- Notifications
You must be signed in to change notification settings - Fork5.2k
[release/9.0-staging] fix: in rsa signatures, configure digest before padding mode#115695
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
jozkee merged 4 commits intorelease/9.0-stagingfrombackport/pr-114261-to-release/9.0-stagingJun 9, 2025
Merged
[release/9.0-staging] fix: in rsa signatures, configure digest before padding mode#115695
jozkee merged 4 commits intorelease/9.0-stagingfrombackport/pr-114261-to-release/9.0-stagingJun 9, 2025
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Contributor
Tagging subscribers to this area: @dotnet/area-system-security,@bartonjs,@vcsjones |
This was referencedMay 18, 2025
bartonjs approved these changesMay 20, 2025
397ee5f intorelease/9.0-staging 98 checks passed
Uh oh!
There was an error while loading.Please reload this page.
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
Backport of#114261 to release/9.0-staging
/cc@vcsjones@rcatolino
Customer Impact
This was originally reported by a customer in#114260, and a request to back ported it was made in#115693.
Customers using
RSA.SignHashwith RSASSA-PSS on Linux which is locked-down to FIPS are unable to use it because the configuration was done in such a way that confused the FIPS-only validation logic in OpenSSL. Customers have no work-arounds for this, other than do disable the FIPS enforcement on Linux.Regression
No. It's been like this since we moved off the managed implementation of PSS padding for Linux.
Testing
This was manually validated on an Ubuntu Pro installation that was FIPS enforced.
Risk
Low. The code that configures the signing context has only changed in the order in which it does the configuration. The area has strong unit test covered to ensure existing scenarios did not regress.
IMPORTANT: If this backport is for a servicing release, please verify that:
release/X.0-staging, notrelease/X.0.Package authoring no longer needed in .NET 9
IMPORTANT: Starting with .NET 9, you no longer need to edit a NuGet package's csproj to enable building and bump the version.
Keep in mind that we still need package authoring in .NET 8 and older versions.