[
https://issues.apache.org/jira/browse/IMPALA-14038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joe McDonnell updated IMPALA-14038:
-----------------------------------
Component/s: Backend
> RSASSA-PSS Signature Algorithm Not Supported
> --------------------------------------------
>
> Key: IMPALA-14038
> URL: https://issues.apache.org/jira/browse/IMPALA-14038
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 5.0.0
> Reporter: Jason Fehr
> Assignee: Joe McDonnell
> Priority: Critical
> Fix For: Impala 5.0.0
>
>
> If a certificate used in kRPC communication uses the signature algorithm
> RSASSA-PSS, then communication will be blocked with the following error
> reported:
> {noformat}
> negotiation.cc:311] Negotiation complete: Not implemented: Server connection
> negotiation failed: server connection from ****: server certificate has no
> signature digest (hash) algorithm
> {noformat}
> This error is generated in
> [kudu/security/cert.cc|https://github.com/apache/impala/blob/cb496104d98e8cbd87acf25277f2648cffaac42a/be/src/kudu/security/cert.cc#L194].
> The reason the error is thrown is the RSASSA-PSS algorithm does not
> explicitly specify a hash algorithm. Instead, the hash algorithm is defined
> in subfields within the signature block of the certificate.
> For example, most signature algorithms look like this where the hash
> algorithm (SHA384) is included:
> {noformat}
> Signature Algorithm: ecdsa-with-SHA384
> {noformat}
> But, an RSASSA-PSS signature algorithm looks like this (note the hash
> algorithm is now in a subfield):
> {noformat}
> Signature Algorithm: rsassaPss
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0xBC (default)
> {noformat}
> Since the hash algorithm is defined in a subfield, digest_nid is set to 0.
> One possible solution is to use the
> [X509_digest_sig|https://github.com/openssl/openssl/commit/fccf3dcef42f12b0ac2b1ab8979125a2511dc271]
> function from OpenSSL
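
An added example, not part of the issue or of the Impala/Kudu code: a standard-library DER walk that resolves the digest of a certificate's signatureAlgorithm, showing why a lookup keyed on the algorithm OID alone finds nothing for rsassaPss and where the hash sits instead. The function names and the two hex inputs are constructed for illustration; the sha1 fallback is the RFC 4055 default for an omitted hashAlgorithm field.

```python
# Added example (not Impala/Kudu code); the DER inputs at the end are constructed.
RSASSA_PSS = "1.2.840.113549.1.1.10"
IMPLIED = {"1.2.840.10045.4.3.3": "sha384",     # ecdsa-with-SHA384
           "1.2.840.113549.1.1.11": "sha256"}   # sha256WithRSAEncryption
HASHES = {"2.16.840.1.101.3.4.2.1": "sha256", "2.16.840.1.101.3.4.2.2": "sha384",
          "2.16.840.1.101.3.4.2.3": "sha512"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted form of an OID body (assumes the second arc is below 40)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_digest(alg_id):
    """Digest name for a DER AlgorithmIdentifier; raises if it cannot be found."""
    _, seq, _ = read_tlv(alg_id)
    _, oid_body, pos = read_tlv(seq)
    oid = decode_oid(oid_body)
    if oid in IMPLIED:                      # digest is named by the OID itself
        return IMPLIED[oid]
    if oid != RSASSA_PSS:
        raise ValueError("no digest known for " + oid)
    tag, params, _ = read_tlv(seq, pos)     # RSASSA-PSS-params
    if tag != 0x30:
        raise ValueError("RSASSA-PSS parameters are not a SEQUENCE")
    if not params or params[0] != 0xA0:
        return "sha1"                       # RFC 4055 default when [0] is omitted
    _, wrapped, _ = read_tlv(params)        # [0] EXPLICIT hashAlgorithm
    _, hash_alg, _ = read_tlv(wrapped)      # inner AlgorithmIdentifier
    return HASHES[decode_oid(read_tlv(hash_alg)[1])]

ECDSA_SHA384 = bytes.fromhex("300a06082a8648ce3d040303")
PSS_SHA256 = bytes.fromhex("304106092a864886f70d01010a3034a00f300d06096086480165030402010500"
    "a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120")
```

A check that stops at the IMPLIED table reproduces the "no signature digest" outcome for PSS_SHA256; reading the [0] parameter yields sha256, matching the "Hash Algorithm" line in the certificate dump above.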