pkcs7: add RSA-PSS support for SignedData #9742
Open
sameehj wants to merge 2 commits into wolfSSL:master from
Conversation
Force-pushed from c4749c5 to 38bcb07.
sameehj (Contributor, Author):
retest this please
Force-pushed from a4ff167 to 2f8e307.
sameehj (Contributor, Author):
retest this please
Force-pushed from 2f8e307 to 1185846.
sameehj (Contributor, Author):
retest this please
Force-pushed from cb9f6e4 to d4d412b.
Force-pushed from d4d412b to d0f84c8.
Copilot (Contributor) review:
Pull request overview
This PR adds CMS/PKCS#7 SignedData support for RSA-PSS (id-RSASSA-PSS) by encoding/decoding RSASSA-PSS-params and adding RSA-PSS sign/verify paths alongside existing RSA PKCS#1 v1.5 and ECDSA handling.
Changes:
- Add RSA-PSS signing and verification support in PKCS7 SignedData, including RSASSA-PSS parameter parsing/encoding.
- Fix/adjust ASN.1 helpers to support decoding RSA-PSS parameters in template/non-template builds and improve RSA public-key decode behavior.
- Add RSA-PSS API test coverage, documentation updates, and CI build coverage for WC_RSA_PSS.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/pkcs7.h | Adds fields to store decoded RSA-PSS params for verification. |
| wolfssl/wolfcrypt/asn.h | Declares internal helpers to encode/decode RSASSA-PSS params. |
| wolfcrypt/src/pkcs7.c | Implements RSA-PSS sign/verify paths and parses/encodes RSASSA-PSS AlgorithmIdentifier parameters. |
| wolfcrypt/src/asn.c | Implements manual RSASSA-PSS params parsing and adds RSASSA-PSS AlgorithmIdentifier encoding helper; adjusts ASN helpers/length handling. |
| wolfcrypt/src/aes.c | Adds Clang diagnostic push/pop around the file. |
| tests/api/test_pkcs7.h | Registers the new RSA-PSS SignedData API test behind feature guards. |
| tests/api/test_pkcs7.c | Adds test_wc_PKCS7_EncodeSignedData_RSA_PSS with encode + round-trip verify. |
| examples/configs/user_settings_pkcs7.h | Enables WC_RSA_PSS in the PKCS#7 config template. |
| examples/configs/README.md | Documents enabling RSA-PSS SignedData via WC_RSA_PSS. |
| doc/dox_comments/header_files/pkcs7.h | Adds doxygen reference for RSA-PSS usage. |
| doc/dox_comments/header_files/doxygen_pages.h | Adds a new doxygen page PKCS7_RSA_PSS. |
| doc/dox_comments/header_files/cryptocb.h | Documents crypto-callback behavior for RSA-PSS operations. |
| .wolfssl_known_macro_extras | Minor macro list adjustment. |
| .github/workflows/os-check.yml | Adds CI build variant enabling PKCS7 + WC_RSA_PSS. |
Force-pushed from 51eb550 to a0edf71.
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData encoding and verification. This change enables SignerInfo.signatureAlgorithm to use id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1, salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates (e.g. -173 invalid signature algorithm) and maintains backward compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
The revoked-cert verification check uses `echo "$var" | grep -q` to look for "revoked" or "error 23" in the openssl verify output. With `set -o pipefail`, when grep -q finds the pattern and exits early, echo may fail writing to the closed pipe (SIGPIPE/EPIPE, exit 141 or 1). pipefail reports the pipeline status as that non-zero code from echo, even though grep matched successfully. The `!` negation then treats this as success (pattern not found), causing the test to incorrectly report failure.

Replace echo|grep pipelines with bash [[ ]] glob pattern matching, which avoids pipes entirely and is immune to this interaction.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Force-pushed from a0edf71 to e29ff91.
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1, salt length), as required by RFC 4055 and CMS profiles.

Key changes:

This resolves failures when using RSA-PSS signer certificates (e.g. -173 invalid signature algorithm) and maintains backward compatibility with RSA PKCS#1 v1.5 and ECDSA.

Testing

test_wc_PKCS7_EncodeSignedData_RSA_PSS (guarded by HAVE_PKCS7, WC_RSA_PSS, RSA, filesystem, SHA-256). Uses certs/rsapss/client-rsapss.der and client-rsapss-priv.der; encodes SignedData and optionally round-trip verifies. os-check.yml updated with build --enable-pkcs7 CPPFLAGS=-DWC_RSA_PSS.

Checklist
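The RSASSA-PSS-params structure that the commit message and the description above say now goes into SignerInfo.signatureAlgorithm, worked through in stand-alone C as an added example. This is not wolfSSL code and calls none of its API; the function names pss_algid_encode, pss_algid_decode and pss_params_decode, and the MGF_MISMATCH sample bytes, are constructed for this illustration. It encodes the AlgorithmIdentifier for SHA-256 / MGF1-SHA-256 / saltLength 32 per RFC 4055 section 3.1, omitting fields equal to their DEFAULT as DER requires, decodes it back, and shows the two checks a verifier should make beyond "is it well-formed": the MGF1 hash must match hashAlgorithm and trailerField must be 1.

```c
/* Added example (not wolfSSL code): DER encode/decode of the RSASSA-PSS
 * AlgorithmIdentifier from RFC 4055 s3.1, as carried in SignerInfo.signatureAlgorithm. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HASH_UNKNOWN = 0, HASH_SHA1 = 1, HASH_SHA256 = 2 };
typedef struct { int hash, mgf_hash, salt_len, trailer; } pss_params;

static const uint8_t OID_SHA1[]   = {0x2B,0x0E,0x03,0x02,0x1A};                     /* 1.3.14.3.2.26 */
static const uint8_t OID_SHA256[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01}; /* 2.16.840.1.101.3.4.2.1 */
static const uint8_t OID_MGF1[]   = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08}; /* 1.2.840.113549.1.1.8 */
static const uint8_t OID_PSS[]    = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A}; /* 1.2.840.113549.1.1.10 */

/* Constructed sample: hashAlgorithm SHA-256 but MGF1 over SHA-1, saltLength 32.
 * Well-formed DER that a verifier must still reject (hash/MGF mismatch). */
static const uint8_t MGF_MISMATCH[] = {
    0x30,0x30, 0xA0,0x0F,0x30,0x0D,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,
    0xA1,0x18,0x30,0x16,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08,
    0x30,0x09,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x05,0x00, 0xA2,0x03,0x02,0x01,0x20 };

/* Parse one TLV header; rejects truncation and non-minimal lengths (> 255 never occurs here). */
static int tlv(const uint8_t *in, size_t len, uint8_t *tag, size_t *hdr, size_t *clen)
{
    size_t l;
    if (len < 2) return -1;
    *tag = in[0];
    if (in[1] < 0x80) { l = in[1]; *hdr = 2; }
    else if (in[1] == 0x81 && len >= 3 && in[2] >= 0x80) { l = in[2]; *hdr = 3; }
    else return -1;
    if (l > len - *hdr) return -1;
    *clen = l;
    return 0;
}

static int hash_from_oid(const uint8_t *p, size_t n)
{
    if (n == sizeof OID_SHA1 && !memcmp(p, OID_SHA1, n)) return HASH_SHA1;
    if (n == sizeof OID_SHA256 && !memcmp(p, OID_SHA256, n)) return HASH_SHA256;
    return HASH_UNKNOWN;
}

/* HashAlgorithm ::= AlgorithmIdentifier with absent or NULL parameters (RFC 4055 s2.1). */
static int parse_hash_alg(const uint8_t *p, size_t n)
{
    uint8_t tag; size_t hdr, clen; int h;
    if (tlv(p, n, &tag, &hdr, &clen) || tag != 0x30 || hdr + clen != n) return -1;
    p += hdr; n = clen;
    if (tlv(p, n, &tag, &hdr, &clen) || tag != 0x06) return -1;
    h = hash_from_oid(p + hdr, clen);
    p += hdr + clen; n -= hdr + clen;
    if (n != 0 && !(n == 2 && p[0] == 0x05 && p[1] == 0x00)) return -1;
    return h == HASH_UNKNOWN ? -1 : h;
}

/* Decode RSASSA-PSS-params. 0 = ok, -1 = malformed/unsupported, -2 = well-formed
 * but violates RFC 4055 (MGF hash differs from hashAlgorithm, or trailerField != 1).
 * Explicitly encoded DEFAULT values are tolerated on input. */
int pss_params_decode(const uint8_t *in, size_t len, pss_params *out)
{
    uint8_t tag; size_t hdr, clen; int next = 0;
    out->hash = HASH_SHA1; out->mgf_hash = HASH_SHA1; out->salt_len = 20; out->trailer = 1; /* DEFAULTs */
    if (tlv(in, len, &tag, &hdr, &clen) || tag != 0x30 || hdr + clen != len) return -1;
    in += hdr; len = clen;
    while (len) {
        const uint8_t *c; int idx;
        if (tlv(in, len, &tag, &hdr, &clen) || tag < 0xA0 || tag > 0xA3) return -1;
        idx = tag - 0xA0;
        if (idx < next) return -1;          /* [0]..[3] must appear in order, at most once */
        next = idx + 1; c = in + hdr;
        if (idx == 0) {
            if ((out->hash = parse_hash_alg(c, clen)) < 0) return -1;
        } else if (idx == 1) {              /* MaskGenAlgorithm ::= SEQUENCE { id-mgf1, HashAlgorithm } */
            uint8_t t; size_t h, m, rem; const uint8_t *q;
            if (tlv(c, clen, &t, &h, &m) || t != 0x30 || h + m != clen) return -1;
            q = c + h; rem = m;
            if (tlv(q, rem, &t, &h, &m) || t != 0x06 || m != sizeof OID_MGF1 || memcmp(q + h, OID_MGF1, m)) return -1;
            if ((out->mgf_hash = parse_hash_alg(q + h + m, rem - h - m)) < 0) return -1;
        } else {                            /* saltLength / trailerField: small non-negative INTEGER */
            int v = 0; size_t i;
            if (clen < 3 || clen > 4 || c[0] != 0x02 || c[1] != clen - 2 || (c[2] & 0x80)) return -1;
            for (i = 2; i < clen; i++) v = (v << 8) | c[i];
            if (idx == 2) out->salt_len = v; else out->trailer = v;
        }
        in += hdr + clen; len -= hdr + clen;
    }
    return (out->mgf_hash != out->hash || out->trailer != 1) ? -2 : 0;
}

/* Decode a whole AlgorithmIdentifier; anything that is not id-RSASSA-PSS is rejected. */
int pss_algid_decode(const uint8_t *in, size_t len, pss_params *out)
{
    uint8_t tag; size_t hdr, clen;
    if (tlv(in, len, &tag, &hdr, &clen) || tag != 0x30 || hdr + clen != len) return -1;
    in += hdr; len = clen;
    if (tlv(in, len, &tag, &hdr, &clen) || tag != 0x06 || clen != sizeof OID_PSS || memcmp(in + hdr, OID_PSS, clen)) return -1;
    return pss_params_decode(in + hdr + clen, len - hdr - clen, out);
}

static size_t put(uint8_t *o, uint8_t tag, const uint8_t *body, size_t n)
{   /* short-form length only; callers never exceed 127 bytes */
    o[0] = tag; o[1] = (uint8_t)n; memcpy(o + 2, body, n); return n + 2;
}

/* Encode AlgorithmIdentifier { id-RSASSA-PSS, RSASSA-PSS-params } for hash / MGF1-hash / salt.
 * Fields equal to their DEFAULT (SHA-1, MGF1-SHA-1, 20, 1) are omitted as DER requires.
 * Returns bytes written, or -1 on unsupported hash, salt > 127 or a too-small buffer. */
int pss_algid_encode(int hash, int salt_len, uint8_t *out, size_t cap)
{
    const uint8_t *oid; size_t oidlen, hn, mn, pn = 0, bn, tn;
    uint8_t tmp[32], hashalg[16], mgf[32], params[64], body[80], s;
    if (hash == HASH_SHA1) { oid = OID_SHA1; oidlen = sizeof OID_SHA1; }
    else if (hash == HASH_SHA256) { oid = OID_SHA256; oidlen = sizeof OID_SHA256; }
    else return -1;
    if (salt_len < 0 || salt_len > 127) return -1;
    tn = put(tmp, 0x06, oid, oidlen); tmp[tn++] = 0x05; tmp[tn++] = 0x00;   /* OID + NULL params */
    hn = put(hashalg, 0x30, tmp, tn);
    tn = put(tmp, 0x06, OID_MGF1, sizeof OID_MGF1); memcpy(tmp + tn, hashalg, hn); tn += hn;
    mn = put(mgf, 0x30, tmp, tn);
    if (hash != HASH_SHA1) { pn += put(params + pn, 0xA0, hashalg, hn); pn += put(params + pn, 0xA1, mgf, mn); }
    if (salt_len != 20) { s = (uint8_t)salt_len; tn = put(tmp, 0x02, &s, 1); pn += put(params + pn, 0xA2, tmp, tn); }
    bn = put(body, 0x06, OID_PSS, sizeof OID_PSS);
    bn += put(body + bn, 0x30, params, pn);
    if (cap < bn + 2) return -1;
    return (int)put(out, 0x30, body, bn);
}

int main(void)
{
    uint8_t buf[80]; pss_params p; int n, i;
    n = pss_algid_encode(HASH_SHA256, 32, buf, sizeof buf);
    for (i = 0; i < n; i++) printf("%02X", buf[i]);
    printf("\ndecode=%d hash=%d mgf=%d salt=%d trailer=%d\n",
           pss_algid_decode(buf, (size_t)n, &p), p.hash, p.mgf_hash, p.salt_len, p.trailer);
    printf("mgf-mismatch sample: %d\n", pss_params_decode(MGF_MISMATCH, sizeof MGF_MISMATCH, &p));
    return 0;
}
```

A CMS verifier takes the digest algorithm and salt length from the decoded params (falling back to the SHA-1 / 20 defaults only when the fields are absent) and, as the commit message says for ECDSA, hands the raw message digest to the PSS verify rather than a DigestInfo structure; the explicit field checks above are what turn a wrong or inconsistent algorithm into a clean rejection instead of an opaque signature failure.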