From d657ae6f8a7966da00b068f2db349d3509f4a3b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Sun, 5 Sep 2021 10:27:41 +0000 Subject: [PATCH] crypto: fix RSA-PSS default saltLength PR-URL: https://github.com/nodejs/node/pull/39999 Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Filip Skokan --- src/crypto/crypto_rsa.cc | 9 +++++-- test/parallel/test-crypto-keygen.js | 37 +++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc index 30181dece8b541..d2307c33f5de87 100644 --- a/src/crypto/crypto_rsa.cc +++ b/src/crypto/crypto_rsa.cc @@ -79,10 +79,15 @@ EVPKeyCtxPointer RsaKeyGenTraits::Setup(RsaKeyPairGenConfig* params) { return EVPKeyCtxPointer(); } - if (params->params.saltlen >= 0 && + int saltlen = params->params.saltlen; + if (saltlen < 0 && params->params.md != nullptr) { + saltlen = EVP_MD_size(params->params.md); + } + + if (saltlen >= 0 && EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen( ctx.get(), - params->params.saltlen) <= 0) { + saltlen) <= 0) { return EVPKeyCtxPointer(); } } diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js index 4f598877b1b9cf..2647c16a9a906c 100644 --- a/test/parallel/test-crypto-keygen.js +++ b/test/parallel/test-crypto-keygen.js @@ -391,6 +391,43 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher); })); } +{ + // RFC 8017, A.2.3.: "For a given hashAlgorithm, the default value of + // saltLength is the octet length of the hash value." + + generateKeyPair('rsa-pss', { + modulusLength: 512, + hashAlgorithm: 'sha512' + }, common.mustSucceed((publicKey, privateKey) => { + const expectedKeyDetails = { + modulusLength: 512, + publicExponent: 65537n, + hashAlgorithm: 'sha512', + mgf1HashAlgorithm: 'sha512', + saltLength: 64 + }; + assert.deepStrictEqual(publicKey.asymmetricKeyDetails, expectedKeyDetails); + assert.deepStrictEqual(privateKey.asymmetricKeyDetails, expectedKeyDetails); + })); + + // It is still possible to explicitly set saltLength to 0. + generateKeyPair('rsa-pss', { + modulusLength: 512, + hashAlgorithm: 'sha512', + saltLength: 0 + }, common.mustSucceed((publicKey, privateKey) => { + const expectedKeyDetails = { + modulusLength: 512, + publicExponent: 65537n, + hashAlgorithm: 'sha512', + mgf1HashAlgorithm: 'sha512', + saltLength: 0 + }; + assert.deepStrictEqual(publicKey.asymmetricKeyDetails, expectedKeyDetails); + assert.deepStrictEqual(privateKey.asymmetricKeyDetails, expectedKeyDetails); + })); +} + { const privateKeyEncoding = { type: 'pkcs8',