diff options
author | Yoann Congal <yoann.congal@smile.fr> | 2024-05-16 09:19:20 +0000 |
---|---|---|
committer | Gopher Robot <gobot@golang.org> | 2024-05-16 17:32:30 +0000 |
commit | 18104621ce742af7be8d5049bb9aee588b562950 (patch) | |
tree | a623e16fdb047a2191cfaf5501b603bc44d2d123 /src/crypto | |
parent | 6ed31e3c3e80999e3d1ab62dd49a680ef7ec3384 (diff) | |
download | go-18104621ce742af7be8d5049bb9aee588b562950.tar.gz go-18104621ce742af7be8d5049bb9aee588b562950.zip |
crypto/x509: fix certificate request creation with RSA-PSS
In case of a RSA-PSS algorithm, the hashFunc of CreateCertificateRequest
is embedded in a rsa.PSSOptions struct. Given to key.Sign(), this will
generate a proper RSA-PSS signature.
Pasted from the RSA-PSS handling code in CreateCertificate().
Fixes #45990
Fixes #65074
Change-Id: I8475afa79d8add107f092cc2871d38300e7b3903
GitHub-Last-Rev: 63fb0214c3b03a18e184562a9510145ea817bc20
GitHub-Pull-Request: golang/go#55153
Reviewed-on: https://go-review.googlesource.com/c/go/+/431916
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Alex Scheel <alex.scheel@hashicorp.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/x509/x509.go | 10 | ||||
-rw-r--r-- | src/crypto/x509/x509_test.go | 1 |
2 files changed, 10 insertions, 1 deletions
diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go index 3e26941573..47bb428110 100644 --- a/src/crypto/x509/x509.go +++ b/src/crypto/x509/x509.go @@ -2111,8 +2111,16 @@ func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv signed = h.Sum(nil) } + var signerOpts crypto.SignerOpts = hashFunc + if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() { + signerOpts = &rsa.PSSOptions{ + SaltLength: rsa.PSSSaltLengthEqualsHash, + Hash: hashFunc, + } + } + var signature []byte - signature, err = key.Sign(rand, signed, hashFunc) + signature, err = key.Sign(rand, signed, signerOpts) if err != nil { return } diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index a9dc145265..026367b167 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -1418,6 +1418,7 @@ func TestCreateCertificateRequest(t *testing.T) { sigAlgo SignatureAlgorithm }{ {"RSA", testPrivateKey, SHA256WithRSA}, + {"RSA-PSS-SHA256", testPrivateKey, SHA256WithRSAPSS}, {"ECDSA-256", ecdsa256Priv, ECDSAWithSHA256}, {"ECDSA-384", ecdsa384Priv, ECDSAWithSHA256}, {"ECDSA-521", ecdsa521Priv, ECDSAWithSHA256}, |