rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys

Add a testcase to the test_req covering the issue. Fixes #13957 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13967)
2025-03-19 19:50:42 +08:00 · 2021-01-26 11:39:27 +01:00 · 2021-01-26 11:39:27 +01:00 · a2a5506b93
commit a2a5506b93
parent e947a0642d
3 changed files with 68 additions and 6 deletions
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@ -312,18 +312,19 @@ static int rsa_get_params(void *key, OSSL_PARAM params[])
        return 0;

    /*
-     * For RSA-PSS keys, we ignore the default digest request
-     * TODO(3.0) with RSA-OAEP keys, this may need to be amended
+     * For restricted RSA-PSS keys, we ignore the default digest request.
+     * With RSA-OAEP keys, this may need to be amended.
     */
    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL
-        && rsa_type != RSA_FLAG_TYPE_RSASSAPSS) {
+        && (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
+            || ossl_rsa_pss_params_30_is_unrestricted(pss_params))) {
        if (!OSSL_PARAM_set_utf8_string(p, RSA_DEFAULT_MD))
            return 0;
    }

    /*
-     * For non-RSA-PSS keys, we ignore the mandatory digest request
-     * TODO(3.0) with RSA-OAEP keys, this may need to be amended
+     * For non-RSA-PSS keys, we ignore the mandatory digest request.
+     * With RSA-OAEP keys, this may need to be amended.
     */
    if ((p = OSSL_PARAM_locate(params,
                               OSSL_PKEY_PARAM_MANDATORY_DIGEST)) != NULL
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;

 setup("test_req");

-plan tests => 42;
+plan tests => 43;

 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));

@ -92,6 +92,39 @@ subtest "generating certificate requests with RSA" => sub {
    }
 };

+subtest "generating certificate requests with RSA-PSS" => sub {
+    plan tests => 4;
+
+    SKIP: {
+        skip "RSA is not supported by this OpenSSL build", 2
+            if disabled("rsa");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-new", "-out", "testreq-rsapss.pem", "-utf8",
+                    "-key", srctop_file("test", "testrsapss.pem")])),
+           "Generating request");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-verify", "-in", "testreq-rsapss.pem", "-noout"])),
+           "Verifying signature on request");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-new", "-out", "testreq-rsapss2.pem", "-utf8",
+                    "-sigopt", "rsa_padding_mode:pss",
+                    "-sigopt", "rsa_pss_saltlen:-1",
+                    "-key", srctop_file("test", "testrsapss.pem")])),
+           "Generating request");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
+           "Verifying signature on request");
+    }
+};
+
 subtest "generating certificate requests with DSA" => sub {
    plan tests => 2;

--- a/test/testrsapss.pem
+++ b/test/testrsapss.pem
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADALBgkqhkiG9w0BAQoEggSoMIIEpAIBAAKCAQEAzs95rRH49f5zZ1G9
+Cb/Ie5P5GfNto2etu2L90qrewOJKZ4CQ49D8QEKzjnFJhagj/i5MNdWHeTCrDAsQ
+jrbKS6ik/HY11yiB0wZ4ItXsfMQX+qIVp2X9BQFx/ID5nVCXrQcfMfcqFk19cv4N
+mgKgdeEZT9O5baSX2jKKsR8E/4+QilI9xBxzig+HJ2cG2clMkGZut5hiBwwWZ0+1
+v1v5ZbkUGwroGJqBsqzI8vTW+bT/VVlhCgdoAj6/p543tgBM439O1ZDDIxVZbadI
+uacwSwV2yBlSzDGExJwjisABwOZWNta4lQ5NI1ZEzA0I1+MPyyzvX0/1ZupgDtcq
+T5zWUwIDAQABAoIBAHm4Cvkd1tWRiQKKTSRrx+dT1Ay+BQ1jfBEJ1jIjdy83AGui
+c6Rh39VCbMOtUYRkzapQPXKB1lYxmrpf2MLmOnIFM/WS7WVQ5ff5msOF/MYB88sD
+kpMPp7dGfnwKvN8mC98+jdGukwrFWMxRUlgOq7o1Xdxp1Hz/npBBpvdQNnTiTpbq
+q8tanx2QRHqhc1+5hYik6OamK0D+Gp9Ver+UZSDf86yJro/fLDzkJlZb5tv11ggn
+nv2obfb9cMG/U+QQuWZ18wWrc3EjWDgy5BmUSprPdbJknyIhVhnTwpUQk+MXbx6K
+9RdlpxURXKnlkvL84cdtB6zBfFcNNPSe5si2HCECgYEA+Mb7mAoiZAzwUGKCTvHZ
+AKH2jBEjFA4ZSMqu+bZqLCv8xflbcTAb/b4zxU5PSZCONf0InrhVjqDoz6u/wPC4
+1Drvg8dRIvRoc207lWanMfriE6kj5QdspEARom/56x2ADPy9mRsWy8ZtENrw4LGh
+XaoKr1dvoC1lvAtB/O4RZhcCgYEA1NCT0mthIQkcwgvDXHDyF++/i38zRIbqtWrS
+18UzSk9kMIcP8euP7hesJnvT8ySFXOkmJ9RJd0N5Mc0XXxgT2k52goebw/3IUDIY
+8vuMkANZMjUp7hvXsqYVxWgPU8526rQtbzXTuqKK8mZ9Q03XJ5Mcd/tI80lUkAm3
+WSJhsyUCgYAIA2jRQepPrLcE79dgsZua0Jy/cEHgAIBB/v1Z381VtOkEe369i54r
+Mzg5r8cQCI78IDVp32gqGvbE0bRwg5CAjZFvfjkX1iWTKj6UFmVmT71+gqE8XFvc
+go/O2qqDL0UTpgR5bQzz7WVP+K1vn2kiOjrz4O4gi7XOM9KhUg3PawKBgQDQ7K+i
+jN5/AyYjbk7tqshRLYJbXZYkOVuknOm/AI847bYLWh0SQFM9yCmuYjSS6BCxRQa7
+ZVJ2blxFwvWl2spqsEryHFWUVMpZyMTrjn7RRyhC/SRb6SOZ9Ck9cspRWUkvY5GT
+M0HYYQiNroZdE8ccx/TT6XMVvLDy80b3j6RgrQKBgQCvKd8TNakeskEfjAnn4WLO
+0+I7oxkhth0i6eIUaXpqoVsZypAhXGC13V2Y5HyvIPNUSjsG2XafQOzZXHgGTixP
+YaYHAo9cWis8t21eTRrOMtnALqL59oVMFTbiy/dJhN4m0sxezzTVIpqBxTYzagbZ
+46EVSoOEYkU7U/TiD+HGHQ==
+-----END PRIVATE KEY-----