Summary
KeyPairGenerator for RSASSA-PSS ignores the AlgorithmParameterSpec embedded in RSAKeyGenParameterSpec.getKeyParams() (Java 11+). The generated public key's getParams() returns null instead of the PSS parameters the key was generated with.
Expected behavior (per Java spec)
java.security.interfaces.RSAKey.getParams() (Java 11+) should return the PSSParameterSpec for RSASSA-PSS keys. This is how a verifier obtains the correct hash algorithm and salt length from the key, avoiding the need for out-of-band parameter negotiation.
Impact
The following idiomatic verification pattern fails with wolfJCE:
verifier.initVerify(pub);
verifier.setParameter(pub.getParams()); // returns null → hash never initialized
verifier.update(msg);
verifier.verify(sig); // throws "Parameters must be set before updating with RSASSA-PSS"
Additionally, Signature.initVerify(pub) cannot auto-initialize PSS parameters from the key, so callers must always call setParameter explicitly with externally-obtained params.
Fix
- In
WolfCryptKeyPairGenerator.initialize(), store RSAKeyGenParameterSpec.getKeyParams() when generating RSASSA-PSS keys.
- Wrap the generated public key so
getParams() returns the stored PSSParameterSpec.
- In
WolfCryptSignature.engineInitVerify(), if the padding is WC_RSA_PSS and the public key returns a PSSParameterSpec from getParams(), use it to initialize the digest automatically.
Discovered by
Wycheproof RsaPssTest.testSignVerifyWithParameters, testEncodeDecodePublic, testEncodeDecodePublicWithParameters.
Summary
KeyPairGeneratorforRSASSA-PSSignores theAlgorithmParameterSpecembedded inRSAKeyGenParameterSpec.getKeyParams()(Java 11+). The generated public key'sgetParams()returnsnullinstead of the PSS parameters the key was generated with.Expected behavior (per Java spec)
java.security.interfaces.RSAKey.getParams()(Java 11+) should return thePSSParameterSpecfor RSASSA-PSS keys. This is how a verifier obtains the correct hash algorithm and salt length from the key, avoiding the need for out-of-band parameter negotiation.Impact
The following idiomatic verification pattern fails with wolfJCE:
Additionally,
Signature.initVerify(pub)cannot auto-initialize PSS parameters from the key, so callers must always callsetParameterexplicitly with externally-obtained params.Fix
WolfCryptKeyPairGenerator.initialize(), storeRSAKeyGenParameterSpec.getKeyParams()when generating RSASSA-PSS keys.getParams()returns the storedPSSParameterSpec.WolfCryptSignature.engineInitVerify(), if the padding isWC_RSA_PSSand the public key returns aPSSParameterSpecfromgetParams(), use it to initialize the digest automatically.Discovered by
Wycheproof
RsaPssTest.testSignVerifyWithParameters,testEncodeDecodePublic,testEncodeDecodePublicWithParameters.