crypto/x509: can't verify signature on RSA-PSS certificate requests it created

[ycongal-smile]

What version of Go are you using (go version)?

 $ $GODIR/bin/go version
go version devel go1.17-1108cbe60b Thu May 6 02:21:55 2021 +0000 linux/amd64

(Freshly compiled from master)

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

 $ $GODIR/bin/go env |sed "s,$HOME,\$HOME,"
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="$HOME/.cache/go-build"
GOENV="$HOME/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="$HOME/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="$HOME/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="$HOME/Documents/projets/misc/bug_go_pss/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="$HOME/Documents/projets/misc/bug_go_pss/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="devel go1.17-1108cbe60b Thu May 6 02:21:55 2021 +0000"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="$HOME/Documents/projets/misc/bug_go_pss/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3149370505=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I created a RSA-PSS CertificateRequest and tried to check its signature.

Here is a simple test program : https://play.golang.org/p/TGNgUYvNH5o

It can also be reproduced with the tests from crypto/x509/x509_test.go :

From 6d9c39291cf2d3b6de10b0889d7d1baa72c81d93 Mon Sep 17 00:00:00 2001
From: Yoann Congal <yoann.congal@smile.fr>
Date: Thu, 6 May 2021 11:39:29 +0200
Subject: [PATCH] crypto/x509: add test for RSA-PSS CertificateRequest

---
 src/crypto/x509/x509_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 51dda16815..5314a99cf7 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -1390,6 +1390,7 @@ func TestCreateCertificateRequest(t *testing.T) {
 		sigAlgo SignatureAlgorithm
 	}{
 		{"RSA", testPrivateKey, SHA1WithRSA},
+		{"RSA-256-PSS", testPrivateKey, SHA256WithRSAPSS},
 		{"ECDSA-256", ecdsa256Priv, ECDSAWithSHA1},
 		{"ECDSA-384", ecdsa384Priv, ECDSAWithSHA1},
 		{"ECDSA-521", ecdsa521Priv, ECDSAWithSHA1},
-- 
2.20.1

What did you expect to see?

Program should display "OK" and the test should be OK.

What did you see instead?

Program panicked and test failed : csr.CheckSignature() returned an error instead of nil which would mean a verified signature.

[ycongal-smile]

I've tracked down the check that fail the verification :

go/src/crypto/rsa/pss.go

Line 132 in 04cd717

// 4. If the rightmost octet of EM does not have hexadecimal value

106 func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
.../...
132     // 4.  If the rightmost octet of EM does not have hexadecimal value
133     //     0xbc, output "inconsistent" and stop.
134     if em[emLen-1] != 0xbc {
135         return ErrVerification
136     }

[ycongal-smile]

I've checked the output of x509.CreateCertificateRequest against OpenSSL : It fails. So I bet that the bug is on the creation side.

 $ openssl req -verify -inform der < go_test.csr.der 
verify failure
139692742198400:error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid:../crypto/rsa/rsa_pss.c:88:
139692742198400:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:

EDIT : I've checked that a RSA-PSS CSR created by OpenSSL was correctly verified by csr.CheckSignature().

[ycongal-smile]

It seems that rsa.SignPKCS1v15() is called instead of rsa.SignPSS().

Here is the backtrace got by step through crypto/x509.CreateCertificateRequest :

0  0x00000000004f2a72 in crypto/rsa.SignPKCS1v15
   at ./go/src/crypto/rsa/pkcs1v15.go:231
1  0x00000000004f5b46 in crypto/rsa.(*PrivateKey).Sign
   at ./go/src/crypto/rsa/rsa.go:149
2  0x00000000005561d4 in crypto/x509.CreateCertificateRequest
   at ./go/src/crypto/x509/x509.go:2646

[ycongal-smile]

I found a fix (#46029). I just need to get the CLA signed (hence the draft status of the PR)

(EDIT Jul 9 2021 Oct 26 2021 Nov 23 2021 Mar 14 2022 Jun 27 2022 : the corporate CLA is still in the process of being signed. This is frustratingly long but we'll do it Jul 07 2022: Finally signed! 🎉)

[networkimprov]

cc @FiloSottile @katiehockman