Some CAs use rsaPSS to sign CRLs. GnuPG's X.509 code does not fully support this RSA signature scheme. In particular libksba can't parse such a CRL and returns the wrong error: Invalid Digest Algorithm.
An example for such a CRL is F717521 (which has no revoked items, though)
| rK libksba | |||
| rK17a09f41fc4b Allow for Null hash algo parameters on rsaPSS and add pss flag. | |||
| rKe6e9858970ed Support rsaPSS also for CRLs. | |||
| rKf5695be600ab Add read-only support for rsaPSS. | |||
| rG GnuPG | |||
| rGc5ab1dcd543f gpgsm: Make rsaPSS a compliant scheme in de-vs mode. | |||
| rG5fe3cdfc7646 gpgsm: Make rsaPSS a compliant scheme in de-vs mode. | |||
| rGddc74f50d423 sm,dirmngr: Restrict allowed parameters used with rsaPSS. | |||
| rG24d563749f50 sm: Support rsaPSS verification also for CMS signatures. | |||
| rG8bf17eb94d0d dirmngr: Support rsaPSS also in the general validate module. | |||
| rG0626cc8fed34 sm,dirmngr: Support rsaPSS signature verification. | |||
| rGc0d5c673542b sm,dirmngr: Restrict allowed parameters used with rsaPSS. | |||
| rG6c28d9343ea6 sm: Support rsaPSS verification also for CMS signatures. | |||
| rGba34f1415366 dirmngr: Support rsaPSS also in the general validate module. | |||
| rGb45ab0ca08f8 sm,dirmngr: Support rsaPSS signature verification. | |||
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Resolved | • werner | T4538 Support PSS signed CRLs | ||
| Invalid | • aheinecke | T4523 Gpg4win: Multiple problems reported 05-2019 |
Interesting tinge: The main CRL of the dgn.de CA uses a nextUpdate in the year 2034 (15 years in the future) which would force dirmngr to cache the CRL until then. However, the CRL of the intermediate certificate has a nextUpdate only one month in the future. There is currently no entry in that second level CRL, so their idea might be that an updated second level CRL will also trigger a reload of the main CRL. I have not checked how we implement that in Dirmngr but I doubt that such a thing will work for us and that it is in any way standard compliant.
To summarize: The DGN CRL uses a the RSA-PSS Padding / Signature Scheme. ( https://de.wikipedia.org/wiki/Probabilistic_Signature_Scheme )
Although the S/MIME standards allow this, this is not yet supported by GnuPG and also not evaluated for VS-NfD compliance. Dirmngr will reject such CRL's and due to our hard failure on CRL unavailability will not allow Certficates from such a CA be used if CRL checks are enforced.
It is actually questionable whether PSS is a better padding scheme than PKCS#1, see
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html . PSS seems indeed be rarely used; quoting Peter from a followup on his writeup: “If I get time over the weekend, and I can find a CMS message signed with RSA-PSS, I'll create a forgery using xor256.”
Thus I am not sure we whould at all implement this.
I started to work on it so that I can actually use the certificates on my new D-Trust card. This will be a verify-only implementation.
Okay certificate and CRL checking does now work with rsaPSS. Need to work on data signatures and check the compliance modes.