golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/x509: RSA certs with PSS signatures cannot be verified #15958

Closed lwithers closed 7 years ago

lwithers commented 8 years ago

Attempting to verify an RSA certificate which has been signed using PSS will fail with an error x509: cannot verify signature: algorithm unimplemented.

This can be observed with this (self-signed) certificate, which can be validated with e.g. openssl verify -CAfile root.pem root.pem.

There is also a simple demonstration program at https://play.golang.org/p/bO_qiPmi9k

I have tried this with both:

go version go1.5.4 linux/amd64
go version go1.6 linux/amd64

on this machine:

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/lwithers/y/go"
GORACE=""
GOROOT="/opt/go"
GOTOOLDIR="/opt/go/pkg/tool/linux_amd64"
GO15VENDOREXPERIMENT=""
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"

quentinmit commented 8 years ago

/cc @agl @ianlancetaylor Should this go in 1.8? How important are RSA-PSS certificates? Are they used in the wild?

lwithers commented 8 years ago

I don't believe that any of the big-name certificate authorities are currently issuing RSA-PSS certificates, so they are likely to be quite uncommon in the wild.

However, there are some applications that use them. The certificate I attached is part of a list curated and published by the ICAO (International Civil Aviation Organisation) in what it calls the PKD (public key directory; see http://www.icao.int/security/mrtd/pages/ICAOPKD.aspx). These are basically the certificates used to verify the signatures in ePassports.

gopherbot commented 8 years ago

CL https://golang.org/cl/24743 mentions this issue.

lwithers commented 8 years ago

As requested in the CL, here is a set of test certificates, along with some tools to verify the signatures: RSA-PSS.tar.gz

agl commented 8 years ago

Thank you very much for the test set. I've updated the CL with the following changes:

  1. Either NULL or empty parameters are accepted.
  2. The salt length in the parameters is ignored and auto-detected.
  3. The salt length when signing is now fixed at 32 bytes.

With that, all the test certificates validate.
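
An added example, not code from this thread or from the CL: on a Go release that has x509.SHA256WithRSAPSS, it creates a constructed self-signed PSS certificate and runs the signature check this issue reported as unimplemented. It then uses crypto/rsa's PSSSaltLengthAuto to show what auto-detecting the salt length means for a verifier. The names checkPSSCert and run are hypothetical, and the certificate and signed bytes are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkPSSCert builds a constructed self-signed RSASSA-PSS cert and verifies it.
func checkPSSCert(key *rsa.PrivateKey) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed PSS root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, SignatureAlgorithm: x509.SHA256WithRSAPSS,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.CheckSignatureFrom(cert) // the check that failed in this issue
}

// run: cert check, then one 20-byte-salt signature verified with auto and fixed 32.
func run() (certErr, autoErr, fixedErr error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed to-be-signed bytes"))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], &rsa.PSSOptions{SaltLength: 20})
	if err != nil {
		panic(err)
	}
	verify := func(salt int) error {
		return rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], sig, &rsa.PSSOptions{SaltLength: salt})
	}
	return checkPSSCert(key), verify(rsa.PSSSaltLengthAuto), verify(32)
}

func main() { fmt.Println(run()) }
```

The first two results are nil; the third is a verification error, because a verifier pinned to a 32-byte salt rejects a signature made with a 20-byte salt.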