Merge pull request #436 from lukpueh/fix-pss-salt-len

Revert to digest sized salts in rsassa-pss signing
secure-systems-lab · Oct 14, 2022 · 5d0f478 · 5d0f478
2 parents 50ea697 + de3d1e5
commit 5d0f478
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 14 deletions.
diff --git a/securesystemslib/rsa_keys.py b/securesystemslib/rsa_keys.py
@@ -326,11 +326,10 @@ def create_rsa_signature(private_key, data, scheme='rsassa-pss-sha256'):
     if scheme.startswith('rsassa-pss'):
       # Generate an RSSA-PSS signature.  Raise
       # 'securesystemslib.exceptions.CryptoError' for any of the expected
-      # exceptions raised by pyca/cryptography. 'salt_length' is set to
-      # the maximum length available.
+      # exceptions raised by pyca/cryptography.
       signature = private_key_object.sign(
           data, padding.PSS(mgf=padding.MGF1(digest_obj.algorithm),
-          salt_length=padding.PSS.MAX_LENGTH), digest_obj.algorithm)
+          salt_length=padding.PSS.DIGEST_LENGTH), digest_obj.algorithm)
 
     elif scheme.startswith('rsa-pkcs1v15'):
       # Generate an RSA-PKCS1v15 signature.  Raise

diff --git a/tests/test_rsa_keys.py b/tests/test_rsa_keys.py
@@ -157,26 +157,30 @@ def test_verify_rsa_signature(self):
           scheme, public_rsa, data))
 
 
-  def test_verify_rsa_pss_sha256(self):
+  def test_verify_rsa_pss_different_salt_lengths(self):
     rsa_scheme = 'rsassa-pss-sha256'
-    data = 'The ancients say the longer the salt, the more provable the security'.encode('utf-8')
+    data = 'The ancients say, salt length does not matter that much'.encode('utf-8')
 
     private_key = load_pem_private_key(private_rsa.encode('utf-8'),
         password=None, backend=default_backend())
     digest = securesystemslib.hash.digest_from_rsa_scheme(rsa_scheme, 'pyca_crypto')
 
-    # Old-style signature: use the hash length as the salt length.
-    old_signature = private_key.sign(data,
-      padding.PSS(mgf=padding.MGF1(digest.algorithm), salt_length=padding.PSS.DIGEST_LENGTH),
-      digest.algorithm)
+    # Make sure digest size and max salt length are not accidentally the same
+    self.assertNotEqual(digest.algorithm.digest_size,
+        padding.calculate_max_pss_salt_length(private_key, digest.algorithm))
 
-    # New-style signature: use the automatic salt length.
-    new_signature, _ = securesystemslib.rsa_keys.create_rsa_signature(private_rsa, data)
+    # Sign with max salt length (briefly available in sslib v0.24.0):
+    max_salt_sig = private_key.sign(data,
+        padding.PSS(mgf=padding.MGF1(digest.algorithm), salt_length=padding.PSS.MAX_LENGTH),
+        digest.algorithm)
 
-    # Verify both old-style and new-style signatures.
-    for signature in (old_signature, new_signature):
+    # Sign with salt length == digest length
+    fix_salt_sig, _ = securesystemslib.rsa_keys.create_rsa_signature(private_rsa, data)
+
+    # Verification infers salt length automatically and so works for both
+    for signature in (max_salt_sig, fix_salt_sig):
       verified = securesystemslib.rsa_keys.verify_rsa_signature(signature, rsa_scheme,
-                                                                public_rsa, data)
+          public_rsa, data)
       self.assertTrue(verified)