
                    36:d6:f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:
                    ee:39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:d3:
                    dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:ce:d7
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:
        6c:b4:fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:
        44:0c:9b:98:ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:
        fc:7e:2b:69:8d:9b:a3:03:14:7b:9f:cb:76:75:d4:e6:
        2c:3b:d0:b3:5a:a8:0d:2e:c4:27:fe:dc:35:28:87:6b:
        52:05:5a:68:46:3e:44:21:06:9c:77:0e:38:e8:ca:53:
        9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:de:35:5f:f8:
        7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:2d:6f:
        6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
        68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:
        55:55:dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:
        9b:96:59:b8:0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:
        69:8e:de:9c:eb:6f:8e:7a:1d:e1:a8:37:f6:ea:68:76:
        cd:92:46:0e:92:7f:af:47:cc:2a:27:d1:31:d0:2f:75:
        ea:9c:a6:14:86:ea:11:9d:f8:0e:c3:b0:84:c3:9f:b5:
        f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:91:d9:bd:01
    Fingerprint (SHA-256):
        E8:48:C6:D7:A5:41:6D:10:CE:78:E2:8A:2F:DE:7F:D4:91:05:30:FC:51:B9:02:6F:A9:85:14:E9:DD:77:59:59
    Fingerprint (SHA1):
        24:2F:67:6B:5C:0D:5B:24:16:9D:C7:ED:6B:EC:7F:21:AA:6E:82:9F

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User

At the same time, openssl recognises it as "No PSS parameter restrictions":

openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = RSA PSS Testing CA
        Validity
            Not Before: Feb 21 15:05:16 2017 GMT
            Not After : Feb 21 15:05:16 2018 GMT
        Subject: CN = RSA PSS Testing CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (2048 bit)
                Modulus:
                    00:ed:b7:3f:87:de:a9:3a:03:d4:08:13:aa:b5:ab:
                    b6:9a:8f:e9:35:71:28:d4:db:e2:77:48:0b:e6:d8:
                    8a:9b:98:36:a3:e5:dc:cc:93:02:d1:3a:44:ac:29:
                    db:d0:fc:94:a2:0d:ae:c1:f2:1c:40:1a:b8:0b:d3:
                    45:0c:30:33:7a:85:98:e4:f9:5c:bc:98:75:73:92:
                    5c:85:25:5a:da:ba:d6:77:f6:96:35:d2:43:b3:da:
                    b5:4e:e4:e5:d3:0a:1d:69:dc:c9:76:47:af:a3:08:
                    3c:1b:7b:3f:7f:1b:aa:32:11:56:17:37:11:e0:62:
                    8c:bf:6e:21:b2:bc:df:da:b7:b8:f5:64:d4:91:d6:
                    01:77:3b:62:b3:e7:4b:00:29:23:7b:be:e7:b0:f5:
                    dd:5f:75:87:45:06:9e:0f:17:9b:95:34:57:d4:5e:
                    90:7c:8a:2f:c9:fa:13:a3:3b:78:da:e4:a4:e8:2f:
                    aa:61:b1:1b:43:d3:e2:d0:a0:cb:6b:9e:55:36:d6:
                    f7:e2:44:51:6a:2f:b0:0a:e7:88:36:84:a1:aa:ee:
                    39:16:c9:93:03:75:11:56:69:f9:d7:35:0e:69:5d:
                    43:f6:24:6f:fc:c9:6a:26:92:07:6f:a0:f3:a2:03:
                    d3:dc:01:73:05:f2:7a:02:e6:bb:2a:53:22:52:c7:
                    ce:d7
                Exponent: 65537 (0x10001)
                No PSS parameter restrictions
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         1c:94:85:0f:61:1b:44:65:57:10:5e:07:e8:d6:58:4c:6c:b4:
         fa:86:b7:72:81:4f:ac:1c:b4:78:4f:f1:26:8d:44:0c:9b:98:
         ef:c4:fa:04:06:aa:73:3f:b3:08:b9:d1:fc:7e:2b:69:8d:9b:
         a3:03:14:7b:9f:cb:76:75:d4:e6:2c:3b:d0:b3:5a:a8:0d:2e:
         c4:27:fe:dc:35:28:87:6b:52:05:5a:68:46:3e:44:21:06:9c:
         77:0e:38:e8:ca:53:9c:5b:24:e6:38:7b:4e:b8:ab:7a:fa:2f:
         de:35:5f:f8:7b:bc:f5:dd:c4:cb:7a:c4:08:7c:14:74:6c:df:
         2d:6f:6b:da:ac:f3:d6:5c:98:86:fa:a2:95:74:8f:5b:91:5c:
         68:31:38:8a:47:6b:d7:78:f5:4e:5c:3b:02:1f:ae:9f:55:55:
         dd:2f:23:b5:49:cb:e9:fc:b3:98:ab:43:c8:3f:9b:96:59:b8:
         0e:72:b6:c9:4c:20:7c:3f:43:8b:4c:e3:69:8e:de:9c:eb:6f:
         8e:7a:1d:e1:a8:37:f6:ea:68:76:cd:92:46:0e:92:7f:af:47:
         cc:2a:27:d1:31:d0:2f:75:ea:9c:a6:14:86:ea:11:9d:f8:0e:
         c3:b0:84:c3:9f:b5:f7:60:ba:61:bc:0f:fb:3b:6a:98:1d:3f:
         91:d9:bd:01

But looking at the ASN.1 decoding, it looks like they are simply missing:

openssl asn1parse -in cert.pem
    0:d=0  hl=4 l= 730 cons: SEQUENCE
    4:d=1  hl=4 l= 450 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   2 prim: INTEGER           :03E8
   17:d=2  hl=2 l=  13 cons: SEQUENCE
   19:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   30:d=3  hl=2 l=   0 prim: NULL
   32:d=2  hl=2 l=  29 cons: SEQUENCE
   34:d=3  hl=2 l=  27 cons: SET
   36:d=4  hl=2 l=  25 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   43:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
   63:d=2  hl=2 l=  30 cons: SEQUENCE
   65:d=3  hl=2 l=  13 prim: UTCTIME           :170221150516Z
   80:d=3  hl=2 l=  13 prim: UTCTIME           :180221150516Z
   95:d=2  hl=2 l=  29 cons: SEQUENCE
   97:d=3  hl=2 l=  27 cons: SET
   99:d=4  hl=2 l=  25 cons: SEQUENCE
  101:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  106:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :RSA PSS Testing CA
  126:d=2  hl=4 l= 288 cons: SEQUENCE
  130:d=3  hl=2 l=  11 cons: SEQUENCE
  132:d=4  hl=2 l=   9 prim: OBJECT            :rsassaPss
  143:d=3  hl=4 l= 271 prim: BIT STRING
  418:d=2  hl=2 l=  38 cons: cont [ 3 ]
  420:d=3  hl=2 l=  36 cons: SEQUENCE
  422:d=4  hl=2 l=  18 cons: SEQUENCE
  424:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  429:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  432:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020100
  442:d=4  hl=2 l=  14 cons: SEQUENCE
  444:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  449:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  452:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020186
  458:d=1  hl=2 l=  13 cons: SEQUENCE
  460:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  471:d=2  hl=2 l=   0 prim: NULL
  473:d=1  hl=4 l= 257 prim: BIT STRING

openssl asn1parse -in cert.pem -strparse 143
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim[...]
  [...]:d=1  hl=2 l=   3 prim: INTEGER           :010001

Which is correct according to https://tools.ietf.org/html/rfc4055#section-3:

   When RSASSA-PSS is used in an AlgorithmIdentifier, the parameters MUST
   employ the RSASSA-PSS-params syntax.  The parameters may be either
   absent or present when used as subject public key information.
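As an added example (not code from this bug, from NSS or from OpenSSL), the checker below applies the RFC 4055 section 3 rule quoted above to a SubjectPublicKeyInfo: absent RSASSA-PSS-params are reported as "no restrictions", a present SEQUENCE yields the hash, MGF1 hash and salt length it pins (so a verifier can enforce them), and an explicit NULL, which is not a valid encoding for this algorithm, is rejected. It goes beyond the bug's case (absent parameters) by also decoding present ones. All function names, the DER builders and the tiny modulus are constructed for the example; the key is not a real RSA key.

```python
"""Report what the RSASSA-PSS params in a SubjectPublicKeyInfo pin down.

Added example, not NSS/OpenSSL code. Absent params are valid in an SPKI
(RFC 4055 section 3) and mean "no PSS parameter restrictions".
"""

OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
HASH_OID_BY_NAME = {name: oid for oid, name in HASH_OIDS.items()}


def read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(contents):
    """OID contents to dotted form (the first byte packs two arcs)."""
    arcs, n = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def hash_of(alg_id_contents):
    """Hash name from the contents of a hash AlgorithmIdentifier (OID first)."""
    _, oid, _ = read_tlv(alg_id_contents, 0)
    return HASH_OIDS[decode_oid(oid)]


def pss_restrictions(spki_der):
    """{"restricted": False} for absent params, else the pinned values."""
    _, spki, _ = read_tlv(spki_der, 0)            # SubjectPublicKeyInfo
    _, alg_id, _ = read_tlv(spki, 0)              # AlgorithmIdentifier
    tag, oid, pos = read_tlv(alg_id, 0)
    if tag != 0x06 or decode_oid(oid) != OID_RSASSA_PSS:
        raise ValueError("not an id-RSASSA-PSS public key")
    if pos >= len(alg_id):                        # parameters absent: allowed
        return {"restricted": False}
    tag, params, _ = read_tlv(alg_id, pos)
    if tag != 0x30:                               # NULL (0x05) or anything else
        raise ValueError("RSASSA-PSS params must be a SEQUENCE or absent")
    # RFC 4055 defaults apply to every field that is omitted.
    r = {"restricted": True, "hash": "sha1", "mgf1_hash": "sha1", "salt_length": 20}
    pos = 0
    while pos < len(params):
        tag, field, pos = read_tlv(params, pos)
        if tag == 0xA0:                           # [0] hashAlgorithm
            _, alg, _ = read_tlv(field, 0)
            r["hash"] = hash_of(alg)
        elif tag == 0xA1:                         # [1] maskGenAlgorithm
            _, mgf, _ = read_tlv(field, 0)
            _, mgf_oid, after = read_tlv(mgf, 0)
            if decode_oid(mgf_oid) != OID_MGF1:
                raise ValueError("only MGF1 is defined for RSASSA-PSS")
            _, mgf_hash_alg, _ = read_tlv(mgf, after)   # MGF1's own hash
            r["mgf1_hash"] = hash_of(mgf_hash_alg)
        elif tag == 0xA2:                         # [2] saltLength
            _, salt, _ = read_tlv(field, 0)
            r["salt_length"] = int.from_bytes(salt, "big")
        # [3] trailerField: only value 1 (0xBC) is defined, nothing to record
    return r


# --- DER builders for constructed inputs (short-form lengths suffice) -------

def der(tag, contents):
    assert len(contents) < 0x80, "constructed inputs stay below 128 bytes"
    return bytes([tag, len(contents)]) + contents


def oid_der(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                            # base-128, high bit = more
        chunk = bytearray([a & 0x7F])
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return der(0x06, bytes(body))


def make_pss_params(hash_name, salt_length):
    """RSASSA-PSS-params pinning one hash for both the digest and MGF1."""
    hash_alg = der(0x30, oid_der(HASH_OID_BY_NAME[hash_name]))
    mgf = der(0x30, oid_der(OID_MGF1) + hash_alg)
    return der(0x30, der(0xA0, hash_alg) + der(0xA1, mgf)
               + der(0xA2, der(0x02, bytes([salt_length]))))


def make_spki(params=b""):
    """SPKI with id-RSASSA-PSS and a tiny constructed (not real) RSA key."""
    alg_id = der(0x30, oid_der(OID_RSASSA_PSS) + params)
    rsa_key = der(0x30, der(0x02, b"\x00\xed\xb7\x3f\x87") + der(0x02, b"\x01\x00\x01"))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))
```

`pss_restrictions(make_spki())` returns `{"restricted": False}`, which is what certutil should have printed instead of "Invalid RSA-PSS parameters"; `pss_restrictions(make_spki(make_pss_params("sha256", 32)))` returns the pinned SHA-256/MGF1-SHA-256/salt 32 triple that a TLS stack must honour when it chooses a signature scheme for that key.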
Updated•7 years ago
  Status: UNCONFIRMED → NEW
  Ever confirmed: true
Comment 1•6 years ago
This should be fixed as part of bug 1400844:

$ certutil -L -d sql:nssdb/ -n rsaca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=RSA PSS Testing CA"
        Validity:
            Not Before: Thu Oct 26 16:02:17 2017
            Not After : Fri Oct 26 16:02:17 2018
        Subject: "CN=RSA PSS Testing CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
            RSA Public Key:
...

Note that it is no longer possible to create a certificate with empty RSA-PSS parameters and you will have to use an older NSS release to create a test certificate.
Depends on: 1400844
Comment 2•6 years ago (Reporter)
(In reply to Daiki Ueno [:ueno] from comment #1)
> Note that it is no longer possible to create a certificate with empty
> RSA-PSS parameters

But non-empty RSA-PSS parameters mean that the certificate can be used to create signatures only with the hash specified in the parameters (or SHA-1, if the hash is left as default). Given how much this complicates TLS signature algorithm negotiation, I don't think this is something we want to do...
Comment 3•6 years ago
Is there any other tool that has an ability to create a certificate with empty RSA-PSS parameters? I am sure GnuTLS (certtool) doesn't, as it even refuses to create an RSA-PSS certificate usable with SHA-1.
Comment 4•6 years ago (Reporter)
openssl does that by default
Comment 5•6 years ago
The new behavior of certutil is, if the -Z option is not specified, it determines a suitable hash algorithm according to the NIST 800-57 recommendation for the appropriate RSA key sizes: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

While empty RSA-PSS parameters allow the CA to use any hash algorithms, it also allows the use of weaker hash algorithms that could negate the security.
Comment 6•6 years ago (Reporter)
And for CA the RFC actually recommends to do that. But I'm talking about EE certificates.
Comment 7•6 years ago
Special casing based on whether the certificate is CA or EE would make the tool much more complicated.

Even if it is about EE certificates,

(In reply to Hubert Kario from comment #2)
> Given how much this complicates TLS signature algorithm negotiation,

I don't understand why this complicates TLS signature algorithm negotiation. Could you elaborate on that?
Comment 8•6 years ago (Reporter)
(In reply to Daiki Ueno [:ueno] from comment #7)
> Special casing based on whether the certificate is CA or EE would make the
> tool much more complicated.

then it's probably better to not add the restrictions in both cases

> (In reply to Hubert Kario from comment #2)
> > Given how much this complicates TLS signature algorithm negotiation,
>
> I don't understand why this complicates TLS signature algorithm negotiation.
> Could you elaborate on that?

A server has an RSA-PSS certificate with a limitation to SHA512.

Some IoT widget connects to it that has a hardware implementation of only SHA-256, because it doesn't have the silicon space or the energy budget for anything additional, so it correctly sends in Client Hello only signature algorithms with SHA-256.

The server cannot use the certificate for signing as it is limited to SHA512, so the connection has to be aborted.

Now, the server can have a second certificate (say, an ECDSA cert) and use it as a fallback. But then it needs to select a different ciphersuite and signature algorithm. ← this is the "complicates TLS signature algorithm negotiation"
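The negotiation failure described in comment 8, as an added example that is not part of the bug or of NSS: a toy TLS 1.3 signature-scheme chooser in which a certificate whose SPKI parameters pin SHA-512 cannot satisfy a client that offers only SHA-256 schemes, so the server either aborts or falls back to a second (ECDSA) certificate, while a certificate with absent parameters is usable with whatever hash the client offers. The SignatureScheme code points are those of RFC 8446 section 4.2.3; the ServerCert class, the certificate names and the preference policy (first match in the client's order) are assumptions made for the example.

```python
"""Toy TLS 1.3 signature-scheme selection against a server's certificate pool.

Added example, not NSS code. A certificate whose SubjectPublicKeyInfo carries
RSASSA-PSS-params may only sign with the hash those params pin; one with
absent params may sign with any hash the peer offers.
"""

# SignatureScheme code points, RFC 8446 section 4.2.3: (code, key type, hash).
SCHEMES = {
    "rsa_pss_pss_sha256": (0x0809, "rsa-pss", "sha256"),
    "rsa_pss_pss_sha384": (0x080A, "rsa-pss", "sha384"),
    "rsa_pss_pss_sha512": (0x080B, "rsa-pss", "sha512"),
    "ecdsa_secp256r1_sha256": (0x0403, "ecdsa-p256", "sha256"),
    "ecdsa_secp384r1_sha384": (0x0503, "ecdsa-p384", "sha384"),
}


class ServerCert:
    """A server certificate (hypothetical class). pss_hash is the hash pinned
    by the SPKI parameters, or None when the parameters are absent."""

    def __init__(self, name, key_type, pss_hash=None):
        self.name, self.key_type, self.pss_hash = name, key_type, pss_hash

    def can_sign_with(self, scheme):
        _, key_type, hash_name = SCHEMES[scheme]
        if key_type != self.key_type:
            return False
        if self.key_type == "rsa-pss" and self.pss_hash is not None:
            return hash_name == self.pss_hash      # pinned by the certificate
        return True


def select_scheme(client_schemes, server_certs):
    """Return (certificate name, scheme) for the first scheme in the client's
    signature_algorithms list that some server certificate can sign with, or
    None when the handshake has to be aborted."""
    for scheme in client_schemes:
        if scheme not in SCHEMES:
            continue                               # unknown to this server
        for cert in server_certs:
            if cert.can_sign_with(scheme):
                return cert.name, scheme
    return None


# Constructed scenario from comment 8: a client that only has SHA-256.
IOT_CLIENT = ["rsa_pss_pss_sha256", "ecdsa_secp256r1_sha256"]
PSS_SHA512_CERT = ServerCert("rsa-pss-pinned-sha512", "rsa-pss", pss_hash="sha512")
PSS_OPEN_CERT = ServerCert("rsa-pss-absent-params", "rsa-pss")
ECDSA_CERT = ServerCert("ecdsa-p256-fallback", "ecdsa-p256")


def pinned_cert_only():
    return select_scheme(IOT_CLIENT, [PSS_SHA512_CERT])     # None: abort


def pinned_cert_with_fallback():
    return select_scheme(IOT_CLIENT, [PSS_SHA512_CERT, ECDSA_CERT])


def unrestricted_cert():
    return select_scheme(IOT_CLIENT, [PSS_OPEN_CERT])
```

With only the SHA-512-pinned certificate the selection returns None and the handshake must be aborted; adding the ECDSA certificate makes the server switch key type (and, in TLS 1.2, cipher suite as well) to `ecdsa_secp256r1_sha256`; the certificate with absent parameters is picked for `rsa_pss_pss_sha256` directly.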
Updated•6 years ago
  Status: NEW → RESOLVED
  Closed: 6 years ago
  Resolution: --- → FIXED
  Target Milestone: --- → 3.34