In our new release of wolfSSL 4.3.0 we have added updates to RSA-PSS salt lengths. The macro WOLFSSL_PSS_SALT_LEN_DISCOVER value into wc_RsaPSS_Verify_ex() attempts to discover salt length and can use larger salt lengths.
RSA-PSS is a probabilistic signature scheme (PSS) with appendix. A signature scheme with appendix requires the message itself to verify the signature (i.e. the message is not recoverable from the signature). RSA-PSS is an adaptation of their work and is standardized as part of PKCS#1 v2.1. In general, RSA-PSS should be used as a replacement for RSA-PKCS#1 v1.5.
- hash algorithm/function. The default is SHA-1.
- mask generation function (MGF). Currently always MGF1.
- salt length. The default value is 20 but the convention is to use hLen, the length of the output of the hash function in bytes. A salt length of zero is permitted and will result in a deterministic signature value. The actual salt length used can be determined from the signature value.
- trailer field, used in the encoding operation. The default trailer field is the byte 0xbc. There are no options to change this value.
The default parameters for RSA-PSS are:
hashAlgorithm sha1, maskGenAlgorithm mgf1SHA1 (the function MGF1 with SHA-1) saltLength 20, trailerField trailerFieldBC (the byte 0xbc)
It is recommended that the MGF hash function be the same as the scheme hash algorithm/function, and that the salt length be hLen, the length of the output of the hash function.
For more information on RSA-PSS visit https://www.cryptosys.net/pki/manpki/pki_rsaschemes.html
We love you.