From 23f6633e91ae27a0532b81abcf9ce3bb87b0446c Mon Sep 17 00:00:00 2001 From: Yoann Congal Date: Thu, 6 May 2021 11:39:29 +0200 Subject: [PATCH 1/2] crypto/x509: add test for RSA-PSS-SHA256 CertificateRequest Updates #45990 --- src/crypto/x509/x509_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index b1cdabba283066..de18aa56156852 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -1399,6 +1399,7 @@ func TestCreateCertificateRequest(t *testing.T) { sigAlgo SignatureAlgorithm }{ {"RSA", testPrivateKey, SHA256WithRSA}, + {"RSA-PSS-SHA256", testPrivateKey, SHA256WithRSAPSS}, {"ECDSA-256", ecdsa256Priv, ECDSAWithSHA256}, {"ECDSA-384", ecdsa384Priv, ECDSAWithSHA256}, {"ECDSA-521", ecdsa521Priv, ECDSAWithSHA256}, From 2914abc18c29ec38512c6226a934137786e6c077 Mon Sep 17 00:00:00 2001 From: Yoann Congal Date: Fri, 7 May 2021 00:01:27 +0200 Subject: [PATCH 2/2] crypto/x509: fix certificate request creation with RSA-PSS In case of a RSA-PSS algorithm, the hashFunc of CreateCertificateRequest is embedded in a rsa.PSSOptions struct. Given to key.Sign(), this will generate a proper RSA-PSS signature. Pasted from the RSA-PSS handling code in CreateCertificate() Fixes #45990 --- src/crypto/x509/x509.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go index 7c64761bd7603b..fcafb87c828fb5 100644 --- a/src/crypto/x509/x509.go +++ b/src/crypto/x509/x509.go @@ -2013,8 +2013,16 @@ func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv signed = h.Sum(nil) } + var signerOpts crypto.SignerOpts = hashFunc + if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() { + signerOpts = &rsa.PSSOptions{ + SaltLength: rsa.PSSSaltLengthEqualsHash, + Hash: hashFunc, + } + } + var signature []byte - signature, err = key.Sign(rand, signed, hashFunc) + signature, err = key.Sign(rand, signed, signerOpts) if err != nil { return }