diff --git a/nss-3.124-allow-hash-override-pss.patch b/nss-3.124-allow-hash-override-pss.patch
index a63b4f1..9e5443a 100644
--- a/nss-3.124-allow-hash-override-pss.patch
+++ b/nss-3.124-allow-hash-override-pss.patch
@@ -3,10 +3,34 @@
 # Date 1781635239 25200
 # Tue Jun 16 11:40:39 2026 -0700
 # Branch NSS_3_124_BRANCH
-# Node ID 7cc6c51cdb9e8deaf246b87856517e0c1a21ffb3
+# Node ID c85110e0f7ba48ef44c9b535a9c3bccf78f8416d
 # Parent 4b0e3f33a2e76a77e36b435eb3cc1eb06f14249d
 nss-3.124-allow-hash-override-pss.patch
+diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
+--- a/cmd/certutil/certutil.c
++++ b/cmd/certutil/certutil.c
+@@ -228,16 +228,20 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
+ return SECFailure;
+ }
+
+ /* Change cert type to RSA-PSS, if desired. */
+ if (pssCertificate) {
+ /* force a PSS signature. We can do a PSS signature with an
+ * RSA key, this will force us to generate a PSS signature */
+ signAlgTag = SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
++ /* we are reusing an algorithm id, prevent the assert when we try
++ * to set the parameters of that algorithm id */
++ spki->algorithm.parameters.data = NULL;
++ spki->algorithm.parameters.len = 0;
+ /* override the SPKI algorithm id. */
+ rv = SEC_CreateSignatureAlgorithmID(arena, &spki->algorithm,
+ signAlgTag, hashAlgTag,
+ NULL, NULL, pubk);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_FALSE);
+ SECKEY_DestroySubjectPublicKeyInfo(spki);
+ SECU_PrintError(progName, "unable to set algorithm ID");
 diff --git a/gtests/cryptohi_gtest/cryptohi_unittest.cc b/gtests/cryptohi_gtest/cryptohi_unittest.cc
 --- a/gtests/cryptohi_gtest/cryptohi_unittest.cc
 +++ b/gtests/cryptohi_gtest/cryptohi_unittest.cc
@@ -162,6 +186,38 @@
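Review bot: The comment added in the `pssCertificate` branch of CertReq (certutil.c) says the reset is there to "prevent the assert" but names neither the precondition being satisfied nor who owns the buffer that is being dropped. Clearing `spki->algorithm.parameters.data` and `.len` by hand discards the old pointer without releasing it, which is only leak-free if that buffer lives in an arena freed together with `spki`; that is presumably the case but is not visible in this hunk. Once confirmed, I would extend the comment to something like `/* the target algorithm id must have empty parameters; the old buffer stays owned by spki's arena */`. CertReq's body starts and ends outside the hunk.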
diff --git a/gtests/cryptohi_gtest/cryptohi_unittest.cc b/gtests/cryptohi_gtest/ SEC_OID_SHA224, SEC_OID_SHA256, SEC_OID_SHA384, SEC_OID_SHA512), ::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1, +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -2876,21 +2876,23 @@ sec_DecodeRSAPSSParams(PLArenaPool *aren + SECKEYRSAPSSParams pssParams; + SECOidTag hashAlg; + SECOidTag maskHashAlg; + unsigned long saltLength; + unsigned long trailerField; + SECStatus rv; + + PORT_Memset(&pssParams, 0, sizeof(pssParams)); +- rv = SEC_QuickDERDecodeItem(arena, &pssParams, +- SECKEY_RSAPSSParamsTemplate, +- params); +- if (rv != SECSuccess) { +- return rv; ++ if (params && (params->len != 0)) { ++ rv = SEC_QuickDERDecodeItem(arena, &pssParams, ++ SECKEY_RSAPSSParamsTemplate, ++ params); ++ if (rv != SECSuccess) { ++ return rv; ++ } + } + + if (pssParams.hashAlg) { + hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg); + } else { + hashAlg = SEC_OID_SHA1; /* default, SHA-1 */ + } + diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c @@ -348,6 +404,44 @@ 
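Review bot: In sec_DecodeRSAPSSParams (seckey.c), skipping `SEC_QuickDERDecodeItem` when `params` is NULL or empty leaves `pssParams` zeroed, so the function now succeeds and falls through to the defaults, the visible one being `hashAlg = SEC_OID_SHA1`. That matches an SPKI whose absent parameters mean "no restriction", but if this helper is also reached while decoding a signature's AlgorithmIdentifier, a signature with missing PSS parameters would be evaluated as SHA-1 instead of being rejected, and RFC 4055 requires the parameters to be present there. Please confirm that every verification caller rejects the empty case before calling, and record the contract at the new guard, e.g. `/* empty params: defaults apply (SHA-1); signature-verification callers must reject this case first */`. The function body starts and ends outside the hunk.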
diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
 if (!hashAlgItem) {
 return NULL;
+@@ -1086,17 +1095,16 @@ SEC_CreateSignatureAlgorithmParameters(P
+ const SECItem *params,
+ const SECKEYPrivateKey *key)
+ {
+ PORT_SetError(0);
+ switch (signAlgTag) {
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+ return SEC_CreateRSAPSSParameters(arena, result,
+ hashAlgTag, params, key, NULL);
+-
+ default:
+ if (params == NULL)
+ return NULL;
+ if (result == NULL)
+ result = SECITEM_AllocItem(arena, NULL, 0);
+ if (result == NULL) {
+ return NULL;
+ }
+@@ -1112,16 +1120,19 @@ SEC_CreateVerifyAlgorithmParameters(PLAr
+ SECOidTag signAlgTag,
+ SECOidTag hashAlgTag,
+ const SECItem *params,
+ const SECKEYPublicKey *key)
+ {
+ PORT_SetError(0);
+ switch (signAlgTag) {
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
++ if ((hashAlgTag == SEC_OID_UNKNOWN) && ((params == NULL) || (params->len == 0))){
++ return NULL;
++ }
+ return SEC_CreateRSAPSSParameters(arena, result,
+ hashAlgTag, params, NULL, key);
+
+ default:
+ if (params == NULL)
+ return NULL;
+ if (result == NULL)
+ result = SECITEM_AllocItem(arena, NULL, 0);
 diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
 --- a/tests/cert/cert.sh
 +++ b/tests/cert/cert.sh
diff --git a/nss.spec b/nss.spec
index b6f5499..e248e40 100644
--- a/nss.spec
+++ b/nss.spec
@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 4
+%global baserelease 5
 %global nss_release %baserelease
 # release number between nss and nspr are different. This typically
 # happens with a new version of nss was release, but nspr was not updated
@@ -1199,6 +1199,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Mon Jun 22 2026 Bob Relyea - 3.124.0-5
+- fix pss issues (again)
+
 * Tue Jun 16 2026 Bob Relyea - 3.124.0-4
 - fix pkcs12 defaults
 - fix pss issues
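Review bot: The early return added to the `SEC_OID_PKCS1_RSA_PSS_SIGNATURE` case of SEC_CreateVerifyAlgorithmParameters (secsign.c) hands back NULL immediately after `PORT_SetError(0)`, so a caller sees NULL with no error code and cannot tell "nothing to encode" from a failure. If the case is an error, set a code before returning, e.g. `PORT_SetError(SEC_ERROR_INVALID_ARGS);`; if it means "no parameters", say so in a comment, because a PSS verifier then has neither a hash nor parameters to check the signature against. SEC_CreateSignatureAlgorithmParameters in the preceding hunk gets no matching guard, presumably because it can take the hash from the private key; a one-line comment would make that asymmetry deliberate. Minor style: `))){` lacks the space before the brace that `if (result == NULL) {` uses a few lines away. Both function bodies start and end outside their hunks.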