Added support for RSASSA_PSS (sha256-rsa-MGF1) #262

Open
wants to merge 5 commits into
base: master

jochen-jung

In my project I needed to sign with the http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 algorithm.

To support this, I added phpseclib/phpseclib which has the possibility to create RSA keys in this format.

@tvdijen
Contributor

tvdijen commented May 14, 2024

Doesn't openssl support this? I don't think it makes sense to pull in the entire phpseclib as a dependency just for this.

@tvdijen
Contributor

tvdijen commented May 14, 2024

tvdijen@a7ef849

This seems to work without the added dependency on phpseclib.

@ferienwohnung-pfaelzer-wald

Thanks for looking into it @tvdijen.

Unfortunately your code does not create a valid signature for me.

The reason I think is that it is missing the mask. openssl is only doing what my code is doing with

            $this->rsaPrivateKey->withHash('sha256');

It is however missing those two methods:

            $this->rsaPrivateKey->withMGFHash('sha256');
            $this->rsaPrivateKey->withPadding(RSA::SIGNATURE_PSS);

But if that is implementable with openssl, then I of course would favor this version without the added dependency. But I am not deep enough into the matter to know if that works with openssl as well.

@tvdijen
Contributor

tvdijen commented May 15, 2024

Can you share an example of the expected signature xml? I am away for a couple of days, but I can try next weekend

@jochen-jung
Author

I created the keys using these commands from https://crypto.stackexchange.com/q/110953:

# create private key in RSA format
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096

# create self-signed certificate with RSA-PSS signing algorithm from this private key
openssl req -x509 -new -key private_key.pem -out certificate.pem -days 3650 -sha256 \
    -sigopt rsa_padding_mode:pss \
    -sigopt rsa_pss_saltlen:32

# optionally create public key in RSA format from certificate
openssl x509 -pubkey -noout -in certificate.pem > public_key.pem

This is then the XML signed with those keys (using my solution):

<?xml version="1.0" encoding="UTF-8"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"/><ds:Reference URI="#pfx7d238ab8-e967-e77f-5c61-84c028225050"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>HW/oIFNuLHgZ/Xrruu4q2GczyUxXwOtJxs4BqNT0/2A=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>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</ds:SignatureValue>\n
<ds:KeyInfo><ds:X509Data><ds:X509SubjectName>O=Internet Widgits Pty Ltd,L=Kaiserslautern,ST=Some-State,C=DE</ds:X509SubjectName><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object Id="pfx7d238ab8-e967-e77f-5c61-84c028225050"/></ds:Signature>

Checking the signature on https://tools.chilkat.io/xmlDsigVerify.cshtml it says that it is valid.

Using your code the XML is:

<?xml version="1.0" encoding="UTF-8"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"/>
  <ds:Reference URI="#pfx381dab67-95f0-a42b-aaf8-c7c30d7cf772"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>iQUXSsDYJZcwby0sVepIvSSg8Xkf9S3Jo7VDqU8fcTg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue/>
<ds:KeyInfo><ds:X509Data><ds:X509SubjectName>O=Internet Widgits Pty Ltd,L=Kaiserslautern,ST=Some-State,C=DE</ds:X509SubjectName><ds:X509Certificate>MIIGBTCCA7mgAwIBAgIUDSe0QTZwA43YHLXeSdeb1cpqVJUwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMF4xCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApTb21lLVN0YXRlMRcwFQYDVQQHDA5LYWlzZXJzbGF1dGVybjEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTI0MDUxNTA3MDkxN1oXDTM0MDUxMzA3MDkxN1owXjELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxFzAVBgNVBAcMDkthaXNlcnNsYXV0ZXJuMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJMdQqj5en5KZjfGrCxcVs1+BuwH1NYnXt2zhxZOq/lpIcWSKh+o5ZPndlbxWshv7w6UUrdnz/JJiywA/XpRGU01kbxgTXE24tofxccpPAQe5jmMQSO/ocKnkSKi10R/JBoK5Py+0L20jfNMO5EZWkhfCHHp6hxHjSN8fievui2s/pkSpnouM/+tt3HgMXnpqNAnOGcyzSrNM91UZw2cio9tFSKUq4cHyPj4ioE0S4j4Kk0CSl62GtH4IPe/kaPdcjBTrWerMsY6SiCRdJj2uQprm5omANpU/yaW4uPeStxPaJLQEOsU4s9TdI1m6315anhor1IMtFQhvWo3qqpC1AigRsnLSoka49ndnPzR/+gIKpOf4HAJWAeF3humPV43CkAXpGCYuxsmWeO8nl0CWamhoFf64X8sFMpg7OQ22bBBUr9C7G21IqAisFLjI5dyuXsJC0eewDp6pxBJJl0+KojhP2Bbr3iogW+1nZMbkl7tIpM78P4gPVE+7A1eITBt+jyE1vuSnMquv6j6kmS2W/6/7mvRAdDCPPxZZl07De0TbRpVjCpuXwz3iDCWdg8SCo2vhqOaTfb+clBDUB7a01bPmHlUKsAVpRbQ7nWfjCyzjBFDXjn+/egtAzAPBbjBz4xpoa1+nTtWFHLLTXkSUKSu44fJ2hzdbrsjJ7rCnFVQIDAQABo1MwUTAdBgNVHQ4EFgQUSUwDdIC5nIATqBuxpkCZ4QSJ6uUwHwYDVR0jBBgwFoAUSUwDdIC5nIATqBuxpkCZ4QSJ6uUwDwYDVR0TAQH/BAUwAwEB/zBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggIBABaeceH5gxgIhym+2g3dYk2N/HKf/vCug/sfGD5qfulP3eY+nRl0A0rqukhA8LE7CcAL+JVnfjPK4tSRKrxI+tJlf6ZTijJPhWhS1X2i1lJ/VYJZHUN5/MAxsOVlTSLYPl0yGiecRV2+coxNUoiXNHt8s/bT54YnX3VA0E47aRfCV8+aSNdZCU+xWVWYjaK67eQSeJtiUe+pNwwwIqOfsQnpNSRxGuOj0gowZIa+b0IXJ89Uii4YNQFmQGLDI/iPLpUUaEQkTzN9yiFJUQrk/TXnFRyo9nV74nh1BlgXhcBfRVb0p8wOHlusOu4SYohR5Lap9MsHkDNA8iH0GxFxhyUw64hgB5I0ubDCXc01YJ+FGWzzwoPxdW43uWu+objNTP2yOWWt9pg9C4XVCIad7Gtd7wAxxMb/ORZ2mBsXfGAZElLdbteo/R3nad/C5eBusoCNhUOSx/HwSHxeL1SjWyz34Lgv
JJ/dgfUdNzoSSnY4KB9BHFQmLHB8Ej/LVbUF8hsE0WUxspelbrs6KPujbF7kmjvwAqLDF+MDwp2TAJCO1zQrLwm67W7kLFkW+rMAfEwILvCAygU6JMrRSqyGJAz+W2nCq8a7AFaTa95KmUs2W/jVOY3NVVIDFRrL8rcw9D+SdcZ6pLMT9gqBqrRoiNOV3DBtdIUFWy5ttdmNdjjX</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object Id="pfx381dab67-95f0-a42b-aaf8-c7c30d7cf772"></ds:Object></ds:Signature>

And checking that on https://tools.chilkat.io/xmlDsigVerify.cshtml it says that it is invalid.

@tvdijen
Contributor

tvdijen commented May 15, 2024

Ah right, so if I compare the two, the only difference is that my code produces an empty <SignatureValue>.. I must have missed something, but it seems to me that this should be fixable.

@tvdijen
Contributor

tvdijen commented May 15, 2024

I think I've already fixed it.. Can you try tvdijen@4e9c983 ?

I think the issue still exists.. From what I understand, PSS is just not supported in openssl..

@jochen-jung
Author

SignatureValue is now no longer empty. But still it is invalid.

This is the XML with your new code:

<?xml version="1.0" encoding="UTF-8"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"/>
  <ds:Reference URI="#pfxddb7c393-9632-d3e0-0605-9e03d7f8c11a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>F5ERIUROtwhr+Nqj2QHLfYxpjg/yzQgOu+d8mKi3qXI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>FG2PGFY65IjerhVhFygssIpYZVpjzEcgtB3A65UHyG6P9Qt7xjK+UIt4+KavLRrMJQhy53oliLuJQlYRB+TaF13KxPZ9ulXCA/iOFOl+aENCG2lIQNT0I+ZDMwihvy5KJ+KYIjAAS2FSjlDoDo6y8bowml54kxMTkC6RV2hG+1OtYD5/gXVNAucYAwhs/gwb0Mqw4bwo16gencY4ogFoY0aoW8m2B1NcFOp1ZCdftUrYQd6h5A1FKeVn29a1So/129b7qHjDFv9DOY7WsnZs27C6INTf7KToSqUs0ZKzggfim0rBFZ/Sn4/SfZTVTjieADv7pRdp6T/6DAoypUDjhqSIFuCm/CTmjwa3CgnI85YzZoe3jsoAatgb/fl/JkoDnH8AafCkraoJmZ4OcOHZlSl+nWTCWIRri49AYnW3EzSEPdPkoBrLtT9waZbGIta2prxIWinahwOR7IS0OHXcWeHDXHsdxrcIg+ml3jxwOufD7jeNfFrdurUykeM0ksLrvLq3eNbyZEZofNmu1IlZWeTjH1xyM3E515TgRmqu2bETzAQbUhgwzjogwQTaxgCtjPJ6oe2yiMVagNLHWyciR1LOcxGDHHQpnaiNaPqRiwY2inUXChgFkY7cbXgBklteueHNHv11N3LiFgjyFM8uPG6qukjKaYmxz0xAoxLiqDo=</ds:SignatureValue>\n
<ds:KeyInfo><ds:X509Data><ds:X509SubjectName>O=Internet Widgits Pty Ltd,ST=Some-State,C=AU</ds:X509SubjectName><ds:X509Certificate>MIIF0zCCA4egAwIBAgIUAT4xgNPYSFFlwlKzPodugR0Tle0wQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjQwNTE1MTEwNDM1WhcNMzQwNTEzMTEwNDM1WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnfy9BZKj9nTHAoapXCtsv/6KTNu43pV8PV8HxSvmldpVMytV4XudqdQvuve1pYH9L1zKezs0GQ5o/hpgfftc2B3p2kNAaKYRyhoKjZVKomwrjRcVkB96C+aB6QjoNXFNZFYWKOMS+kYTF+kic55jL8yJtVeTpz3hGNmm1Np1vqa6jptgc8dSDC5ig1WsWSrX6AgWTseSQwggp44bBG90lciiC0v/W8wBo1LDuUEBK5DE71ByQL4rtiw8UF4OFBsWs8Ge13PG4n2umSM0fu5CcD0Dld9ec/sLHUyP5zMd8i4FDYMVGJRwBVpBUv0fQ2/1LjrHT5Plgcw5OA6yG6RfFh/+cBQbRCT+U8TNftp893L5/fuVSH/n+c5TCWkzueMww/9awgM90hX1wukNSczKcQxvgF4am6Sv6y9XtO3+wQN9GMkKbChLkcD6yhHUatisnJcr8QT+MtG0Vx3sT1OEtnJuqraNlB7VcE8QUrRrV00iEQ1XeJK9ASJdB44sGjfcceDc4byFSbevz3s0qN6qQ9s4uJO0Rf0KniODgiEBQ/lHwRMFX8g2a8lE2Ms6XJOfMT5xw6MHvnXu/woz2T+lGWA4o/ugcc3ln6tzYgqhD7NJT1pOWPW3aUeEia59DHHpcX1AYoXwCa8892cEeC/KYsOuN55jX+lp74fcbGc6vCsCAwEAAaNTMFEwHQYDVR0OBBYEFAAvdHS4yMWYEB0ANJW8KELjd1c+MB8GA1UdIwQYMBaAFAAvdHS4yMWYEB0ANJW8KELjd1c+MA8GA1UdEwEB/wQFMAMBAf8wQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQANXSXIDUThJIxkwyNuLIdt12TFf5K+WoZ0dX8WOosVwt9AwsklM12AjcVecsEo5UUPSoMEK/jJCjooSz2T6IBQE89a9FEeiQRdIunfZlrUJdmMwRXJml4sVn/+qMmNSyyzHBG4ivcJJRWCGW/iV91jAx+/jf+qACTvH4fwfovs868uRBpSON6AKyWuoaTiCnmSop0PdlNc5HEUfoMfoRfTZxyaiEgbXXOgHZ8CXAqvelaSCSWxhPsrF7KHBgi/G9rloucuS6sewQ46GxKx0ozrsGmnHoTFCp87QKcXpAb468kuOwIreb9jTzZjeEMloJ+W9H73WYnGD9/gAjCsLgCH2cvq635zaWa9d/+oH7PXJXArmxlhkxfXUK49lXkBMzEFSA1M2PMpjNVGU1HfbKUhXiWDqABMzLOSCcFkPLpmoSpmPQAb0XT2WbjTBETwe0tT2M9Pzs2MZxMgtdy1Q1+uWlD92S9X5/Km3G+JGAGqbNe+Vl/yyOvWAUJqwbgADIwhEawbcCfUiNH/LVjHhbTW8feolST/aeYKrpnLDuHXIajE/
9CSpSfZjJ2u+Sh6/gGDlDCnXMI8INBbuiODbbbWYbTXZLzM0uUo4cyfqi9fU5GJ2xmSMwH9KwZBC7JrDGQP3Ilqz4OvrGMJ0MZnqskMuKWFEHJfCWKVNwxu6Eo9mg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object Id="pfxddb7c393-9632-d3e0-0605-9e03d7f8c11a"></ds:Object></ds:Signature>

According to https://www.openssl.org/docs/man3.3/man7/RSA-PSS.html :
"Signing and verification is similar to the RSA algorithm except the padding mode is always PSS"

How do we set this padding mode?

From the docs of openssl_public_encrypt():

 * @param int $padding [optional] <p>
 * <i>padding</i> can be one of
 * <b>OPENSSL_PKCS1_PADDING</b>,
 * <b>OPENSSL_SSLV23_PADDING</b>,
 * <b>OPENSSL_PKCS1_OAEP_PADDING</b>,
 * <b>OPENSSL_NO_PADDING</b>.

None of those are working. But they all do not seem to be PSS, right?

However openssl on the command line seems to support it:

 -pkeyopt rsa_padding_mode:pss

See: https://stackoverflow.com/a/44430091/351893

So how can the PSS padding mode be used in openssl_public_encrypt() ?
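The mismatch discussed in this thread, reproduced with the openssl command line (an added example, not part of the original conversation or of xmlseclibs): a signature made without PSS padding (PKCS#1 v1.5, the openssl default for RSA keys) is rejected by a verifier that expects RSASSA-PSS with SHA-256 and MGF1/SHA-256, while a PSS signature over the same bytes is accepted. The function names, the temporary files and the sample input are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration: throwaway 2048-bit key and constructed sample data,
# all kept in a temporary directory that is removed at the end.

pss_demo_setup() {
    PSS_DEMO_DIR=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PSS_DEMO_DIR/key.pem" 2>/dev/null || return 1
    openssl pkey -in "$PSS_DEMO_DIR/key.pem" -pubout \
        -out "$PSS_DEMO_DIR/pub.pem" 2>/dev/null || return 1
    # Stand-in for the canonicalized <ds:SignedInfo> bytes (constructed sample).
    printf '%s' '<ds:SignedInfo>constructed sample</ds:SignedInfo>' \
        > "$PSS_DEMO_DIR/signedinfo.bin"
}

# sign_pss OUTFILE: RSASSA-PSS, SHA-256 digest, MGF1 with SHA-256, 32-byte salt.
# rsa_padding_mode must come first; the other two options depend on it.
sign_pss() {
    openssl dgst -sha256 -sign "$PSS_DEMO_DIR/key.pem" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_mgf1_md:sha256 \
        -sigopt rsa_pss_saltlen:32 \
        -out "$1" "$PSS_DEMO_DIR/signedinfo.bin"
}

# sign_pkcs1 OUTFILE: no padding option given, so openssl uses PKCS#1 v1.5.
sign_pkcs1() {
    openssl dgst -sha256 -sign "$PSS_DEMO_DIR/key.pem" \
        -out "$1" "$PSS_DEMO_DIR/signedinfo.bin"
}

# verify_as_pss SIGFILE: check the signature the way a verifier for
# sha256-rsa-MGF1 would. Exit status 0 means valid, non-zero means invalid.
verify_as_pss() {
    openssl dgst -sha256 -verify "$PSS_DEMO_DIR/pub.pem" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_mgf1_md:sha256 \
        -sigopt rsa_pss_saltlen:32 \
        -signature "$1" "$PSS_DEMO_DIR/signedinfo.bin" >/dev/null 2>&1
}

pss_demo_cleanup() { rm -rf "$PSS_DEMO_DIR"; }

pss_demo_main() {
    pss_demo_setup || return 1
    sign_pss   "$PSS_DEMO_DIR/pss.sig"
    sign_pkcs1 "$PSS_DEMO_DIR/pkcs1.sig"
    verify_as_pss "$PSS_DEMO_DIR/pss.sig" \
        && echo "PSS signature: accepted by the PSS verifier"
    verify_as_pss "$PSS_DEMO_DIR/pkcs1.sig" \
        || echo "PKCS#1 v1.5 signature: rejected by the PSS verifier"
    pss_demo_cleanup
}

pss_demo_main
```

Because the PSS salt is random, two PSS signatures over the same input differ byte for byte, so a signature can only be checked by verifying it, not by comparing it with a reference value.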

@robrichards
Owner

robrichards commented May 15, 2024 via email

@jochen-jung
Author

I can pass 6 as the padding type. But it is still invalid.

Then I guess in addition we need what this code is doing:

$this->rsaPrivateKey->withMGFHash('sha256');

@tvdijen
Copy link
Contributor

tvdijen commented May 15, 2024

@robrichards I don't think the padding-option is used at all for signing.. We only pass it to the encryption/decryption methods. ext-openssl doesn't seem to support padding for signatures.

@redsunline

redsunline commented Aug 20, 2024

How were you able to create such an XML file structure? Where the object has an Id that is linked to the Reference and passes the Digest verification? And as far as I can see, the certificate is currently failing the verification.
I am currently facing the same problem with signing a document in the RSASSA-PSS format and cannot achieve a result that passes the verification. As soon as I link the reference to the object, I get a Digest error, and the signature itself fails the verification.

$objDSig = new XMLSecurityDSig();

$objDSig->addObject($dip,null,null);

$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);
$objDSig->addReference(
 $xmlDoc,
 XMLSecurityDSig::SHA256,
 array('http://www.w3.org/2000/09/xmldsig#enveloped-signature')
);

$objKey = new XMLSecurityKey(XMLSecurityKey::RSASSA_PSS, array('type'=>'private'));
$objKey->loadKey($this->primary_key, TRUE);
$objDSig->sign($objKey);
$objDSig->add509Cert(file_get_contents($this->certificate), true, false, ['subjectName'=>true]);
$objDSig->appendSignature($xmlDoc->documentElement);

@tvdijen
Contributor

tvdijen commented Aug 20, 2024

It's just not possible with ext-openssl.. There's an open feature request at PHP for many years, but nobody has even touched it.

@redsunline

redsunline commented Aug 20, 2024

It's just not possible with ext-openssl.. There's an open feature request at PHP for many years, but nobody has even touched it.

Yes, that's why I'm using the phpseclib library and jochen-jung's code. I've already realized that ext-openssl doesn't support this.
As it seemed to me, he managed to sign the XML document in this format using phpseclib.

@dx-bhesse

How were you able to create such an XML file structure?

Generating an enveloping signature seems to be possible by using the return value of addObject() as argument for addReference() instead of the document itself:

            $objectNode=$objDSig->addObject($xmlDocument->documentElement);
            $objDSig->addReference($objectNode,..

...and then the final signature with the object embedded can be fetched like this after calling sign() (and maybe also add509Cert()):

            $xml=$objDSig->sigNode->ownerDocument->saveXML($objDSig->sigNode);

(Although I don't know whether that would be the intended route)

https://github.com/robrichards/xmlseclibs/pull/262/files#diff-62c1d7e3f1633d58ab714af8e670493193a42f3f302cb5e662881dbe794eee92R374
What I noticed here: on the phpseclib version composer fetched here (v3.0.42), the functions withPadding/withHash/withMGFHash do not modify $this->rsaPrivateKey but return a modified copy instead, and I had to adjust that part to get a valid signature.

6 participants