1
0
mirror of https://github.com/golang/go synced 2024-11-15 02:30:31 -07:00

crypto/x509: fix certificate request creation with RSA-PSS

In case of a RSA-PSS algorithm, the hashFunc of CreateCertificateRequest
is embedded in a rsa.PSSOptions struct. Given to key.Sign(), this will
generate a proper RSA-PSS signature.

Pasted from the RSA-PSS handling code in CreateCertificate().

Fixes #45990
Fixes #65074

Change-Id: I8475afa79d8add107f092cc2871d38300e7b3903
GitHub-Last-Rev: 63fb0214c3
GitHub-Pull-Request: golang/go#55153
Reviewed-on: https://go-review.googlesource.com/c/go/+/431916
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Alex Scheel <alex.scheel@hashicorp.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
This commit is contained in:
Yoann Congal 2024-05-16 09:19:20 +00:00 committed by Gopher Robot
parent 6ed31e3c3e
commit 18104621ce
2 changed files with 10 additions and 1 deletions

View File

@ -2111,8 +2111,16 @@ func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv
signed = h.Sum(nil)
}
var signerOpts crypto.SignerOpts = hashFunc
if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
signerOpts = &rsa.PSSOptions{
SaltLength: rsa.PSSSaltLengthEqualsHash,
Hash: hashFunc,
}
}
var signature []byte
signature, err = key.Sign(rand, signed, hashFunc)
signature, err = key.Sign(rand, signed, signerOpts)
if err != nil {
return
}

View File

@ -1418,6 +1418,7 @@ func TestCreateCertificateRequest(t *testing.T) {
sigAlgo SignatureAlgorithm
}{
{"RSA", testPrivateKey, SHA256WithRSA},
{"RSA-PSS-SHA256", testPrivateKey, SHA256WithRSAPSS},
{"ECDSA-256", ecdsa256Priv, ECDSAWithSHA256},
{"ECDSA-384", ecdsa384Priv, ECDSAWithSHA256},
{"ECDSA-521", ecdsa521Priv, ECDSAWithSHA256},