Skip to content

104080 custom rsapss salt length #119255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 42 commits into
base: main
Choose a base branch
from
Open

104080 custom rsapss salt length #119255

wants to merge 42 commits into from
+809 −236

Conversation

henning-krause
Copy link

@henning-krause henning-krause commented Sep 2, 2025
edited by jeffhandley
Loading

Added support for custom PSS salt length for RSA based signature operations. Resolves #104080.

With this PR, I have extended the RsaSignaturePadding class with a custom salt length as discussed in #104080. I've also updated the CmsSigner and the CertificateRequest class to support this.

CoseSigner did not need functionality updates, because the spec does not support custom salt length. I have added checks to prevent this to be configured on the CoseSigner.

Tests where either added or updated to test the new functionality.

All RSA implementations which support this (MAC doesn't seem to support this) were updated.

henning-krause and others added 23 commits May 16, 2025 11:32
@henning-krause
Added support for a custom salt length when using PSS signature valid…
e0b1dae 
…ation/generation with RSA keys. dotnet#104080
@henning-krause
Review
05ed28b
@henning-krause
Merge branch 'dotnet:main' into 104080-custom-rsapss-salt-length
21135d5
@henning-krause
Review all usages for RSASignaturePadding to check for missing PSS sa…
d705126 
…lt customizations
@henning-krause
Added error handling for apple devices (custom PSS salt length not su…
3c6288c 
…pported there)

Updated reference code
@henning-krause
Added sign and verify tests for custom salt lengths
4d3bd37
@henning-krause
Added test for max salt length verification
d19d017
@henning-krause
Added a test for the RSAPssX509SignatureGenerator
20be62b
@henning-krause
Added test for CertificateRequest.LoadSigningRequest
c0d0ce0
@henning-krause
More tests for the CertificateRequest
81432d5
@henning-krause
Added custom salt support for SignedCms
a016382
@henning-krause
Add error handling for PSS salt length in CoseSigner
9cde2fa 
Cose does not support custom salt lengths with PSS.
@henning-krause
Updated RSA
a6dd48a
@henning-krause
Merged from main
71325e3
@henning-krause
Updated CoseSigner
e2407be
@henning-krause
Code fixes
7b65140
@henning-krause
Code fixes
623199c
@henning-krause
Code fixes
b14906e
@henning-krause
Code fixes
9dcb4ea
@henning-krause
Code fixes
fee0f09
@henning-krause
Code fixes
a386bac
@henning-krause
Updated a few test cases
430a846
@henning-krause
CRL Builder tests extended
e0eb704
@Copilot Copilot AI review requested due to automatic review settings September 2, 2025 05:45
@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Sep 2, 2025
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot
Copilot AI reviewed Sep 2, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request adds support for custom PSS salt length for RSA-based signature operations. The implementation extends the RSASignaturePadding class with a new CreatePss(int saltLength) method and updates related cryptographic components to utilize custom salt lengths.

Key changes include:

  • Extended RSASignaturePadding to support custom PSS salt lengths with new constants and factory method
  • Updated all RSA implementation backends (OpenSSL, CNG, BCrypt, etc.) to handle custom salt lengths
  • Added comprehensive test coverage for various salt length scenarios
  • Updated high-level APIs like CmsSigner and CertificateRequest to support the new functionality

Reviewed Changes

Copilot reviewed 40 out of 41 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.h Added pssSaltLength parameter to RSA sign/verify functions
src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c Implemented custom salt length support in OpenSSL backend
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSASignaturePadding.cs Added CreatePss method, PssSaltLength property, and related constants
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs Updated to use custom salt lengths from padding configuration
src/libraries/Common/src/System/Security/Cryptography/RsaPaddingProcessor.cs Modified PSS encoding/verification to accept custom salt lengths
src/libraries/Common/src/System/Security/Cryptography/RsaPaddingProcessor.DigestInfo.cs Added salt length calculation logic and moved digest info constants
src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/RSAPssX509SignatureGeneratorTests.cs Added comprehensive tests for custom PSS salt lengths
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs Updated validation to accept any PSS mode padding
src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseSigner.cs Added validation to prevent custom salt lengths in COSE

henning-krause and others added 2 commits September 2, 2025 07:51
@henning-krause @Copilot
Update src/libraries/System.Security.Cryptography/tests/X509Certifica…
dd64636 
…tes/CertificateCreation/CertificateRequestChainTests.cs

