Page MenuHome GnuPG

Support PSS signed CRLs
Closed, ResolvedPublic


Some CAs use rsaPSS to sign CRLs. GnuPG's X.509 code does not fully support this RSA signature scheme. In particular libksba can't parse such a CRL and returns the wrong error: Invalid Digest Algorithm.

An example for such a CRL is F717521 (which has no revoked items, though)

Event Timeline

Interesting tinge: The main CRL of the CA uses a nextUpdate in the year 2034 (15 years in the future) which would force dirmngr to cache the CRL until then. However, the CRL of the intermediate certificate has a nextUpdate only one month in the future. There is currently no entry in that second level CRL, so their idea might be that an updated second level CRL will also trigger a reload of the main CRL. I have not checked how we implement that in Dirmngr but I doubt that such a thing will work for us and that it is in any way standard compliant.

To summarize: The DGN CRL uses a the RSA-PSS Padding / Signature Scheme. ( )

Although the S/MIME standards allow this, this is not yet supported by GnuPG and also not evaluated for VS-NfD compliance. Dirmngr will reject such CRL's and due to our hard failure on CRL unavailability will not allow Certficates from such a CA be used if CRL checks are enforced.

werner lowered the priority of this task from Normal to Low.Mar 5 2020, 10:27 AM

It is actually questionable whether PSS is a better padding scheme than PKCS#1, see . PSS seems indeed be rarely used; quoting Peter from a followup on his writeup: “If I get time over the weekend, and I can find a CMS message signed with RSA-PSS, I'll create a forgery using xor256.”

Thus I am not sure we whould at all implement this.

I started to work on it so that I can actually use the certificates on my new D-Trust card. This will be a verify-only implementation.

Okay certificate and CRL checking does now work with rsaPSS. Need to work on data signatures and check the compliance modes.

Data (ie.e CMS) signatures do now also work.