PSS: Improve interoperability with optional auto salt length detection during verification #546

Open: wants to merge 3 commits into base: master

Conversation


@rrauch rrauch commented Jul 30, 2025

This PR adds an optional method to automatically detect the salt length during RSA-PSS signature verification.

Should Fix: #361 and similar situations.

Problem

The crate currently requires a fixed salt length for PSS verification. This prevents verification of signatures where the salt length is not known beforehand, a situation not uncommon in interoperability contexts.

This capability was previously available but was removed in PR #294.

Solution

This change re-introduces salt length auto-detection as an explicit, opt-in feature. A new constructor, VerifyingKey::new_with_auto_salt_len, creates a verifier that performs this detection during verification.

  • The change is opt-in and does not affect default behavior.
  • It improves interoperability by handling signatures with variable / unknown salt lengths.
  • The salt detection logic is implemented in constant(-ish) time to resist timing attacks.

Commit Structure

This PR consists of three commits:

  1. test: Adds a failing unit test to demonstrate the issue.
  2. feat: Implements new_with_auto_salt_len and re-introduces the previous detection logic.
  3. fix: Updates the detection logic to be less prone to timing attacks.

Because salt length auto-detection is OpenSSL's default, it's likely that many systems were built without a mechanism to enforce or communicate a fixed salt length. Without this PR, it was impossible to reliably use this crate in my current project, and I suspect others face the same blocker. I've lost quite a bit of time dealing with seemingly random signature verification failures until I realized the crux of the problem.

rrauch added 3 commits July 30, 2025 12:04
Makes salt_len parameter optional in EMSA-PSS verification, defaulting
to auto-detection by scanning for the 0x01 separator byte. Signing
still requires explicit salt length specification.

Replace variable-time scanning with constant-time implementation.
Eliminates early termination and data-dependent branching that could
leak padding structure via timing side-channels.
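The following stand-alone Rust is an added example, not code from this PR or from the rsa crate. It shows the one step of EMSA-PSS verification (RFC 8017 section 9.1.2, step 10) that the Solution section and the commit messages above are about: parsing the recovered data block DB = PS || 0x01 || salt, first with a fixed salt length as the crate does today, then with auto-detection by locating the first non-zero byte, and finally with a scan that visits every byte with no early exit and no branch on the data. The hash, MGF1 and the unmasking step are left out, so this is not a complete verifier; the SaltLen enum, the function names and the sample salts are assumptions made for illustration.

```rust
/// Which salt length the verifier expects (illustrative; not the crate's API).
#[derive(Clone, Copy, Debug)]
pub enum SaltLen {
    Fixed(usize),
    Auto,
}

/// Build the data block a signer produces (RFC 8017 section 9.1.1, step 8):
/// DB = PS || 0x01 || salt, where PS is all-zero padding.
/// `db_len` is emLen - hLen - 1. Used here only to construct sample inputs.
pub fn build_db(db_len: usize, salt: &[u8]) -> Vec<u8> {
    assert!(salt.len() + 1 <= db_len, "salt too long for this modulus/hash");
    let mut db = vec![0u8; db_len - salt.len() - 1];
    db.push(0x01);
    db.extend_from_slice(salt);
    db
}

/// Verifier side (RFC 8017 section 9.1.2, step 10), variable-time reference.
/// Returns the salt length on success, None when DB is malformed.
/// `Fixed` rejects any other salt length; `Auto` accepts any salt length
/// up to db.len() - 1, i.e. emLen - hLen - 2, the RFC 8017 maximum.
pub fn parse_db_vartime(db: &[u8], expected: SaltLen) -> Option<usize> {
    match expected {
        SaltLen::Fixed(s_len) => {
            let ps_len = db.len().checked_sub(s_len + 1)?;
            if db[..ps_len].iter().any(|&b| b != 0) || db[ps_len] != 0x01 {
                return None;
            }
            Some(s_len)
        }
        SaltLen::Auto => {
            // Stops at the first non-zero byte: data-dependent timing.
            let sep = db.iter().position(|&b| b != 0)?;
            if db[sep] != 0x01 {
                return None;
            }
            Some(db.len() - sep - 1)
        }
    }
}

// Branch-free mask helpers: 0xFF means "true", 0x00 means "false".
#[inline]
fn nonzero_mask(b: u8) -> u8 {
    // (b | -b) has its top bit set iff b != 0; widen that bit to a full byte.
    ((b | b.wrapping_neg()) >> 7).wrapping_neg()
}

#[inline]
fn eq_mask(a: u8, b: u8) -> u8 {
    !nonzero_mask(a ^ b)
}

#[inline]
fn select(mask: u8, if_set: usize, otherwise: usize) -> usize {
    let m = mask as i8 as isize as usize; // 0xFF -> all ones, 0x00 -> zero
    (if_set & m) | (otherwise & !m)
}

/// Auto-detection that walks every byte of DB with no early termination and
/// no branch on the data, in the spirit of the third commit. Only the final
/// accept/reject decision, which is public anyway, is branched on.
pub fn detect_salt_len_ct(db: &[u8]) -> Option<usize> {
    let mut seen_nonzero: u8 = 0; // becomes 0xFF at the first non-zero byte
    let mut sep_is_one: u8 = 0;   // 0xFF iff that first non-zero byte was 0x01
    let mut sep_index: usize = 0;
    for (i, &b) in db.iter().enumerate() {
        let nz = nonzero_mask(b);
        let first = nz & !seen_nonzero; // set only at the first non-zero byte
        sep_is_one |= first & eq_mask(b, 0x01);
        sep_index = select(first, i, sep_index);
        seen_nonzero |= nz;
    }
    // Valid iff a separator exists (an all-zero DB has none) and it was 0x01.
    if (seen_nonzero & sep_is_one) == 0xFF {
        Some(db.len() - sep_index - 1)
    } else {
        None
    }
}

fn main() {
    // Constructed scenario: a 2048-bit modulus with SHA-256 gives emLen = 256
    // and hLen = 32, so DB is 223 bytes. The signer used a 20-byte salt; the
    // verifier was configured for a fixed 32-byte (hash-length) salt.
    let db = build_db(256 - 32 - 1, &[0xA5u8; 20]);
    println!("fixed 32 : {:?}", parse_db_vartime(&db, SaltLen::Fixed(32)));
    println!("fixed 20 : {:?}", parse_db_vartime(&db, SaltLen::Fixed(20)));
    println!("auto     : {:?}", parse_db_vartime(&db, SaltLen::Auto));
    println!("auto (ct): {:?}", detect_salt_len_ct(&db));
}
```

The "fixed 32" line is the interoperability failure the PR describes: the padding is well formed, but a verifier that insists on a 32-byte salt rejects a 20-byte one, and nothing in the signature announces which length the signer chose. Auto-detection is unambiguous because the separator is by construction the first non-zero byte of DB, so it also handles salts that begin with 0x00. In verification the inputs (signature, public key, message) are all public, so treat the branch-free scan as defence in depth rather than a hard requirement; it costs one pass over DB either way.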
Development

Successfully merging this pull request may close these issues.

Update from 0.8 to 0.9 broke verification after reading PEM and using Sha256 PSS