Updates to RSA-PSS salt lengths

In our new release of wolfSSL 4.3.0 we have added updates to RSA-PSS salt lengths. The macro WOLFSSL_PSS_SALT_LEN_DISCOVER value into wc_RsaPSS_Verify_ex() attempts to discover salt length and can use larger salt lengths.

RSA-PSS is a probabilistic signature scheme (PSS) with appendix. A signature scheme with appendix requires the message itself to verify the signature (i.e. the message is not recoverable from the signature). RSA-PSS is an adaptation of their work and is standardized as part of PKCS#1 v2.1. In general, RSA-PSS should be used as a replacement for RSA-PKCS#1 v1.5.

RSA-PSS parameters

  • hash algorithm/function. The default is SHA-1.
  • mask generation function (MGF). Currently always MGF1.
  • salt length. The default value is 20 but the convention is to use hLen, the length of the output of the hash function in bytes. A salt length of zero is permitted and will result in a deterministic signature value. The actual salt length used can be determined from the signature value.
  • trailer field, used in the encoding operation. The default trailer field is the byte 0xbc. There are no options to change this value.

The default parameters for RSA-PSS are:

hashAlgorithm      sha1,
maskGenAlgorithm   mgf1SHA1 (the function MGF1 with SHA-1)
saltLength         20,
trailerField       trailerFieldBC (the byte 0xbc)

It is recommended that the MGF hash function be the same as the scheme hash algorithm/function, and that the salt length be hLen, the length of the output of the hash function.

For more information on RSA-PSS visit https://www.cryptosys.net/pki/manpki/pki_rsaschemes.html

For more information on wolfSSL updates, TLS 1.3, OCSP, FIPS 140-2, or for any additional questions, contact facts@wolfssl.com or support@wolfssl.com!

We love you.

Team wolfSSL