[go] crypto/rsa: fixes the salt length calculation when PSSSaltLengthAuto option is set in rsa sign request.

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 16, 2021, 1:29:34 PM3/16/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Himanshu Kishna Srivastava has uploaded this change for review.

crypto/rsa: fixes the salt length calculation when PSSSaltLengthAuto option is set in rsa sign request.

The existing implementation wrongly calculates the salt length when PSSSaltLengthAuto is set.
The maximum salt length should equals modulus_key_size/8 - hash_length - 2.
e.g. with a 4096 bit modulus key and SHA-1 hash, the maximum salt length becomes (4096/8) - 20 - 2 = 490.

Fixes #42741

Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5
---
M src/crypto/rsa/pss.go
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
index b2adbed..bd984bd 100644
--- a/src/crypto/rsa/pss.go
+++ b/src/crypto/rsa/pss.go
@@ -269,7 +269,7 @@
 	saltLength := opts.saltLength()
 	switch saltLength {
 	case PSSSaltLengthAuto:
-		saltLength = priv.Size() - 2 - hash.Size()
+		saltLength = (priv.N.BitLen() / 8) - 2 - hash.Size()
 	case PSSSaltLengthEqualsHash:
 		saltLength = hash.Size()
 	}

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Mar 16, 2021, 8:11:25 PM3/16/21

to Himanshu Kishna Srivastava, goph...@pubsubhelper.golang.org, Filippo Valsorda, Adam Langley, Katie Hockman, Roland Shoemaker, Go Bot, golang-co...@googlegroups.com

Attention is currently required from: Himanshu Kishna Srivastava, Filippo Valsorda.

Patch set 1:Run-TryBot +1Trust +1

View Change

3 comments:

Commit Message:
- Patch Set #1, Line 7: crypto/rsa: fixes the salt length calculation when PSSSaltLengthAuto option is set in rsa sign request.
  crypto/rsa: fix salt length calculation with PSSSaltLengthAuto
- Patch Set #1, Line 9:

The existing implementation wrongly calculates the salt length when PSSSaltLengthAuto is set.
The maximum salt length should equals modulus_key_size/8 - hash_length - 2.
e.g. with a 4096 bit modulus key and SHA-1 hash, the maximum salt length becomes (4096/8) - 20 - 2 = 490.

When PSSSaltLength is set, the maximum salt length must equal:

    modulus_key_size/8 - hash_length - 2

and for example, with a 4096 bit modulus key, and a SHA-1 hash,
it should be:
    
     4096/8 - 20 - 2 = 490

Previously we'd encounter this error:

     crypto/rsa: key size too small for PSS signature

Patchset:

Patch Set #1:

Thank you for this change Himanshu, and congratulations on your first change as a Go contributor.
Delighted to have you, and thank you for the sharp eyes!

Could you please also add a test. Let's adapt Filippo's suggestion to make this test that can add at the bottom of crypto/rsa/pss_test.go

// Ensure that we don't encounter an error when
// signing with PSS signatures.
// See issue https://golang.org/org/issues/42741.
func TestSignWithPSSSaltLengthAuto(t *testing.T) {
    key, err := GenerateKey(rand.Reader, 2049)
    if err != nil {
        t.Fatal(err)
    }
    digest := sha256.Sum256([]byte("message"))
    signature, err := key.Sign(rand.Reader, digest[:], &PSSOptions{
        SaltLength: PSSSaltLengthAuto,
        Hash:       crypto.SHA256,
    })
    if err != nil {
        t.Fatal(err)
    }

    if len(signature) == 0 {
        t.Fatal("empty signature returned")
    }
}

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 17, 2021, 11:34:46 AM3/17/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Himanshu Kishna Srivastava, Filippo Valsorda.

Himanshu Kishna Srivastava uploaded patch set #2 to this change.

