openssl: Verify of certificate chain using RSA-PSS keys fails starting with 1.1.1h
We have a two-level CA using RSA-PSS keys throughout. On a system with OpenSSL 1.1.1h verification of this CA’s end-entity certificates fails with “lookup: unable to get local issuer certificate”. The same certificate chain verifies OK with older releases up to and including 1.1.1g. OpenSSL 1.1.1i and 3.0.0-alpha1 also report the same error.
I can reproduce this issue with fresh builds of 1.1.1g and 1.1.1h on Linux using the following CONF files and commands:
# rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User
[ usr_cert ]
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
$ mkdir -p CA
$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA
$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Verify with OpenSSL 1.1.1g:
$ openssl version
OpenSSL 1.1.1g 21 Apr 2020
$ openssl verify -show_chain -CApath CA user1_cert.pem
user1_cert.pem: OK
Chain:
depth=0: C = DE, O = Test Org, CN = Test User (untrusted)
depth=1: C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
depth=2: C = DE, O = Test Org, CN = Test RSA PSS Root-CA
Verify with OpenSSL 1.1.1h:
$ openssl version
OpenSSL 1.1.1h 22 Sep 2020
$ openssl verify -show_chain -CApath CA user1_cert.pem
C = DE, O = Test Org, CN = Test User
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
If I generate the intermediate certificate with a plain RSA key instead of RSA-PSS then the error occurs one level higher:
$ openssl verify -show_chain -CApath CA user1_cert.pem
C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
error 2 at 1 depth lookup: unable to get issuer certificate
error user1_cert.pem: verification failed
Using plain RSA for both CA certificates the chain verifies OK with all OpenSSL versions.
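A triage aid for the report above, added here as an example and not part of the original issue or of OpenSSL: it lists which certificates in a trust directory carry RSA-PSS keys or signatures, the combination this report concerns. It assumes the `Signature Algorithm:` and `Public Key Algorithm:` labels and the `rsassaPss` name printed by `openssl x509 -text`; the function names and the sample excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: report signature and public-key algorithm per certificate.

# Reads `openssl x509 -noout -text` output on stdin and prints
# "<signature algorithm> <public key algorithm>" (first occurrence of each).
cert_algs() {
    awk '
        /Signature Algorithm:/  && sig == "" { sig = $NF }
        /Public Key Algorithm:/ && key == "" { key = $NF }
        END {
            if (sig == "") sig = "unknown"
            if (key == "") key = "unknown"
            print sig, key
        }'
}

# Classifies one "<sig> <key>" pair by its use of RSA-PSS.
classify() {
    case "$1:$2" in
        rsassaPss:rsassaPss) echo "pss-signed,pss-key" ;;
        rsassaPss:*)         echo "pss-signed" ;;
        *:rsassaPss)         echo "pss-key" ;;
        *)                   echo "no-pss" ;;
    esac
}

# Constructed excerpt of text output for an RSA-PSS sub-CA (not real data).
sample_pss_cert() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
        Issuer: C = DE, O = Test Org, CN = Test RSA PSS Root-CA
        Subject: C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
EOF
}

# Hypothetical helper: scan every *.pem in a directory such as CA/.
scan_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        algs=$(openssl x509 -in "$f" -noout -text | cert_algs)
        # $algs is left unquoted on purpose so it splits into two fields
        echo "$f: $algs -> $(classify $algs)"
    done
}

if [ "$#" -gt 0 ]; then scan_dir "$1"; else sample_pss_cert | cert_algs; fi
```

Run with a directory argument (for example `CA`) to scan real certificates; without arguments it only processes the embedded sample.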
About this issue
- State: closed
- Created 3 years ago
- Comments: 17 (16 by maintainers)
Commits related to this issue
- check_sig_alg_match(): weaken sig nid comparison to base alg This (re-)allows RSA-PSS signers Fixes #13931 — committed to siemens/openssl by DDvO 3 years ago
- check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS This is an upstream fix for #13931 — committed to siemens/openssl by DDvO 3 years ago
- check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS This is an upstream fix for #13931 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/... — committed to openssl/openssl by DDvO 3 years ago
- check_sig_alg_match(): weaken sig nid comparison to base alg This (re-)allows RSA-PSS signers Fixes #13931 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openss... — committed to openssl/openssl by DDvO 3 years ago
- 111j (#288) * Prepare for 1.1.1j-dev Reviewed-by: Richard Levitte <levitte@openssl.org> * Fix typo in OPENSSL_malloc.pod CLA: trivial Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Re... — committed to open-quantum-safe/openssl by baentsch 3 years ago
- ossl111k merge (#298) * Prepare for 1.1.1j-dev Reviewed-by: Richard Levitte <levitte@openssl.org> * Fix typo in OPENSSL_malloc.pod CLA: trivial Reviewed-by: Tomas Mraz <tmraz@fedoraprojec... — committed to open-quantum-safe/openssl by baentsch 3 years ago
- Update to OpenSSL 1.1.1l (#330) * Prepare for 1.1.1j-dev Reviewed-by: Richard Levitte <levitte@openssl.org> * Fix typo in OPENSSL_malloc.pod CLA: trivial Reviewed-by: Tomas Mraz <tmraz@fe... — committed to open-quantum-safe/openssl by dstebila 3 years ago
- Merging OpenSSL 1.1.1m (#346) * Skip BOM when reading the config file Fixes #13840 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13857... — committed to open-quantum-safe/openssl by baentsch 3 years ago
I can recreate the same verify failure in master. So if this is confirmed as a bug (not yet clear that it is), then the fix will need to be made in master too.
Interestingly the steps for creating the chain given above fail on master at this stage:
Which looks like a different, independent problem.