Support PSS signed CRLs
Open, LowPublic

Description

Some CAs use rsaPSS to sign CRLs. GnuPG's X.509 code does not fully support this RSA signature scheme. In particular libksba can't parse such a CRL and returns the wrong error: Invalid Digest Algorithm.

An example for such a CRL is F717521 (which has no revoked items, though)

werner created this task.May 24 2019, 8:58 AM

Interesting tinge: The main CRL of the dgn.de CA uses a nextUpdate in the year 2034 (15 years in the future) which would force dirmngr to cache the CRL until then. However, the CRL of the intermediate certificate has a nextUpdate only one month in the future. There is currently no entry in that second level CRL, so their idea might be that an updated second level CRL will also trigger a reload of the main CRL. I have not checked how we implement that in Dirmngr but I doubt that such a thing will work for us and that it is in any way standard compliant.

To summarize: The DGN CRL uses a the RSA-PSS Padding / Signature Scheme. ( https://de.wikipedia.org/wiki/Probabilistic_Signature_Scheme )

Although the S/MIME standards allow this, this is not yet supported by GnuPG and also not evaluated for VS-NfD compliance. Dirmngr will reject such CRL's and due to our hard failure on CRL unavailability will not allow Certficates from such a CA be used if CRL checks are enforced.

werner lowered the priority of this task from Normal to Low.Mar 5 2020, 10:27 AM

It is actually questionable whether PSS is a better padding scheme than PKCS#1, see
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html . PSS seems indeed be rarely used; quoting Peter from a followup on his writeup: “If I get time over the weekend, and I can find a CMS message signed with RSA-PSS, I'll create a forgery using xor256.”

Thus I am not sure we whould at all implement this.

werner claimed this task.Wed, Apr 8, 8:37 PM

I started to work on it so that I can actually use the certificates on my new D-Trust card. This will be a verify-only implementation.

werner added a comment.Thu, Apr 9, 1:09 PM

Okay certificate and CRL checking does now work with rsaPSS. Need to work on data signatures and check the compliance modes.