Resolves: RHEL-182305

- fix pss issues (again)
2026-06-22 13:13:33 -07:00 · 2026-06-22 13:13:33 -07:00 · df2fdcac40
commit df2fdcac40
parent d0f5c81f89
2 changed files with 99 additions and 2 deletions
--- a/nss-3.124-allow-hash-override-pss.patch
+++ b/nss-3.124-allow-hash-override-pss.patch
@ -3,10 +3,34 @@
 # Date 1781635239 25200
 #      Tue Jun 16 11:40:39 2026 -0700
 # Branch NSS_3_124_BRANCH
-# Node ID 7cc6c51cdb9e8deaf246b87856517e0c1a21ffb3
+# Node ID c85110e0f7ba48ef44c9b535a9c3bccf78f8416d
 # Parent  4b0e3f33a2e76a77e36b435eb3cc1eb06f14249d
 nss-3.124-allow-hash-override-pss.patch

+diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
+--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
+@@ -228,16 +228,20 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
+         return SECFailure;
+     }
+ 
+     /* Change cert type to RSA-PSS, if desired. */
+     if (pssCertificate) {
+         /* force a PSS signature. We can do a PSS signature with an
+          * RSA key, this will force us to generate a PSS signature */
+         signAlgTag = SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
+        /* we are reusing an algorithm id, prevent the assert when we try
+         * to set the parameters of that algorithm id */
+        spki->algorithm.parameters.data = NULL;
+        spki->algorithm.parameters.len = 0;
+         /* override the SPKI algorithm id. */
+         rv = SEC_CreateSignatureAlgorithmID(arena, &spki->algorithm,
+                                             signAlgTag, hashAlgTag,
+                                             NULL, NULL, pubk);
+         if (rv != SECSuccess) {
+             PORT_FreeArena(arena, PR_FALSE);
+             SECKEY_DestroySubjectPublicKeyInfo(spki);
+             SECU_PrintError(progName, "unable to set algorithm ID");
 diff --git a/gtests/cryptohi_gtest/cryptohi_unittest.cc b/gtests/cryptohi_gtest/cryptohi_unittest.cc
 --- a/gtests/cryptohi_gtest/cryptohi_unittest.cc
 +++ b/gtests/cryptohi_gtest/cryptohi_unittest.cc
@ -162,6 +186,38 @@ diff --git a/gtests/cryptohi_gtest/cryptohi_unittest.cc b/gtests/cryptohi_gtest/
                                          SEC_OID_SHA224, SEC_OID_SHA256,
                                          SEC_OID_SHA384, SEC_OID_SHA512),
                        ::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1,
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
+@@ -2876,21 +2876,23 @@ sec_DecodeRSAPSSParams(PLArenaPool *aren
+     SECKEYRSAPSSParams pssParams;
+     SECOidTag hashAlg;
+     SECOidTag maskHashAlg;
+     unsigned long saltLength;
+     unsigned long trailerField;
+     SECStatus rv;
+ 
+     PORT_Memset(&pssParams, 0, sizeof(pssParams));
+-    rv = SEC_QuickDERDecodeItem(arena, &pssParams,
+-                                SECKEY_RSAPSSParamsTemplate,
+-                                params);
+-    if (rv != SECSuccess) {
+-        return rv;
+    if (params && (params->len != 0)) {
+        rv = SEC_QuickDERDecodeItem(arena, &pssParams,
+                                    SECKEY_RSAPSSParamsTemplate,
+                                    params);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+     }
+ 
+     if (pssParams.hashAlg) {
+         hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg);
+     } else {
+         hashAlg = SEC_OID_SHA1; /* default, SHA-1 */
+     }
+ 
 diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
 --- a/lib/cryptohi/secsign.c
 +++ b/lib/cryptohi/secsign.c
@ -348,6 +404,44 @@ diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
                                              SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
             if (!hashAlgItem) {
                 return NULL;
+@@ -1086,17 +1095,16 @@ SEC_CreateSignatureAlgorithmParameters(P
+                                        const SECItem *params,
+                                        const SECKEYPrivateKey *key)
+ {
+     PORT_SetError(0);
+     switch (signAlgTag) {
+         case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+             return SEC_CreateRSAPSSParameters(arena, result,
+                                               hashAlgTag, params, key, NULL);
+-
+         default:
+             if (params == NULL)
+                 return NULL;
+             if (result == NULL)
+                 result = SECITEM_AllocItem(arena, NULL, 0);
+             if (result == NULL) {
+                 return NULL;
+             }
+@@ -1112,16 +1120,19 @@ SEC_CreateVerifyAlgorithmParameters(PLAr
+                                     SECOidTag signAlgTag,
+                                     SECOidTag hashAlgTag,
+                                     const SECItem *params,
+                                     const SECKEYPublicKey *key)
+ {
+     PORT_SetError(0);
+     switch (signAlgTag) {
+         case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+            if ((hashAlgTag == SEC_OID_UNKNOWN) && ((params == NULL) || (params->len == 0))){
+                return NULL;
+            }
+             return SEC_CreateRSAPSSParameters(arena, result,
+                                               hashAlgTag, params, NULL, key);
+ 
+         default:
+             if (params == NULL)
+                 return NULL;
+             if (result == NULL)
+                 result = SECITEM_AllocItem(arena, NULL, 0);
 diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
 --- a/tests/cert/cert.sh
 +++ b/tests/cert/cert.sh
--- a/nss.spec
+++ b/nss.spec
@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 4
+%global baserelease 5
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different. This typically
@ -1175,6 +1175,9 @@ fi


 %changelog
+* Mon Jun 22 2026 Bob Relyea <rrelyea@redhat.com> - 3.124.0-5
+- full fix to pss issues
+
 * Tue Jun 16 2026 Bob Relyea <rrelyea@redhat.com> - 3.124.0-4
 - fix pkcs12 defaults
 - fix pss issues