Co-authored-by: Copilot <[email protected]>
@henning-krause @Copilot
Update src/libraries/System.Security.Cryptography/ref/System.Security…
d97581c 
….Cryptography.cs

Co-authored-by: Copilot <[email protected]>
vcsjones
vcsjones reviewed Sep 3, 2025
View reviewed changes
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.manual.cs
@@ -41,6 +41,9 @@ internal RSASignaturePadding GetSignaturePadding(
HashAlgorithm.Algorithm));
}

#if NET10_0_OR_GREATER
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is tricky. Right now, .NET 10 is "done". Technically this work will go in for .NET 11. However, the runtime and SDK are not "bumped" to .NET 11 yet so #if NET11_0_OR_GREATER doesn't exist. We might need to wait for this work until #118583 is complete.

bartonjs
bartonjs reviewed Sep 3, 2025
View reviewed changes
Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've made it about halfway, but have to disappear for a bit, so posting what I've already seen.

This was referenced Sep 5, 2025
Open
Open
bartonjs
bartonjs reviewed Sep 5, 2025
View reviewed changes
@jeffhandley jeffhandley added this to the 11.0.0 milestone Sep 6, 2025
This was referenced Sep 9, 2025
Open
Open
Open
Open
Open
bartonjs
bartonjs reviewed Sep 11, 2025
View reviewed changes
...braries/System.Security.Cryptography/src/System/Security/Cryptography/RSASignaturePadding.cs
public static RSASignaturePadding CreatePss(int saltLength)
{
switch (saltLength)
{
case PssSaltLengthIsHashLength or PssSaltLengthMax:
case > 0:
case >= 0:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that a test that had been expecting zero to fail has been removed. But I don't see any tests showing

  • That 0 is allowed here
  • That 0 works when directly using the type
  • That 0 works when used with CertificateRequest
  • That 0 works when used with SignedCms

Please add those tests (or show me where I missed them)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Added test to RSASignaturePadding_Constructor_ValidParameters
  • PssRoundTripParameters already includes 0.
  • CreateSignature_RsaPss already includes a test for 0 (via CreateSignature_RsaPssTests)
  • Added a test for 0 in SelfSign_RSA_PssPadding_CustomSaltLength

src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.cs Outdated
Comment on lines 400 to 403
// Apple does not support custom salt length for the PSS padding
if (padding.Mode == RSASignaturePaddingMode.Pss &&
(padding.PssSaltLength != RSASignaturePadding.PssSaltLengthIsHashLength &&
padding.PssSaltLength != RsaPaddingProcessor.HashLength(hashAlgorithm)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the tests for Apple say that customizing the salt size isn't supported, but this says that a specified salt size is allowed if it matches the PssSaltLengthIsHashLength calculated size.

That suggests that we're missing negative tests (e.g. we want to see the exception when calling Apple), and that we don't have a test for when it matches.

If I've just missed the tests, feel free to point them out to me.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Added a test PssUnsupportedPssSaltLengthOnApple in SignVerify
  • I've updated the PssRoundTripParameters to return test values with the salt length matching the hash length. This should cover the positive test.

@build-analysis build-analysis bot mentioned this pull request Sep 12, 2025
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vcsjones vcsjones vcsjones left review comments

@bartonjs bartonjs bartonjs left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@bartonjs bartonjs

Labels
area-System.Security community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Milestone
11.0.0
Development

Successfully merging this pull request may close these issues.

[API Proposal]: RSA PSS salt length
4 participants
@henning-krause @vcsjones @bartonjs @jeffhandley