Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: wrong crypto.SignerOpts provided to Sign() in case of PSS signature #65074

Closed
phlipse opened this issue Jan 12, 2024 · 4 comments
Closed

crypto/x509: wrong crypto.SignerOpts provided to Sign() in case of PSS signature #65074

phlipse opened this issue Jan 12, 2024 · 4 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.23

Comments

@phlipse
Copy link

phlipse commented Jan 12, 2024

Go version

go1.21.6 windows/amd64

Output of go env in your module/workspace:

set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\foobar\AppData\Local\go-build
set GOENV=C:\Users\foobar\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\foobar\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\foobar\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.21.6
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\Users\foobar\DEV\golang\test\go.mod
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\msys64\tmp\go-build1733842517=/tmp/go-build -gno-record-gcc-switches

What did you do?

Create Certificate Signing Request with x509 package utilizing PSS signature:

template := x509.CertificateRequest{
    Subject:            subj,
    SignatureAlgorithm: x509.SHA256WithRSAPSS,
}
csr, _ := x509.CreateCertificateRequest(rand.Reader, &template, privKey)

What did you see happen?

hashFunc is provided as parameter to Sign() function which wrongly leads to PKCS#1_v1.5 signature: https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L2114

What did you expect to see?

hashFunc embedded in rsa.PSSOptions{} struct to be provided as parameter to Sign() function which correctly leads to PSS signature, like already correctly done in x509.CreateCertificate() function: https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1689
@phlipse phlipse changed the title crypto/x509: issue title crypto/x509: wrong crypto.SignerOpts provided to Sign() in case of PSS signature Jan 12, 2024
@callthingsoff callthingsoff mentioned this issue Jan 12, 2024
Closed
@gopherbot
Copy link

Change https://go.dev/cl/555595 mentions this issue: crypto/x509: provide correct crypto.SignerOpts to Sign()

@dmitshur
Copy link
Contributor

CC @golang/security.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 12, 2024
@dmitshur dmitshur added this to the Backlog milestone Jan 12, 2024
@ycongal-smile
Copy link
Contributor

This issue is a duplicate of #45990

@ycongal-smile ycongal-smile mentioned this issue Jan 15, 2024
Closed
@ycongal-smile ycongal-smile mentioned this issue Apr 21, 2024
Closed
@gopherbot
Copy link

Change https://go.dev/cl/431916 mentions this issue: crypto/x509: fix certificate request creation with RSA-PSS

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels May 16, 2024
@dmitshur dmitshur modified the milestones: Backlog, Go1.23 May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.23
4 participants
@dmitshur @phlipse @gopherbot @ycongal-smile