Golang-style salt lengths to verify RSA PSS sigs

Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
secure-systems-lab · Jul 21, 2020 · d148b64 · d148b64
1 parent 6f88f63
commit d148b64
Showing 1 changed file with 25 additions and 8 deletions.
diff --git a/securesystemslib/rsa_keys.py b/securesystemslib/rsa_keys.py
@@ -382,7 +382,20 @@ def create_rsa_signature(private_key, data, scheme='rsassa-pss-sha256'):
 
 
 
-def verify_rsa_signature(signature, signature_scheme, public_key, data):
+# https://github.com/golang/go/blob/11f92e9dae96939c2d784ae963fa7763c300660b/src/crypto/rsa/pss.go#L225-L232
+class SaltLength:
+	# PSSSaltLengthAuto causes the salt in a PSS signature to be as large
+	# as possible when signing, and to be auto-detected when verifying.
+	PSSSaltLengthAuto = 0
+	# PSSSaltLengthEqualsHash causes the salt length to equal the length
+	# of the hash used in the signature.
+	PSSSaltLengthEqualsHash = -1
+
+
+
+
+
+def verify_rsa_signature(signature, signature_scheme, public_key, data, salt_length=SaltLength.PSSSaltLengthEqualsHash):
   """
   <Purpose>
     Determine whether the corresponding private key of 'public_key' produced
@@ -455,11 +468,6 @@ def verify_rsa_signature(signature, signature_scheme, public_key, data):
   # What about 'data'?
   securesystemslib.formats.DATA_SCHEMA.check_match(data)
 
-  # Verify whether the private key of 'public_key' produced 'signature'.
-  # Before returning the 'valid_signature' Boolean result, ensure 'RSASSA-PSS'
-  # was used as the signature scheme.
-  valid_signature = False
-
   # Verify the RSASSA-PSS signature with pyca/cryptography.
   try:
     public_key_object = serialization.load_pem_public_key(
@@ -473,9 +481,18 @@ def verify_rsa_signature(signature, signature_scheme, public_key, data):
     # hashing algorithm.
     try:
       if signature_scheme.startswith('rsassa-pss'):
+        # https://github.com/golang/go/blob/11f92e9dae96939c2d784ae963fa7763c300660b/src/crypto/rsa/pss.go#L269-L275
+        if salt_length == SaltLength.PSSSaltLengthAuto:
+          salt_length = padding.PSS.MAX_LENGTH
+        elif salt_length == SaltLength.PSSSaltLengthEqualsHash:
+          salt_length = digest_obj.algorithm.digest_size
+        else:
+          raise securesystemslib.exceptions.UnsupportedAlgorithmError('Unsupported'
+            ' salt length is specified: ' + repr(salt_length))
+
         public_key_object.verify(signature, data,
             padding.PSS(mgf=padding.MGF1(digest_obj.algorithm),
-            salt_length=digest_obj.algorithm.digest_size),
+            salt_length=salt_length),
             digest_obj.algorithm)
 
       elif signature_scheme.startswith('rsa-pkcs1v15'):
@@ -486,7 +503,7 @@ def verify_rsa_signature(signature, signature_scheme, public_key, data):
       # This is a defensive check check..
       else:  # pragma: no cover
         raise securesystemslib.exceptions.UnsupportedAlgorithmError('Unsupported'
-            ' signature scheme is specified: ' + repr(scheme))
+            ' signature scheme is specified: ' + repr(signature_scheme))
 
       return True