Fix discussion of RSA-PSS salt length
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
parent 2467aed961
commit 539b9a52f9
1 changed files with 8 additions and 4 deletions
|
@ -118,11 +118,15 @@ algorithms can differ from each other.
|
|||
- PSA:
|
||||
- algorithm specification:
|
||||
- hash alg used for message hashing, encoding and MGF1
|
||||
- salt length can be either "standard" (== hashlen) or "any"
|
||||
- salt length can be either "standard" (<= hashlen, see note) or "any"
|
||||
- signature generation:
|
||||
- salt length: always using the maximum legal value and random salt
|
||||
- salt length: always <= hashlen (see note) and random salt
|
||||
- verification:
|
||||
- salt length: either == hashlen, or any depending on algorithm
|
||||
- salt length: either <= hashlen (see note), or any depending on algorithm
|
||||
|
||||
Note: above, "<= hashlen" means that hashlen is used if possible, but if it
|
||||
doesn't fit because the key is too short, then the maximum lenght that fits is
|
||||
used.
|
||||
|
||||
The RSA/PK API is in principle more flexible than the PSA Crypto API. The
|
||||
following sub-sections study whether and how this matters in practice.
|
||||
|
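Review bot: In the verification bullet, "<= hashlen (see note)" can be read as accepting any salt length up to hashlen, while the Note defines it as a single value: hashlen, or the maximum length that fits when the key is too short. Consider writing the three bullets with an explicit expression such as "min(hashlen, maximum that fits)", or adding a sentence to the Note saying that verification expects exactly that length unless the "any" variant is used. Also, "lenght" in the Note should be "length".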
@ -158,7 +162,7 @@ match a limitation of the PSA API.
|
|||
It is unclear what parameters people use in practice. It looks like by default
|
||||
OpenSSL picks saltlen = keylen - hashlen - 2 (tested with openssl 1.1.1f).
|
||||
The `certool` command provided by GnuTLS seems to be picking saltlen = hashlen
|
||||
by default (tested with GnuTLS 3.6.13). FIPS 186-4 recommends saltlen >=
|
||||
by default (tested with GnuTLS 3.6.13). FIPS 186-4 recommends 0 <= saltlen <=
|
||||
hashlen.
|
||||
|
||||
### Use in TLS
|
||||
|
|
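Review bot: With the bound now written as "0 <= saltlen <= hashlen", the OpenSSL default quoted earlier in the same paragraph (saltlen = keylen - hashlen - 2) falls above that range whenever keylen > 2*hashlen + 2, and the text does not point this out. Since the paragraph is about which salt lengths occur in practice, add a sentence making that explicit, and cite the FIPS 186-4 section the bound is taken from so readers can check the wording. Nit on a context line: the GnuTLS tool is `certtool`, not `certool`.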