Updates to RSA-PSS salt lengths

In our new release of wolfSSL 4.3.0 we have added updates to RSA-PSS salt lengths. Passing the macro value WOLFSSL_PSS_SALT_LEN_DISCOVER to wc_RsaPSS_Verify_ex() makes it attempt to discover the salt length, and it can use larger salt lengths.

RSA-PSS is a probabilistic signature scheme (PSS) with appendix. A signature scheme with appendix requires the message itself to verify the signature (i.e. the message is not recoverable from the signature). RSA-PSS is an adaptation of their work and is standardized as part of PKCS#1 v2.1. In general, RSA-PSS should be used as a replacement for RSA-PKCS#1 v1.5.

RSA-PSS parameters

Hash algorithm/function. The default is SHA-1.

Mask generation function (MGF). Currently always MGF1.

Salt length. The default value is 20 but the convention is to use hLen, the length of the output of the hash function in bytes. A salt length of zero is permitted and will result in a deterministic signature value. The actual salt length used can be determined from the signature value.

Trailer field, used in the encoding operation. The default trailer field is the byte 0xbc. There are no options to change this value.

The default parameters for RSA-PSS are: hashAlgorithm sha1; maskGenAlgorithm mgf1SHA1 (the function MGF1 with SHA-1); saltLength 20; trailerField trailerFieldBC (the byte 0xbc).

It is recommended that the MGF hash function be the same as the scheme hash algorithm/function, and that the salt length be hLen, the length of the output of the hash function.
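The following Python sketch is an added example, not wolfSSL code. It shows how a verifier can recover the salt length from the PSS-encoded message and why the salt length is bounded by the key and hash sizes. It assumes the RSA public-key operation has already turned the signature into the encoded message EM, and the function names pss_encode and pss_verify_discover are hypothetical.

```python
import hashlib, hmac

def mgf1(seed, length, hash_name):
    """MGF1: concatenate Hash(seed || 4-byte counter) and truncate."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, salt, hash_name="sha256"):
    """EMSA-PSS encoding: EM = maskedDB || H || 0xbc (trailer field)."""
    h_len, em_len = hashlib.new(hash_name).digest_size, (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("salt too long for this modulus and hash")
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db), hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def pss_verify_discover(msg, em, em_bits, hash_name="sha256"):
    """Check EM against msg; return the discovered salt length or None."""
    h_len, em_len = hashlib.new(hash_name).digest_size, (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < h_len + 2 or em[-1] != 0xBC:
        return None
    masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
    if masked[0] & ~top & 0xFF:
        return None
    db = bytearray(xor(masked, mgf1(h, len(masked), hash_name)))
    db[0] &= top
    # The salt is whatever follows the first non-zero byte, which must be 0x01.
    sep = next((i for i, b in enumerate(db) if b), None)
    if sep is None or db[sep] != 0x01:
        return None
    salt = bytes(db[sep + 1:])
    m_hash = hashlib.new(hash_name, msg).digest()
    expect = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return len(salt) if hmac.compare_digest(h, expect) else None

if __name__ == "__main__":
    for n in (0, 20, 32, 222):  # constructed salts; 222 = max for 2048-bit key, SHA-256
        em = pss_encode(b"constructed message", 2047, b"\xa5" * n)
        print(n, pss_verify_discover(b"constructed message", em, 2047))
```

Here em_bits is the modulus bit length minus one, so 2047 corresponds to a 2048-bit key. A verifier that must enforce a specific salt length compares the returned value against its policy instead of accepting any discovered length.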

For more information on RSA-PSS visit https://www.cryptosys.net/pki/manpki/pki_rsaschemes.html

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We love you.

Team wolfSSL