Support RSA PKCS#1 signatures with absent parameters

ctz · ctz · commit 16abda163f5a · 2025-05-07T15:14:06.000Z
RFC4055 says on sha256WithRSAEncryption and company:

&gt;   When any of these four object identifiers appears within an
&gt;   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
&gt;   MUST accept the parameters being absent as well as present.

The latter clause is implemented in this commit.

The algorithm identifiers live here rather than pki-types, as they
_must not_ be used to originate new certificates.  Putting them in
pki-types would mean they appear in a public API, whereas here they
are kept private and restricted to verifying existing signatures.
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,6 +34,7 @@ include = [
     "src/cert.rs",
     "src/crl/mod.rs",
     "src/crl/types.rs",
+    "src/data/",
     "src/der.rs",
     "src/end_entity.rs",
     "src/error.rs",
diff --git a/src/aws_lc_rs_algs.rs b/src/aws_lc_rs_algs.rs
@@ -124,6 +124,66 @@ pub static RSA_PKCS1_2048_8192_SHA512: &dyn SignatureVerificationAlgorithm = &Aw
     verification_alg: &signature::RSA_PKCS1_2048_8192_SHA512,
 };
 
+/// RSA PKCS#1 1.5 signatures using SHA-256 for keys of 2048-8192 bits,
+/// with illegally absent AlgorithmIdentifier parameters.
+///
+/// RFC4055 says on sha256WithRSAEncryption and company:
+///
+/// >   When any of these four object identifiers appears within an
+/// >   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
+/// >   MUST accept the parameters being absent as well as present.
+///
+/// This algorithm covers the absent case, [`RSA_PKCS1_2048_8192_SHA256`] covers
+/// the present case.
+pub static RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS: &dyn SignatureVerificationAlgorithm =
+    &AwsLcRsAlgorithm {
+        public_key_alg_id: alg_id::RSA_ENCRYPTION,
+        signature_alg_id: alg_id::AlgorithmIdentifier::from_slice(include_bytes!(
+            "data/alg-rsa-pkcs1-sha256-absent-params.der"
+        )),
+        verification_alg: &signature::RSA_PKCS1_2048_8192_SHA256,
+    };
+
+/// RSA PKCS#1 1.5 signatures using SHA-384 for keys of 2048-8192 bits,
+/// with illegally absent AlgorithmIdentifier parameters.
+///
+/// RFC4055 says on sha256WithRSAEncryption and company:
+///
+/// >   When any of these four object identifiers appears within an
+/// >   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
+/// >   MUST accept the parameters being absent as well as present.
+///
+/// This algorithm covers the absent case, [`RSA_PKCS1_2048_8192_SHA384`] covers
+/// the present case.
+pub static RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS: &dyn SignatureVerificationAlgorithm =
+    &AwsLcRsAlgorithm {
+        public_key_alg_id: alg_id::RSA_ENCRYPTION,
+        signature_alg_id: alg_id::AlgorithmIdentifier::from_slice(include_bytes!(
+            "data/alg-rsa-pkcs1-sha384-absent-params.der"
+        )),
+        verification_alg: &signature::RSA_PKCS1_2048_8192_SHA384,
+    };
+
+/// RSA PKCS#1 1.5 signatures using SHA-512 for keys of 2048-8192 bits,
+/// with illegally absent AlgorithmIdentifier parameters.
+///
+/// RFC4055 says on sha256WithRSAEncryption and company:
+///
+/// >   When any of these four object identifiers appears within an
+/// >   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
+/// >   MUST accept the parameters being absent as well as present.
+///
+/// This algorithm covers the absent case, [`RSA_PKCS1_2048_8192_SHA512`] covers
+/// the present case.
+pub static RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS: &dyn SignatureVerificationAlgorithm =
+    &AwsLcRsAlgorithm {
+        public_key_alg_id: alg_id::RSA_ENCRYPTION,
+        signature_alg_id: alg_id::AlgorithmIdentifier::from_slice(include_bytes!(
+            "data/alg-rsa-pkcs1-sha512-absent-params.der"
+        )),
+        verification_alg: &signature::RSA_PKCS1_2048_8192_SHA512,
+    };
+
 /// RSA PKCS#1 1.5 signatures using SHA-384 for keys of 3072-8192 bits.
 pub static RSA_PKCS1_3072_8192_SHA384: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
     public_key_alg_id: alg_id::RSA_ENCRYPTION,
diff --git a/src/data/alg-rsa-pkcs1-sha256-absent-params.der b/src/data/alg-rsa-pkcs1-sha256-absent-params.der
@@ -0,0 +1 @@
+	*�H��
diff --git a/src/data/alg-rsa-pkcs1-sha384-absent-params.der b/src/data/alg-rsa-pkcs1-sha384-absent-params.der
@@ -0,0 +1 @@
+	*�H��
diff --git a/src/data/alg-rsa-pkcs1-sha512-absent-params.der b/src/data/alg-rsa-pkcs1-sha512-absent-params.der
@@ -0,0 +1 @@
+	*�H��
diff --git a/src/lib.rs b/src/lib.rs
@@ -97,7 +97,9 @@ pub mod ring {
 