View Change

crypto/rsa: fix salt length calculation with PSSSaltLengthAuto

When PSSSaltLength is set, the maximum salt length must equal:

    modulus_key_size/8 - hash_length - 2
and for example, with a 4096 bit modulus key, and a SHA-1 hash,
it should be:

     4096/8 - 20 - 2 = 490
Previously we'd encounter this error:

     crypto/rsa: key size too small for PSS signature

Fixes #42741

Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5
---
M src/crypto/rsa/pss.go

M src/crypto/rsa/pss_test.go
2 files changed, 20 insertions(+), 2 deletions(-)

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 17, 2021, 11:41:30 AM3/17/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Filippo Valsorda, Adam Langley, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com

Attention is currently required from: Emmanuel Odeke, Filippo Valsorda.

View Change

3 comments:

Commit Message:

- Patch Set #1, Line 7: crypto/rsa: fixes the salt length calculation when PSSSaltLengthAuto option is set in rsa sign request.

- crypto/rsa: fix salt length calculation with PSSSaltLengthAuto
  Done

- Patch Set #1, Line 9:

The existing implementation wrongly calculates the salt length when PSSSaltLengthAuto is set.
The maximum salt length should equals modulus_key_size/8 - hash_length - 2.

e.g. with a 4096 bit modulus key and SHA-1 hash, the maximum salt length becomes (4096/8) - 20 - 2 = 490.

When PSSSaltLength is set, the maximum salt length must equal: […]

Done

Patchset:
- Patch Set #2:
  I have also added the unit test case as per suggestion.
  Please review.

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Mar 17, 2021, 12:18:55 PM3/17/21

to Himanshu Kishna Srivastava, goph...@pubsubhelper.golang.org, Roland Shoemaker, Katie Hockman, Go Bot, Filippo Valsorda, Adam Langley, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Himanshu Kishna Srivastava, Filippo Valsorda.

Patch set 2:Run-TryBot +1Code-Review +1Trust +1

View Change

1 comment:

Patchset:
- Patch Set #2:
  Thanks!

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Mar 17, 2021, 12:18:55 PM3/17/21

to Himanshu Kishna Srivastava, goph...@pubsubhelper.golang.org, Adam Langley, Roland Shoemaker, Katie Hockman, Go Bot, Filippo Valsorda, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Himanshu Kishna Srivastava, Filippo Valsorda.

Emmanuel Odeke removed Adam Langley from this change.

View Change

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Filippo Valsorda (Gerrit)

unread,

Mar 22, 2021, 11:12:09 AM3/22/21

to Himanshu Kishna Srivastava, goph...@pubsubhelper.golang.org, Filippo Valsorda, Go Bot, Roland Shoemaker, Katie Hockman, Emmanuel Odeke, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Himanshu Kishna Srivastava.

Patch set 2:Code-Review +2

View Change

2 comments:

File src/crypto/rsa/pss.go:
- Patch Set #2, Line 272: saltLength = (priv.N.BitLen() / 8) - 2 - hash.Size()
  Technically I think this is supposed to be
```
    (priv.N.BitLen()-1+7)/8 - 2 - hash.Size()
```
File src/crypto/rsa/pss_test.go:
- Patch Set #2, Line 237: key, err := GenerateKey(rand.Reader, 2049)
  Running GenerateKey at every test run is pretty expensive. Instead, hardcode a 2049 bit key, and add a comment saying it's intentionally 2049 bits as a test for Issue 42741. Thank you!

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 23, 2021, 1:30:00 PM3/23/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Himanshu Kishna Srivastava.

Himanshu Kishna Srivastava uploaded patch set #3 to this change.

View Change

crypto/rsa: fix salt length calculation with PSSSaltLengthAuto


When PSSSaltLength is set, the maximum salt length must equal:

    (modulus_key_size - 1 + 7)/8 - hash_length - 2


and for example, with a 4096 bit modulus key, and a SHA-1 hash,
it should be:

     (4096 -1 + 7)/8 - 20 - 2 = 490


Previously we'd encounter this error:

     crypto/rsa: key size too small for PSS signature

Fixes #42741

Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5
---
M src/crypto/rsa/pss.go
M src/crypto/rsa/pss_test.go
2 files changed, 20 insertions(+), 2 deletions(-)

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 23, 2021, 1:42:26 PM3/23/21

to goph...@pubsubhelper.golang.org, Filippo Valsorda, Go Bot, Roland Shoemaker, Katie Hockman, Emmanuel Odeke, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Filippo Valsorda.

