RSA-PSS verification: salt length hardcoded, should use RSA_PSS_SALT_LEN_DISCOVER #218

Description

@MarkAtwood

Summary

WolfCryptSignature.engineVerify() for RSASSA-PSS calls wc_RsaPSS_VerifyCheck with a fixed salt length derived from PSSParameterSpec.getSaltLength(). This fails when:

  • The verifier was initialized without explicit PSS parameters (salt length unknown)
  • The signer used a salt length that differs from the verifier's stored params

wolfSSL provides RSA_PSS_SALT_LEN_DISCOVER (-2) via wc_RsaPSS_Verify_ex + wc_RsaPSS_CheckPadding_ex to auto-detect the actual salt length from the signature structure. Invalid signatures are still correctly rejected.

JNI layer change needed

jni_rsa.c Java_com_wolfssl_wolfcrypt_Rsa_wc_1RsaPSS_1VerifyCheck currently calls wc_RsaPSS_VerifyCheck which does not accept RSA_PSS_SALT_LEN_DISCOVER. It needs to be split into wc_RsaPSS_Verify_ex + wc_RsaPSS_CheckPadding_ex so the salt-length discover mode can be passed through.

Java layer change

WolfCryptSignature.engineVerify() should pass Rsa.RSA_PSS_SALT_LEN_DISCOVER instead of the explicit salt length.

Discovered by

Wycheproof RsaPssTest.testSignVerifyWithParameters.
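
The following is an added example, not part of the original issue and not wolfSSL or wolfcrypt-jni code. It models only the EMSA-PSS padding check from RFC 8017 (SHA-256, no RSA operation) to show why a fixed salt length rejects a valid encoding while a discover mode recovers the salt from the position of the 0x01 separator. All function names and the sample message and salt are constructed for illustration.

```python
import hashlib, hmac

HLEN = 32  # SHA-256 digest size
SALT_LEN_DISCOVER = -2  # value the issue gives for RSA_PSS_SALT_LEN_DISCOVER

def mgf1(seed, n):
    """MGF1 with SHA-256 (RFC 8017, B.2.1)."""
    blocks = (hashlib.sha256(seed + c.to_bytes(4, "big")).digest() for c in range(-(-n // HLEN)))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, salt):
    """EMSA-PSS-ENCODE; the salt is passed in so the sample is reproducible."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: salt too long for this key size")
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"

def pss_verify(msg, em, em_bits, salt_len):
    """EMSA-PSS-VERIFY with either a fixed salt length or SALT_LEN_DISCOVER."""
    em_len = (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < HLEN + 2 or em[-1] != 0xBC or em[0] & ~top_mask & 0xFF:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top_mask
    if salt_len == SALT_LEN_DISCOVER:
        # Discover: the first nonzero byte of DB must be the 0x01 separator.
        sep = next((i for i, b in enumerate(db) if b), -1)
    else:
        # Fixed: the separator must sit exactly salt_len bytes from the end.
        sep = len(db) - salt_len - 1
        if sep < 0 or any(db[:sep]):
            return False
    if sep < 0 or db[sep] != 0x01:
        return False
    salt = bytes(db[sep + 1:])
    expected = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    return hmac.compare_digest(expected, h)  # hash check runs in every mode

# Constructed sample: the signer used a 20-byte salt on a 2048-bit key (emBits = 2047).
MSG, EM_BITS = b"constructed test message", 2047
EM = pss_encode(MSG, EM_BITS, bytes(range(20)))
```

With this sample, a verifier fixed to a 32-byte salt rejects `EM`, while the 20-byte and discover modes accept it; a modified message or encoding fails the final hash comparison in every mode.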
