fix: Make OpenSSL code path enforce COSE specified salt length (#1376)

mauricefisher64 · web-flow · commit 74bb71d2c68d · 2025-09-04T16:49:18.000-04:00
Make OpenSSL code path enforce Cose specified salt length.
diff --git a/sdk/src/crypto/raw_signature/openssl/validators/rsa_validator.rs b/sdk/src/crypto/raw_signature/openssl/validators/rsa_validator.rs
@@ -15,7 +15,7 @@ use openssl::{
     hash::MessageDigest,
     pkey::PKey,
     rsa::{Padding, Rsa},
-    sign::Verifier,
+    sign::{RsaPssSaltlen, Verifier},
 };
 
 use crate::crypto::raw_signature::{
@@ -58,21 +58,23 @@ impl RawSignatureValidator for RsaValidator {
                 let mut verifier = Verifier::new(MessageDigest::sha256(), &public_key)?;
                 verifier.set_rsa_padding(Padding::PKCS1_PSS)?;
                 verifier.set_rsa_mgf1_md(MessageDigest::sha256())?;
+                verifier.set_rsa_pss_saltlen(RsaPssSaltlen::DIGEST_LENGTH)?;
                 verifier
             }
 
             Self::Ps384 => {
                 let mut verifier = Verifier::new(MessageDigest::sha384(), &public_key)?;
                 verifier.set_rsa_padding(Padding::PKCS1_PSS)?;
                 verifier.set_rsa_mgf1_md(MessageDigest::sha384())?;
-
+                verifier.set_rsa_pss_saltlen(RsaPssSaltlen::DIGEST_LENGTH)?;
                 verifier
             }
 
             Self::Ps512 => {
                 let mut verifier = Verifier::new(MessageDigest::sha512(), &public_key)?;
                 verifier.set_rsa_padding(Padding::PKCS1_PSS)?;
                 verifier.set_rsa_mgf1_md(MessageDigest::sha512())?;
+                verifier.set_rsa_pss_saltlen(RsaPssSaltlen::DIGEST_LENGTH)?;
                 verifier
             }
         };