View Change

3 comments:

Patchset:
- Patch Set #3:
  I have made the changes as per your review comment in file pss.go.
  But for pss_test.go I have used a key of length 513.
  The issue is also reproducible with 513 length also. I am avoiding hard code rsa key to make the code simple and clean.I also find that rsa keygenerate is used instead of hardcoding of rsa keys.
  Also, I feel it saves the break failure with GenerateKey in future.
  Please share your opinion on the same.
File src/crypto/rsa/pss.go:

- Patch Set #2, Line 272: saltLength = (priv.N.BitLen() / 8) - 2 - hash.Size()

- Technically I think this is supposed to be […]
  Agreed. This is the better fix. Thanks.
  I have done the changes.
  Please review.
File src/crypto/rsa/pss_test.go:

- Patch Set #2, Line 237: key, err := GenerateKey(rand.Reader, 2049)

- Running GenerateKey at every test run is pretty expensive. […]
  This issue is also reproducible when the size of the key is 513 etc.
  Will it be fine if I use key length of 513 here as this will be very less expensive
  task in comparison to generate key of length 2049.
  I am avoiding hard-coding of key to make code simple and avoid any functionality break with GenerateKey in future.

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Mar 24, 2021, 9:07:19 AM3/24/21

to Himanshu Kishna Srivastava, goph...@pubsubhelper.golang.org, Filippo Valsorda, Go Bot, Roland Shoemaker, Katie Hockman, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Filippo Valsorda.

Patch set 3:Run-TryBot +1Code-Review +2Trust +1

View Change

1 comment:

Patchset:
- Patch Set #3:
  LGTM, thank you Himanshu. Please take another look Filippo.
  RELNOTE=yes

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 25, 2021, 7:10:16 AM3/25/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Filippo Valsorda, Roland Shoemaker, Katie Hockman, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Filippo Valsorda.

Hello All,

Please review the changes. Please let me know if you have any review comment.

Regards

Himanshu

View Change

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Himanshu Srivastava

unread,

Mar 25, 2021, 1:16:29 PM3/25/21

to change...@go-review.googlesource.com, goph...@pubsubhelper.golang.org, Emmanuel Odeke, Filippo Valsorda, Roland Shoemaker, Katie Hockman, golang-co...@googlegroups.com

Hello All,

Please review the changes. Please let me know if you have any review comment.

Regards

Himanshu

On Wed, Mar 24, 2021, 6:53 PM Go Bot (Gerrit) <noreply-gerritcodereview-knnQKhH6tCoSuXBZTOBSug==@google.com> wrote:

Attention is currently required from: Katie Hockman, Roland Shoemaker, Filippo Valsorda.

TryBots are happy.
Patch set 3:TryBot-Result +1

View Change
To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: go

Gerrit-Branch: master

Gerrit-Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5

Gerrit-Change-Number: 302230

Gerrit-PatchSet: 3

Gerrit-Owner: Himanshu Kishna Srivastava <28him...@gmail.com>

Gerrit-Reviewer: Emmanuel Odeke <emma...@orijtech.com>

Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>

Gerrit-Reviewer: Go Bot <go...@golang.org>

Gerrit-Reviewer: Katie Hockman <ka...@golang.org>

Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>

Gerrit-Attention: Katie Hockman <ka...@golang.org>

Gerrit-Attention: Roland Shoemaker <rol...@golang.org>

Gerrit-Attention: Filippo Valsorda <fil...@golang.org>

Gerrit-Comment-Date: Wed, 24 Mar 2021 13:23:07 +0000

Gerrit-HasComments: No

Gerrit-Has-Labels: Yes

Gerrit-MessageType: comment

Himanshu Srivastava

unread,

Mar 29, 2021, 10:16:52 AM3/29/21

to change...@go-review.googlesource.com, goph...@pubsubhelper.golang.org, Emmanuel Odeke, Filippo Valsorda, Roland Shoemaker, Katie Hockman, golang-co...@googlegroups.com

Hello All,

A gentle reminder. Any review comment.

