crypto/x509: can't verify signature on RSA-PSS certificate requests it created #45990

Open
ycongal-smile opened this issue May 6, 2021 · 5 comments · May be fixed by #46029

@ycongal-smile ycongal-smile commented May 6, 2021

What version of Go are you using (go version)?

 $ $GODIR/bin/go version
go version devel go1.17-1108cbe60b Thu May 6 02:21:55 2021 +0000 linux/amd64

(Freshly compiled from master)

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
 $ $GODIR/bin/go env |sed "s,$HOME,\$HOME,"
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="$HOME/.cache/go-build"
GOENV="$HOME/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="$HOME/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="$HOME/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="$HOME/Documents/projets/misc/bug_go_pss/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="$HOME/Documents/projets/misc/bug_go_pss/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="devel go1.17-1108cbe60b Thu May 6 02:21:55 2021 +0000"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="$HOME/Documents/projets/misc/bug_go_pss/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3149370505=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I created an RSA-PSS CertificateRequest and tried to check its signature.

Here is a simple test program: https://play.golang.org/p/TGNgUYvNH5o

It can also be reproduced with the tests from crypto/x509/x509_test.go:

From 6d9c39291cf2d3b6de10b0889d7d1baa72c81d93 Mon Sep 17 00:00:00 2001
From: Yoann Congal <yoann.congal@smile.fr>
Date: Thu, 6 May 2021 11:39:29 +0200
Subject: [PATCH] crypto/x509: add test for RSA-PSS CertificateRequest

---
 src/crypto/x509/x509_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 51dda16815..5314a99cf7 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -1390,6 +1390,7 @@ func TestCreateCertificateRequest(t *testing.T) {
 		sigAlgo SignatureAlgorithm
 	}{
 		{"RSA", testPrivateKey, SHA1WithRSA},
+		{"RSA-256-PSS", testPrivateKey, SHA256WithRSAPSS},
 		{"ECDSA-256", ecdsa256Priv, ECDSAWithSHA1},
 		{"ECDSA-384", ecdsa384Priv, ECDSAWithSHA1},
 		{"ECDSA-521", ecdsa521Priv, ECDSAWithSHA1},
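Review bot: the added RSA-256-PSS row is the only RSA-PSS case in this table, so SHA384WithRSAPSS and SHA512WithRSAPSS remain untested even though they reach the signer through the same path; consider adding rows for them where the test key is large enough for the hash. The commit message also has only a subject line: this case fails against the current CreateCertificateRequest, so either say that in the body and reference the issue, or fold the test into the fix commit so the tree never carries a failing test.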
-- 
2.20.1

What did you expect to see?

Program should display "OK" and the test should be OK.

What did you see instead?

The program panicked and the test failed: csr.CheckSignature() returned an error instead of nil, which would mean a verified signature.

@seankhliao seankhliao changed the title crypto/x509 can't verify signature on RSA-PSS certificate requests it created crypto/x509: can't verify signature on RSA-PSS certificate requests it created May 6, 2021

@ycongal-smile ycongal-smile commented May 6, 2021

I've tracked down the check that fails the verification:

func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
.../...
    // 4.  If the rightmost octet of EM does not have hexadecimal value
    //     0xbc, output "inconsistent" and stop.
    if em[emLen-1] != 0xbc {
        return ErrVerification
    }

@ycongal-smile ycongal-smile commented May 6, 2021

I've checked the output of x509.CreateCertificateRequest against OpenSSL: it fails. So I bet that the bug is on the creation side.

 $ openssl req -verify -inform der < go_test.csr.der 
verify failure
139692742198400:error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid:../crypto/rsa/rsa_pss.c:88:
139692742198400:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:

EDIT: I've checked that an RSA-PSS CSR created by OpenSSL was correctly verified by csr.CheckSignature().


@ycongal-smile ycongal-smile commented May 6, 2021

It seems that rsa.SignPKCS1v15() is called instead of rsa.SignPSS().

Here is the backtrace obtained by stepping through crypto/x509.CreateCertificateRequest:

0  0x00000000004f2a72 in crypto/rsa.SignPKCS1v15
   at ./go/src/crypto/rsa/pkcs1v15.go:231
1  0x00000000004f5b46 in crypto/rsa.(*PrivateKey).Sign
   at ./go/src/crypto/rsa/rsa.go:149
2  0x00000000005561d4 in crypto/x509.CreateCertificateRequest
   at ./go/src/crypto/x509/x509.go:2646
ycongal-smile added a commit to ycongal-smile/go that referenced this issue May 6, 2021
In case of an RSA-PSS algorithm, the hashFunc of CreateCertificateRequest
is embedded in a rsa.PSSOptions struct. Given to key.Sign(), this will
generate a proper RSA-PSS signature.

Pasted from the RSA-PSS handling code in CreateCertificate()

Fixes golang#45990
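
Added example, not part of the issue thread or of the Go source: it reproduces the mismatch the backtrace and the commit message describe, at the crypto.Signer level. Passing the bare hash as opts yields a PKCS#1 v1.5 signature whose encoded message does not end in 0xbc, while wrapping the hash in rsa.PSSOptions yields a signature that rsa.VerifyPSS accepts. The helper names signDigest, lastOctet and inspect, and the input string, are constructed for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// signDigest signs via crypto.Signer as CreateCertificateRequest does. With
// usePSS=false the bare hash is the opts, so Sign falls through to SignPKCS1v15.
func signDigest(key *rsa.PrivateKey, digest []byte, usePSS bool) ([]byte, error) {
	var opts crypto.SignerOpts = crypto.SHA256
	if usePSS {
		opts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	}
	return key.Sign(rand.Reader, digest, opts)
}

// lastOctet recovers the encoded message EM = sig^e mod n and returns its
// rightmost byte, the one emsaPSSVerify and OpenSSL compare against 0xbc.
func lastOctet(pub *rsa.PublicKey, sig []byte) byte {
	em := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N).Bytes()
	return em[len(em)-1]
}

// inspect signs digest and reports which verifier accepts the result.
func inspect(key *rsa.PrivateKey, digest []byte, usePSS bool) (pssOK, v15OK bool, last byte, err error) {
	sig, err := signDigest(key, digest, usePSS)
	if err != nil {
		return false, false, 0, err
	}
	pssOK = rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest, sig, nil) == nil
	v15OK = rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest, sig) == nil
	return pssOK, v15OK, lastOctet(&key.PublicKey, sig), nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed stand-in for the CSR bytes"))
	for _, usePSS := range []bool{false, true} {
		fmt.Println(inspect(key, digest[:], usePSS))
	}
}
```

In the PKCS#1 v1.5 case the last octet of EM is simply the last byte of the digest, which is why a verifier expecting PSS stops at the 0xbc trailer check.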

@ycongal-smile ycongal-smile commented May 6, 2021

I found a fix (#46029). I just need to get the CLA signed (hence the draft status of the PR).


@networkimprov networkimprov commented May 16, 2021
