IVR

Issue with Setting Salt Length in RSASSA-PSS Signature Using OpenSSL


Hello everyone,

I'm working on a Delphi project that requires signing a request signature with the RSASSA-PSS algorithm. In my implementation, I initialize the signing context with EVP_DigestSignInit using SHA-256. However, when I attempt to set the salt length with EVP_PKEY_CTX_set_rsa_pss_saltlen(PSSCtx, 32), it consistently returns an error.

I'm using the OverByteIcsLIBEAY.pas functions.


Params I need to use for the signature:

  • Hash algorithm: SHA-256
  • Mask generation function: MGF1
  • Mask generation algorithm: SHA-256
  • Salt length: 32 bytes (= 256 bits, same as the hash length)
  • Trailer field: 1

Has anyone here encountered similar issues with RSASSA-PSS in OpenSSL, particularly with setting the salt length? Any advice on handling this setup in Delphi would be greatly appreciated!

Thanks in advance!


function TIsabelData.SignData(const AData: TBytes; APrivateKey: PEVP_PKEY): string;
var
  SignCtx: PEVP_MD_CTX;
  PSSCtx: PEVP_PKEY_CTX;   // owned by SignCtx after EVP_DigestSignInit; never freed separately
  Sig: TBytes;
  SigLen: Cardinal;
  ErrCode: Cardinal;
begin
  if EVP_PKEY_base_id(APrivateKey) <> EVP_PKEY_RSA then
    raise Exception.Create('The provided key is not an RSA key');

  SignCtx := EVP_MD_CTX_create;
  PSSCtx := nil;
  try
    // SHA-256 as the message digest; the PSSCtx handed back belongs to SignCtx
    if EVP_DigestSignInit(SignCtx, @PSSCtx, EVP_sha256, nil, APrivateKey) <> 1 then
      raise Exception.Create('Error initializing digest sign');

    if EVP_PKEY_CTX_set_rsa_padding(PSSCtx, RSA_PKCS1_PSS_PADDING) <= 0 then
      raise Exception.Create('Error setting RSA PSS padding');

    // Salt length 32 = SHA-256 output length. In OpenSSL 1.1.x this call is a macro
    // over EVP_PKEY_CTX_ctrl (it only became an exported function in 3.0), so the
    // Delphi binding must map it onto that ctrl call.
    if EVP_PKEY_CTX_set_rsa_pss_saltlen(PSSCtx, 32) <= 0 then
    begin
      ErrCode := ERR_get_error;
      raise Exception.Create('Error setting RSA PSS salt length: ' + string(ERR_reason_error_string(ErrCode)));
    end;

    // MGF1 with SHA-256
    if EVP_PKEY_CTX_set_rsa_mgf1_md(PSSCtx, EVP_sha256) <= 0 then
      raise Exception.Create('Error setting MGF1 to SHA256');

    // Pointer(AData) is nil for an empty array, so no range error on @AData[0]
    if EVP_DigestSignUpdate(SignCtx, Pointer(AData), Length(AData)) <> 1 then
      raise Exception.Create('Error updating digest sign');

    // First call with a nil buffer only reports the required signature size
    SigLen := 0;
    if EVP_DigestSignFinal(SignCtx, nil, @SigLen) <> 1 then
      raise Exception.Create('Error finalizing digest sign');

    SetLength(Sig, SigLen);
    if EVP_DigestSignFinal(SignCtx, @Sig[0], @SigLen) <> 1 then
      raise Exception.Create('Error finalizing digest sign');

    // SigLen now holds the number of bytes actually written; encode only those
    SetLength(Sig, SigLen);
    Result := TNetEncoding.Base64.EncodeBytesToString(Sig);
  finally
    // Freeing SignCtx also frees PSSCtx; a separate EVP_PKEY_CTX_free(PSSCtx)
    // here would be a double free
    EVP_MD_CTX_free(SignCtx);
  end;
end;

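A reference signature with exactly the parameters listed in the post, produced with the openssl command line (an added example, not from the original post or from ICS); it assumes openssl 1.1.1 or later is on PATH and constructs its own throwaway key and data. Verifying with a numeric rsa_pss_saltlen makes OpenSSL demand that exact salt length, which is how the block confirms that 32 bytes were really used.

```shell
#!/bin/sh
# Added example, not from the original post: make a reference RSASSA-PSS
# signature with the openssl CLI using the parameters listed above
# (SHA-256, MGF1 with SHA-256, 32-byte salt; OpenSSL only emits trailer 0xBC),
# then verify it and confirm the salt length by rejecting a 20-byte check.
# Assumes openssl 1.1.1+ on PATH; key, data and file names are constructed here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pss_sign KEY DATA OUT: sign DATA with private KEY, writing the raw signature to OUT.
pss_sign() {
  openssl dgst -sha256 -sign "$1" \
    -sigopt rsa_padding_mode:pss \
    -sigopt rsa_pss_saltlen:32 \
    -sigopt rsa_mgf1_md:sha256 \
    -out "$3" "$2"
}

# pss_verify PUB DATA SIG SALTLEN: exit 0 only if SIG verifies with exactly SALTLEN salt bytes
# (a numeric rsa_pss_saltlen on verify demands that exact length, unlike "auto").
pss_verify() {
  openssl dgst -sha256 -verify "$1" \
    -sigopt rsa_padding_mode:pss \
    -sigopt rsa_pss_saltlen:"$4" \
    -sigopt rsa_mgf1_md:sha256 \
    -signature "$3" "$2" >/dev/null 2>&1
}

# pss_selftest: generate a throwaway 2048-bit key, sign constructed data,
# and return 0 only if every check passes.
pss_selftest() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null || return 1
  openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" || return 1
  printf 'constructed request body' > "$WORK/data.bin"
  pss_sign "$WORK/key.pem" "$WORK/data.bin" "$WORK/sig.bin" || return 1
  # A raw PSS signature is exactly the modulus size: 256 bytes for 2048 bits.
  [ "$(wc -c < "$WORK/sig.bin" | tr -d ' ')" -eq 256 ] || return 1
  # The intended parameters verify ...
  pss_verify "$WORK/pub.pem" "$WORK/data.bin" "$WORK/sig.bin" 32 || return 1
  # ... and a 20-byte salt assumption is rejected, proving 32 bytes were used.
  if pss_verify "$WORK/pub.pem" "$WORK/data.bin" "$WORK/sig.bin" 20; then
    return 1
  fi
  return 0
}

pss_selftest || { echo "PSS reference check failed" >&2; exit 1; }
echo "RSASSA-PSS reference signature verified (32-byte salt confirmed)"
```

Feeding a signature from the Delphi function above into pss_verify with 32 is a quick way to check which salt length the OpenSSL build actually applied.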