crypto/x509: wrong crypto.SignerOpts provided to Sign() in case of PSS signature #65074
Description
Go version
go1.21.6 windows/amd64
Output of go env in your module/workspace:
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\foobar\AppData\Local\go-build
set GOENV=C:\Users\foobar\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\foobar\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\foobar\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.21.6
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\Users\foobar\DEV\golang\test\go.mod
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\msys64\tmp\go-build1733842517=/tmp/go-build -gno-record-gcc-switchesWhat did you do?
Create Certificate Signing Request with x509 package utilizing PSS signature:
template := x509.CertificateRequest{
Subject: subj,
SignatureAlgorithm: x509.SHA256WithRSAPSS,
}
csr, _ := x509.CreateCertificateRequest(rand.Reader, &template, privKey)
What did you see happen?
hashFunc is provided as parameter to Sign() function which wrongly leads to PKCS#1_v1.5 signature: https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L2114
What did you expect to see?
hashFunc embedded in rsa.PSSOptions{} struct to be provided as parameter to Sign() function which correctly leads to PSS signature, like already correctly done in x509.CreateCertificate() function: https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1689