
Mbed TLS fails to parse a certificate containing a public key with type rsassaPss #10580

@PLAJ-se

Description

Summary

mbedtls_x509_crt_parse_file fails when the public key in a certificate is an RSASSA-PSS public key (OID 1.2.840.113549.1.1.10). The error is -0x3c80 (MBEDTLS_ERR_PK_UNKNOWN_PK_ALG).

System information

Mbed TLS version (number or commit id): 3.6.5
Operating system and version: Ubuntu 24.04
Configuration (if not default, please attach mbedtls_config.h): default configuration
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): gcc, RSASSA-PSS is enabled (#define MBEDTLS_X509_RSASSA_PSS_SUPPORT)

Expected behavior

mbedtls_x509_crt_parse_file succeeds to parse certificates containing an RSASSA-PSS key.

Actual behavior

mbedtls_x509_crt_parse_file fails with -0x3c80 (MBEDTLS_ERR_PK_UNKNOWN_PK_ALG).

Steps to reproduce

The simplest way I've found to generate a certificate containing an RSASSA-PSS key is to use a TPM2, and the openssl-tpm2 provider:

openssl genpkey -provider tpm2 -provider default -algorithm RSA-PSS -pkeyopt bits:2048 -pkeyopt digest:sha256 -out /tmp/tpm-rsapss.priv
openssl req -provider tpm2 -provider default -key /tmp/tpm-rsapss.priv -new -sha256 -subj '/CN=rsapss key' -out /tmp/tpm-rsapss.cert.pem -x509

Alternatively, the following certificate can be used:


The issue is demonstrated by the cert_app example program (programs/x509/cert_app):

$ cert_app mode=file filename=/tmp/tpm-rsapss.cert.pem
  . Loading the CA root certificate ... ok (1 skipped)

  . Loading the certificate(s) ... failed
  !  mbedtls_x509_crt_parse_file returned -15488

Additional information

To fix this, multiple changes seem to be necessary (but I'm not sure they're sufficient to manage all cases):

  • the rsassaPss key type must be added to oid_pk_alg[], e.g. with

    {
        OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS,          "rsassaPss",        "RSASSA-PSS"),
        MBEDTLS_PK_RSASSA_PSS,
    },
  • in pk_get_pk_alg, parameters should be parsed for RSASSA-PSS keys (or maybe simply ignored, since apart from the padding, they are not defined in mbedtls_rsa_context?)

  • in mbedtls_pk_info_from_type, the MBEDTLS_PK_RSASSA_PSS type should also be handled (possibly the same way as for MBEDTLS_PK_RSA)

  • in mbedtls_pk_parse_subpubkey, the MBEDTLS_PK_RSASSA_PSS type should be handled (possibly the same way as MBEDTLS_PK_RSA, with the exception of the padding)
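
To make concrete what "parsing the parameters" in pk_get_pk_alg would involve, here is an added example (not Mbed TLS code) that walks a SubjectPublicKeyInfo AlgorithmIdentifier, recognises rsassaPss by OID and decodes its RSASSA-PSS-params (RFC 4055), applying the defaults for absent fields and rejecting fields or hash OIDs it does not know rather than silently ignoring them. The sample bytes are constructed for this example (SHA-256, MGF1 with SHA-256, 32-byte salt); the HASH_* identifiers, the OID table and the function names are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
enum { HASH_UNKNOWN = 0, HASH_SHA1 = 1, HASH_SHA256 = 2 };   /* 0 = hash OID not recognised */
typedef struct { int hash, mgf1_hash; long salt_len, trailer; } pss_params;
static const uint8_t OID_RSASSA_PSS[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a};
static const uint8_t OID_MGF1[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08};
static const uint8_t OID_SHA256[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const uint8_t OID_SHA1[] = {0x2b,0x0e,0x03,0x02,0x1a};
#define OID_IS(v, l, oid) ((l) == sizeof(oid) && memcmp((v), (oid), (l)) == 0)

/* Short-form DER TLV reader: returns the value and sets *len, or NULL on a tag/length mismatch. */
static const uint8_t *tlv(const uint8_t *p, const uint8_t *end, uint8_t tag, size_t *len) {
    if (end - p < 2 || p[0] != tag || p[1] >= 0x80 || end - p - 2 < p[1]) return NULL;
    return *len = p[1], p + 2;
}
/* Hash OID inside a nested "SEQUENCE { OID, NULL }" AlgorithmIdentifier. */
static int hash_alg_id(const uint8_t *p, const uint8_t *end) {
    size_t l; const uint8_t *s = tlv(p, end, 0x30, &l), *oid;
    if (!s || !(oid = tlv(s, s + l, 0x06, &l))) return HASH_UNKNOWN;
    return OID_IS(oid, l, OID_SHA256) ? HASH_SHA256 : OID_IS(oid, l, OID_SHA1) ? HASH_SHA1 : HASH_UNKNOWN;
}
/* Parses a SubjectPublicKeyInfo AlgorithmIdentifier. Returns 1 only when the OID is rsassaPss
 * and its RSASSA-PSS-params (RFC 4055) are well formed and name hashes this code knows. */
int parse_pss_alg_id(const uint8_t *der, size_t n, pss_params *out) {
    size_t l, fl; const uint8_t *end = der + n, *p = tlv(der, end, 0x30, &l), *oid, *f, *fe, *v;
    if (!p) return 0; end = p + l;
    if (!(oid = tlv(p, end, 0x06, &l)) || !OID_IS(oid, l, OID_RSASSA_PSS)) return 0;
    *out = (pss_params){ HASH_SHA1, HASH_SHA1, 20, 1 };     /* RFC 4055 defaults for absent fields */
    if ((p = oid + l) == end) return 1;                     /* parameters omitted entirely */
    if (!(p = tlv(p, end, 0x30, &l))) return 0;             /* RSASSA-PSS-params SEQUENCE */
    for (end = p + l; p < end; p = fe) {                    /* fields are [0]..[3] EXPLICIT, in order */
        if (!(f = tlv(p, end, p[0], &fl))) return 0;
        fe = f + fl;
        switch (p[0]) {
        case 0xa0: out->hash = hash_alg_id(f, fe); break;   /* hashAlgorithm */
        case 0xa1:                                          /* maskGenAlgorithm: { id-mgf1, hash } */
            if (!(v = tlv(f, fe, 0x30, &l)) || !(oid = tlv(v, v + l, 0x06, &fl)) || !OID_IS(oid, fl, OID_MGF1)) return 0;
            out->mgf1_hash = hash_alg_id(oid + fl, v + l); break;
        case 0xa2: if (!(v = tlv(f, fe, 0x02, &fl)) || fl != 1) return 0; out->salt_len = v[0]; break; /* saltLength */
        case 0xa3: if (!(v = tlv(f, fe, 0x02, &fl)) || fl != 1) return 0; out->trailer = v[0]; break;  /* trailerField */
        default: return 0;                                  /* unknown field: reject, do not ignore */
        }
    }
    return out->hash != HASH_UNKNOWN && out->mgf1_hash != HASH_UNKNOWN;
}
/* Constructed sample: an rsassaPss AlgorithmIdentifier with SHA-256, MGF1/SHA-256 and a 32-byte salt. */
static const uint8_t SAMPLE_PSS_ALG_ID[] = { 0x30,0x41, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a, 0x30,0x34,
    0xa0,0x0f, 0x30,0x0d, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00,
    0xa1,0x1c, 0x30,0x1a, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, 0x30,0x0d, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00,
    0xa2,0x03, 0x02,0x01,0x20 };
```

Salt lengths are read as a single-byte INTEGER, which covers every SHA-2 digest size; an rsaEncryption identifier (OID 1.2.840.113549.1.1.1) is reported as "not rsassaPss" so a caller can route it to the plain RSA path.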

I've encountered this issue on v3.6.5, but it seems to also be applicable to the builtin driver of TF-PSA-Crypto v1.0.0.

There is a similar issue in x509write_csr_der_internal: the signature OID is systematically the PKCS#1 v1.5 one.
This is probably also the case in mbedtls_x509write_crt_der (and basically everywhere mbedtls_asn1_write_algorithm_identifier_ext is called).
