Commit

Change PKCS_RSA_PSS_SHA256 salt_len to 32
The default salt_len value for RSA PSS SHA256 is the current value,
20.
However, the only application that we currently know can use the
generated RSA PSS CSRs is Parsec https://github.com/parallaxsecond/parsec
which requires a salt length of 32 to work with OPENSSL.

 * Change this value to 32 to be compatible with Parsec.

On this topic, the spec states:
"When signing, it is RECOMMENDED that the parameters, except for
possibly saltLength, remain fixed for all usages of a given RSA key
pair"; and this is the value we are changing.

Signed-off-by: Tomás González <[email protected]>
tgonzalezorlandoarm committed May 8, 2024
1 parent cf26b59 commit b55c51f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rcgen/src/sign_algo.rs
Expand Up @@ -160,7 +160,7 @@ pub(crate) mod algo {
params: SignatureAlgorithmParams::RsaPss {
// id-sha256 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1
hash_algorithm: &[2, 16, 840, 1, 101, 3, 4, 2, 1],
salt_length: 20,
salt_length: 32,
},
};
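Review bot: the new `salt_length: 32` literal has no comment explaining the value, unlike the `hash_algorithm` line directly above it, which cites RFC 4055. Suggest a short comment saying that 32 is the SHA-256 digest length in bytes and that it was chosen for interoperability, so a later reader does not change it back to 20. Because this field sits in `SignatureAlgorithmParams::RsaPss` and is therefore what the CSR declares, please also confirm that the signer really produces a 32-byte salt, ideally with a test that verifies a generated CSR, so the declared salt length and the signature agree.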

