Closed Bug 1415187 Opened 5 years ago Closed 5 years ago

certutil: Don't restrict RSA-PSS certificate to specific hash algorithm unless -Z is given

Categories

(NSS :: Tools, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ueno, Unassigned)

References

Details

Attachments

(1 file)

Currently, certutil always restricts the RSA-PSS parameters in subjectPublicKeyInfo to a specific hash algorithm, following the NIST 800-57 recommendation.  Although this is legitimate, it could make signature algorithm negotiation complicated.

The attached patch changes the default back to not restricting hash algorithm.
Attachment #8925956 - Flags: review?(kaie)
Attachment #8925956 - Flags: review?(hkario)
Comment on attachment 8925956 [details] [diff] [review]
certutil-pss-default.patch

Review of attachment 8925956 [details] [diff] [review]:
-----------------------------------------------------------------

So if I want to create a certificate signed with a specific algorithm, but that is not restricted to making signatures that use the same hashs, I should first create a CSR (without specifying the -Z option) and then sign the CSR (with specifying the -Z option). Is that correct?
Yes.
Attachment #8925956 - Flags: review?(hkario) → review+
(In reply to Daiki Ueno [:ueno] from comment #0)
> The attached patch changes the default back to not restricting hash
> algorithm.

IIUC, you made a change during the NSS 3.34 development cycle, as part of bug 1400844, and you have discovered that one change  could cause problems, and you would like to revert that change.

We should avoid shipping new behavior, if we know it can be problematic.

Because this is a change only to a tool, not library functionality, I think we can justify adding this fix for the NSS 3.34 release, despite the very late timing.
Attachment #8925956 - Flags: review?(kaie) → review+
Landed as:

trunk: https://hg.mozilla.org/projects/nss/rev/0e80229a75b5
3.34: https://hg.mozilla.org/projects/nss/rev/a16be5893246
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.34
You need to log in before you can comment on or make changes to this bug.