golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/rsa: RSA-PSS PKCS1v15 should support SHA3 hashes (and others) #43923

Open shaunco opened 3 years ago

shaunco commented 3 years ago
$ go version
go version go1.15.5 linux/amd64

Does this issue reproduce with the latest release?

Yes

What did you do?

rsa.VerifyPKCS1v15(myPublicKey, crypto.SHA3_224, hashed, signature)

What did you expect to see?

A properly verified hash. pkcs1v15HashInfo() needs to calculate the ASN1 DER prefix for algorithms that aren't in the lookup table.

What did you see instead?

crypto/rsa: unsupported hash function

Additional notes

The current code has a table of precomputed ASN1 DER prefixes for 8 algorithms. All other algorithms get crypto/rsa: unsupported hash function, even though they are valid.

toothrot commented 3 years ago

/cc @FiloSottile

FiloSottile commented 3 years ago

It's a bit unclear to me why anyone would want to use legacy PKCS#1 v1.5 with SHA-3, but if there is a need I'd accept a PR to add the relevant ASN.1 prefixes.

shaunco commented 3 years ago

I too wish the originator of the signatures I'm dealing with had used PSS. I'll try to find some time to submit a PR so I can ditch the current workaround I put in place.

w3bb commented 3 years ago

Trying to reimplement a program, for some reason they use an SHA-3 hash in this way and it's broken for me.

@shaunco What's your workaround?

gopherbot commented 1 year ago

Change https://go.dev/cl/464695 mentions this issue: crypto: pkcs1v15 should support sha3 hashes and others

tristov-aurora commented 6 months ago

> It's a bit unclear to me why anyone would want to use legacy PKCS#1 v1.5 with SHA-3, but if there is a need I'd accept a PR to add the relevant ASN.1 prefixes.

Unfortunately, it's still used even in new hardware like ZynqMP FPGA -- RSA4096-SHA3-384 with pkcs#1v1.5 is the only scheme it supports; I suspect there's other hardware out there with similar settings. In those cases, no pkcs#1v1.5 with SHA3 support also means it's hard (not impossible) to use Vault transit keys for signing.