Verify of certificate chain using RSA-PSS keys fails starting with 1.1.1h #13931
Description
We have a two-level CA using RSA-PSS keys throughout. On a system with OpenSSL 1.1.1h verification of this CA's end-entity certificates fails with "lookup: unable to get local issuer certificate". The same certificate chain verifies OK with older releases up to and including 1.1.1g. OpenSSL 1.1.1i and 3.0.0-alpha1 also report the same error.
I can reproduce this issue with fresh builds of 1.1.1g and 1.1.1h on Linux using the following CONF files and commands:
# rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User
[ usr_cert ]
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA
$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Verify with OpenSSL 1.1.1g:
$ openssl version
OpenSSL 1.1.1g 21 Apr 2020
$ openssl verify -show_chain -CApath CA user1_cert.pem
user1_cert.pem: OK
Chain:
depth=0: C = DE, O = Test Org, CN = Test User (untrusted)
depth=1: C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
depth=2: C = DE, O = Test Org, CN = Test RSA PSS Root-CA
Verify with OpenSSL 1.1.1h:
$ openssl version
OpenSSL 1.1.1h 22 Sep 2020
$ openssl verify -show_chain -CApath CA user1_cert.pem
C = DE, O = Test Org, CN = Test User
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
If I generate the intermediate certificate with a plain RSA key instead of RSA-PSS then the error occurs one level higher:
$ openssl verify -show_chain -CApath CA user1_cert.pem
C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
error 2 at 1 depth lookup: unable to get issuer certificate
error user1_cert.pem: verification failed
Using plain RSA for both CA certificates the chain verifies OK with all OpenSSL versions.