Maintain backwards-compatibility by default in RSA PSS signatures #430
Comments
3 tasks
lukpueh
added a commit
to lukpueh/securesystemslib
that referenced
this issue
Oct 13, 2022
In secure-systems-lab#422 we changed `create_rsa_signature` to use the maximum salt length available, instead of the digest length, when creating rsassa-pss signatures, and adapted `verify_rsa_signature` to infer the salt length automatically. This made it impossible for users of the old verify function, which could only handle digest sized salts, to verify signatures created by users of the new signing function (see secure-systems-lab#430). Since the advantage of max salt lengths is mostly academic, this patch reverts `create_rsa_signature` to use digest sized salts. Note that we now use the `padding.PSS.DIGEST_LENGTH` constant instead of passing the actual digest length, as we did before. Using the constant has the same result, but is recommended by the library documentation. Also note that the patch does not revert the `verify_rsa_signature` part of secure-systems-lab#422. This allows verifying signatures created with the securesystemslib release that used max salt lengths, or created outside of securesystemslib. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh
added a commit
to lukpueh/securesystemslib
that referenced
this issue
Oct 13, 2022
In secure-systems-lab#422 we changed `create_rsa_signature` to use the maximum salt length available, instead of the digest length, when creating rsassa-pss signatures, and adapted `verify_rsa_signature` to infer the salt length automatically. This made it impossible for users of the old verify function, which could only handle digest sized salts, to verify signatures created by users of the new signing function (see secure-systems-lab#430). Since the advantage of max salt lengths is mostly academic, this patch reverts `create_rsa_signature` to use digest sized salts (as agreed in secure-systems-lab#431). Note that we now use the `padding.PSS.DIGEST_LENGTH` constant instead of passing the actual digest length, as we did before. Using the constant has the same result, but is recommended by the library documentation. Also note that the patch does not revert the `verify_rsa_signature` part of secure-systems-lab#422. This allows verifying signatures created with the securesystemslib release that used max salt lengths, or created outside of securesystemslib. Signed-off-by: Lukas Puehringer <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of issue or feature request:
In #421, we started creating RSA PSS signatures only with the maximum possible salt length. Unfortunately, this breaks backwards-compatibility when verifying these new signatures with securesystemslib<0.24.0.
Current behavior:
Creating RSA PSS signatures ==0.24.0 breaks verification in <0.24.0.
Expected behavior:
Creating RSA PSS signatures in >0.24.0 shouldn't break verification by default in <0.24.0 (and above).
The text was updated successfully, but these errors were encountered: