search

wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License
318 stars 71 forks source link

Load Certificate signed with RSASSA PSS fails on Windows #43

Closed frennkie closed 2 years ago

frennkie commented 4 years ago

Loading a certificate which is signed using RSASSA PSS fails on Windows. It works using asn1crypto therefore I assume it's not a limitation of the Windows CNG API.

The following works on Linux but fails on Windows 10.

#!/usr/bin/env python3

from asn1crypto import pem, x509
from oscrypto import asymmetric

cert_string = ("""-----BEGIN CERTIFICATE-----
MIIDwzCCAnqgAwIBAgIUcLiHLd6kIhTmbL3akxJhqM5mbbUwPgYJKoZIhvcNAQEK
MDGgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQC
AgDeMBYxFDASBgNVBAMMC0NhcmxQU1MyMDQ4MCAXDTIwMDMyNDExMTIxNVoYDzIw
NjAwMzE0MTExMjE1WjAXMRUwEwYDVQQDDAxBbGljZVBTUzIwNDgwggEgMAsGCSqG
SIb3DQEBCgOCAQ8AMIIBCgKCAQEAwZK+biuFQF+z0IZML9BJOg2J8LbmouPojVwT
Qez11nyVPR+AFX5aak9r2yq7c+pfSN7Jdvka0zrOsEjvxZYVJQgzpWnAJzjHUHE+
PEmWpxI5pDOg1HmtlFOWkfrxqoX2iSwFXeEQ3MQ6xChWqfSbhzkkzSTHJGdUfSz0
YDMFX3Np0CG0yC/s7pqSErGq90fbkJfF+HIsxu1R79ps2YFY8ruBBzb8UOfZ1hEG
0PJVm13MmuJOZ7UkzpcVT2l9qbi/LHjpVgkBgOKlnOrtuLx5kXPX377BOYGiV6z6
CA/Edw50uaYbtK4XqHacxgvH7fH3yvW2Xf7zic7jl6b9DY89VQIDAQABo4GlMIGi
MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQYMBaAFDfreWjN
UnHTpWKSAJlidTs1P4LtMB0GA1UdDgQWBBQadw8m46Wp5npvvh4DvHRkWqJ9rjAj
BgNVHREEHDAagRhBbGljZVBTUzIwNDhAZXhhbXBsZS5jb20wHQYDVR0lBBYwFAYI
KwYBBQUHAwIGCCsGAQUFBwMEMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZIAWUDBAIB
oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3gOCAQEAwN0z12cT92zm
Vn0lRdbRCCl36iSO6g422wc5G42Rl2Akqj+lhqEmWKnidMWnniZHOHafds5ti58h
iQFax/Z1bJTOvFxzo7uz9DeWpmdKHT8buiwzPxSxdWXJNPKPDZCNAvvrocrSSeuh
cDzkJ3mWACziFQJhVpjm0XlVz4J6WQpCjxzs1GHKVKY4VOEWvpcuzPqYDwUYfTtk
joTiNcC8fWVKn9TQ6NZJ2lobDyku4bdZ1z9HZLJrRJ/EZoenGfS9HFvYQ+Nmt9zA
7JifAWknpoaxUQFmvNFE2WFkXIdxUCF+vGZ1GmSm6uodZJ3zoenKuFaJTRCd9tPa
GBauR4UtBA==
-----END CERTIFICATE-----
""")

print("Load using asn1crypto:")
_, _, der_bytes = pem.unarmor(cert_string.encode())
asn1_cert = x509.Certificate.load(der_bytes)
print(type(asn1_cert))

print("Load using oscrypto:")
oscrypto_cert = asymmetric.load_certificate(cert_string.encode())
print(type(oscrypto_cert))

Error:

Load using asn1crypto:
<class 'asn1crypto.x509.Certificate'>
Load using oscrypto:
Traceback (most recent call last):
  File "User/issue.py", line 37, in <module>
    oscrypto_cert = asymmetric.load_certificate(cert_string.encode())
  File "C:\Users\User\venv\lib\site-packages\oscrypto\_win\asymmetric.py", line 1542, in load_certificate
    return _load_key(certificate, Certificate)
  File "C:\Users\User\venv\lib\site-packages\oscrypto\_win\asymmetric.py", line 1622, in _load_key
    return _bcrypt_load_key(key_object, key_info, container, curve_name)
  File "C:\Users\User\venv\lib\site-packages\oscrypto\_win\asymmetric.py", line 1856, in _bcrypt_load_key
    }[alg_selector]
KeyError: 'rsassa_pss'
wbond commented 2 years ago

master (as of 3410fba1c8a39156def029eac9c7ff9f779832e6) has been updated with tests and fixes to ensure that RSASSA-PSS certs and keys can be used for signing and verification across all backends.

These fixes should make it in to version 1.3.0.