     #[cfg(feature = "alloc")]
     pub use super::ring_algs::{
-        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
+        RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
+        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
         RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
         RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     };
@@ -109,7 +111,9 @@ pub mod aws_lc_rs {
     pub use super::aws_lc_rs_algs::{
         ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
         ECDSA_P521_SHA256, ECDSA_P521_SHA384, ECDSA_P521_SHA512, ED25519,
-        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
+        RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
+        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
         RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
         RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     };
@@ -136,6 +140,12 @@ pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorit
     #[cfg(all(feature = "ring", feature = "alloc"))]
     ring::RSA_PKCS1_2048_8192_SHA512,
     #[cfg(all(feature = "ring", feature = "alloc"))]
+    ring::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
+    #[cfg(all(feature = "ring", feature = "alloc"))]
+    ring::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
+    #[cfg(all(feature = "ring", feature = "alloc"))]
+    ring::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
+    #[cfg(all(feature = "ring", feature = "alloc"))]
     ring::RSA_PKCS1_3072_8192_SHA384,
     #[cfg(all(feature = "ring", feature = "alloc"))]
     ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
@@ -166,6 +176,12 @@ pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorit
     #[cfg(feature = "aws-lc-rs")]
     aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
     #[cfg(feature = "aws-lc-rs")]
+    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
+    #[cfg(feature = "aws-lc-rs")]
+    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
+    #[cfg(feature = "aws-lc-rs")]
+    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
+    #[cfg(feature = "aws-lc-rs")]
     aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
     #[cfg(feature = "aws-lc-rs")]
     aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
diff --git a/src/ring_algs.rs b/src/ring_algs.rs
@@ -96,6 +96,69 @@ pub static RSA_PKCS1_2048_8192_SHA512: &dyn SignatureVerificationAlgorithm = &Ri
     verification_alg: &signature::RSA_PKCS1_2048_8192_SHA512,
 };
 
+/// RSA PKCS#1 1.5 signatures using SHA-256 for keys of 2048-8192 bits,
+/// with illegally absent AlgorithmIdentifier parameters.
+///
+/// RFC4055 says on sha256WithRSAEncryption and company:
+///
+/// >   When any of these four object identifiers appears within an
+/// >   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
+/// >   MUST accept the parameters being absent as well as present.
+///
+/// This algorithm covers the absent case, [`RSA_PKCS1_2048_8192_SHA256`] covers
+/// the present case.
+#[cfg(feature = "alloc")]
+pub static RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS: &dyn SignatureVerificationAlgorithm =
+    &RingAlgorithm {
+        public_key_alg_id: alg_id::RSA_ENCRYPTION,
+        signature_alg_id: alg_id::AlgorithmIdentifier::from_slice(include_bytes!(
+            "data/alg-rsa-pkcs1-sha256-absent-params.der"
+        )),
+        verification_alg: &signature::RSA_PKCS1_2048_8192_SHA256,
+    };
+
+/// RSA PKCS#1 1.5 signatures using SHA-384 for keys of 2048-8192 bits,
+/// with illegally absent AlgorithmIdentifier parameters.
+///
+/// RFC4055 says on sha256WithRSAEncryption and company:
+///
+/// >   When any of these four object identifiers appears within an
+/// >   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
+/// >   MUST accept the parameters being absent as well as present.
+///
+/// This algorithm covers the absent case, [`RSA_PKCS1_2048_8192_SHA384`] covers
+/// the present case.
+#[cfg(feature = "alloc")]
+pub static RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS: &dyn SignatureVerificationAlgorithm =
+    &RingAlgorithm {
+        public_key_alg_id: alg_id::RSA_ENCRYPTION,
+        signature_alg_id: alg_id::AlgorithmIdentifier::from_slice(include_bytes!(
+            "data/alg-rsa-pkcs1-sha384-absent-params.der"
+        )),
+        verification_alg: &signature::RSA_PKCS1_2048_8192_SHA384,
+    };
+
+/// RSA PKCS#1 1.5 signatures using SHA-512 for keys of 2048-8192 bits,
+/// with illegally absent AlgorithmIdentifier parameters.
+///
+/// RFC4055 says on sha256WithRSAEncryption and company:
+///
+/// >   When any of these four object identifiers appears within an
+/// >   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
+/// >   MUST accept the parameters being absent as well as present.
+///
+/// This algorithm covers the absent case, [`RSA_PKCS1_2048_8192_SHA512`] covers
+/// the present case.
+#[cfg(feature = "alloc")]
+pub static RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS: &dyn SignatureVerificationAlgorithm =
+    &RingAlgorithm {
+        public_key_alg_id: alg_id::RSA_ENCRYPTION,
+        signature_alg_id: alg_id::AlgorithmIdentifier::from_slice(include_bytes!(
+            "data/alg-rsa-pkcs1-sha512-absent-params.der"
+        )),
+        verification_alg: &signature::RSA_PKCS1_2048_8192_SHA512,
+    };
+
 /// RSA PKCS#1 1.5 signatures using SHA-384 for keys of 3072-8192 bits.
 #[cfg(feature = "alloc")]
 pub static RSA_PKCS1_3072_8192_SHA384: &dyn SignatureVerificationAlgorithm = &RingAlgorithm {
diff --git a/tests/integration.rs b/tests/integration.rs
@@ -48,6 +48,33 @@ fn netflix() {
     );
 }
 
+/// See also https://github.com/rustls/rustls/issues/2448
+#[test]
+fn sanofi_rsa_signature_with_absent_algorithm_params() {
+    let ee: &[u8] = include_bytes!("sanofi/ee.der");
+    let inter = CertificateDer::from(&include_bytes!("sanofi/inter.der")[..]);
+    let ca = CertificateDer::from(&include_bytes!("sanofi/ca.der")[..]);
+
+    let anchors = [anchor_from_trusted_cert(&ca).unwrap()];
+
+    let time = UnixTime::since_unix_epoch(Duration::from_secs(1_746_549_566)); // 2025-05-06T17:39:26Z
+
+    let ee = CertificateDer::from(ee);
+    let cert = webpki::EndEntityCert::try_from(&ee).unwrap();
+    assert!(
+        cert.verify_for_usage(
+            webpki::ALL_VERIFICATION_ALGS,
+            &anchors,
+            &[inter],
+            time,
+            KeyUsage::server_auth(),
+            None,
+            None,
+        )
+        .is_ok()
+    );
+}
+
 /* This is notable because it is a popular use of IP address subjectAltNames. */
 #[cfg(feature = "alloc")]
 #[test]
diff --git a/tests/sanofi/ca.der b/tests/sanofi/ca.der
diff --git a/tests/sanofi/ee.der b/tests/sanofi/ee.der
diff --git a/tests/sanofi/inter.der b/tests/sanofi/inter.der
