Hi! While working on adding RSASSA-PSS support to Go's crypto/tls library (TLS 1.2), I have noticed something that may cause interop problems later.
The current draft says the following about Server Certificate Selection (https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.4.2.2): - The certificate MUST allow the key to be used for signing (i.e., the digitalSignature bit MUST be set if the Key Usage extension is present) with a signature scheme indicated in the client's "signature_algorithms" extension. In TLS 1.2, the cipher suite was responsible for selecting the hash function and signature algorithm (e.g. for ServerKeyExchange) while "signature_algorithms" directed what certificate signatures are accepted. But in TLS 1.3, this also influences what algorithms can be used for signing handshake messages (CertificateVerify). This results in possible interop problem: while implementations advertise RSASSA-PSS support in "supported_algorithms" because they can indeed sign/verify handshake messages with said algorithm, they might not be able to accept certificates with a RSASSA-PSS signature (because the PKI library does not implement it for example). And because PSS certificates are non-existent now, it will only be discovered later. Some implementations I have checked wrt RSASSA-PSS support: - Go crypto/tls (TLS 1.2) - no RSASSA-PSS yet. - tls-tris (TLS 1.3) - accepts PSS for CV, but not certificates. - BoringSSL - failed, "bssl server" rejects cert. - OpenSSL - failed, s_server rejects cert. Related: https://github.com/openssl/openssl/issues/2878 - NSS - not checked, but I think it has the same problem as tls-tris. Related: https://bugzilla.mozilla.org/show_bug.cgi?id=158750 These implementations will require fixing, but at the moment it is just broken. Is this the expected behavior/intention? While RSASSA-PSS is quite well understood for handshake messages, its restrictions for certificates are not explicit. Currently the draft limits the salt length for handshake messages, but what about certs? What is needed for a TLS implementation to claim support for RSASSA-PSS? In particular, for certificates: - Limitations on salt length? - What AlgorithmIdentifier OID to use? - Whether to constrain other AlgorithmIdentifier Params? (MGF, hash algorithm, trailerField)? -- Kind regards, Peter Wu https://lekensteyn.nl _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
