Jason Fehr created IMPALA-14038:
-----------------------------------
Summary: RSASSA-PSS Signature Algorithm Not Supported
Key: IMPALA-14038
URL: https://issues.apache.org/jira/browse/IMPALA-14038
Project: IMPALA
Issue Type: Bug
Affects Versions: Impala 5.0.0
Reporter: Jason Fehr
If a certificate used in kRPC communication uses the signature algorithm
RSASSA-PSS, then communication will be blocked with the following error
reported:
{noformat}
negotiation.cc:311] Negotiation complete: Not implemented: Server connection
negotiation failed: server connection from ****: server certificate has no
signature digest (hash) algorithm
{noformat}
This error is generated in
[kudu/security/cert.cc](https://github.com/apache/impala/blob/cb496104d98e8cbd87acf25277f2648cffaac42a/be/src/kudu/security/cert.cc#L194).
The reason the error is thrown is the RSASSA-PSS algorithm does not
explicitly specify a hash algorithm. Instead, the hash algorithm is defined in
subfields within the signature block of the certificate.
For example, most signature algorithms look like this where the hash algorithm
(SHA384) is included:
{noformat}
Signature Algorithm: ecdsa-with-SHA384
{noformat}
But, a RSASSA-PSS signature algorithm looks like this (note the hash algorithm
is now in a subfield):
{noformat}
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 0x20
Trailer Field: 0xBC (default)
{noformat}
Since the hash algorithm is defined in a subfield, digest_nid is set to 0. The
solution is to take a different code path when the
[signature_nid](https://github.com/apache/impala/blob/cb496104d98e8cbd87acf25277f2648cffaac42a/be/src/kudu/security/cert.cc#L184C23-L184C36)
equals NID_rsassaPss.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