Regards

Himanshu

Himanshu Kishna Srivastava (Gerrit)

unread,

Mar 29, 2021, 10:17:02 AM3/29/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Filippo Valsorda, Roland Shoemaker, Katie Hockman, golang-co...@googlegroups.com

Attention is currently required from: Katie Hockman, Roland Shoemaker, Filippo Valsorda.

Hello All,

A gentle reminder. Any review comment.

Regards

Himanshu

View Change

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Filippo Valsorda (Gerrit)

unread,

Mar 29, 2021, 11:20:18 AM3/29/21

to Himanshu Kishna Srivastava, Filippo Valsorda, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go Bot, Emmanuel Odeke, Roland Shoemaker, Katie Hockman, golang-co...@googlegroups.com

Filippo Valsorda submitted this change.

View Change

Approvals:
  Emmanuel Odeke: Looks good to me, approved; Trusted; Run TryBots
  Filippo Valsorda: Looks good to me, approved
  Go Bot: TryBots succeeded

crypto/rsa: fix salt length calculation with PSSSaltLengthAuto

When PSSSaltLength is set, the maximum salt length must equal:

    (modulus_key_size - 1 + 7)/8 - hash_length - 2
and for example, with a 4096 bit modulus key, and a SHA-1 hash,
it should be:

     (4096 -1 + 7)/8 - 20 - 2 = 490
Previously we'd encounter this error:

     crypto/rsa: key size too small for PSS signature

Fixes #42741

Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5

Reviewed-on: https://go-review.googlesource.com/c/go/+/302230
Reviewed-by: Emmanuel Odeke <emma...@orijtech.com>
Reviewed-by: Filippo Valsorda <fil...@golang.org>
Trust: Emmanuel Odeke <emma...@orijtech.com>
Run-TryBot: Emmanuel Odeke <emma...@orijtech.com>
TryBot-Result: Go Bot <go...@golang.org>


---
M src/crypto/rsa/pss.go
M src/crypto/rsa/pss_test.go
2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
index b2adbed..814522d 100644


--- a/src/crypto/rsa/pss.go
+++ b/src/crypto/rsa/pss.go
@@ -269,7 +269,7 @@
 	saltLength := opts.saltLength()
 	switch saltLength {
 	case PSSSaltLengthAuto:
-		saltLength = priv.Size() - 2 - hash.Size()

+		saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size()


 	case PSSSaltLengthEqualsHash:
 		saltLength = hash.Size()
 	}

diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
index dfa8d8b..c3a6d46 100644
--- a/src/crypto/rsa/pss_test.go
+++ b/src/crypto/rsa/pss_test.go
@@ -12,7 +12,7 @@
 	_ "crypto/md5"
 	"crypto/rand"
 	"crypto/sha1"
-	_ "crypto/sha256"
+	"crypto/sha256"
 	"encoding/hex"
 	"math/big"
 	"os"
@@ -233,6 +233,24 @@
 	}
 }
 
+func TestSignWithPSSSaltLengthAuto(t *testing.T) {
+	key, err := GenerateKey(rand.Reader, 513)
+	if err != nil {
+		t.Fatal(err)
+	}
+	digest := sha256.Sum256([]byte("message"))
+	signature, err := key.Sign(rand.Reader, digest[:], &PSSOptions{
+		SaltLength: PSSSaltLengthAuto,
+		Hash:       crypto.SHA256,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(signature) == 0 {
+		t.Fatal("empty signature returned")
+	}
+}
+
 func bigFromHex(hex string) *big.Int {
 	n, ok := new(big.Int).SetString(hex, 16)
 	if !ok {

To view, visit change 302230. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward