pkcs7: add RSA-PSS support for SignedData

Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

.github/workflows/os-check.yml

@@ -53,6 +53,8 @@ jobs:
           '--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
           '--enable-opensslall --enable-opensslextra
             CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
+          # PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)
+          '--enable-pkcs7 CPPFLAGS=-DWC_RSA_PSS',
           '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
           '--enable-opensslextra=x509small',
           'CPPFLAGS=''-DWOLFSSL_EXTRA'' ',

doc/dox_comments/header_files/cryptocb.h

@@ -52,6 +52,18 @@
                 }
             }
         #endif
+        #if defined(WC_RSA_PSS) && !defined(NO_RSA)
+            if (info->pk.type == WC_PK_TYPE_RSA_PSS) {
+                /* RSA-PSS sign/verify (e.g. PKCS#7 SignedData, X.509).
+                 * Uses info->pk.rsa (in/inLen = digest, out/outLen = signature,
+                 * key, rng). With WOLF_CRYPTO_CB_RSA_PAD, info->pk.rsa.padding
+                 * supplies hash and salt length. */
+                ret = wc_RsaFunction(info->pk.rsa.in, info->pk.rsa.inLen,
+                    info->pk.rsa.out, info->pk.rsa.outLen, info->pk.rsa.type,
+                    info->pk.rsa.key, info->pk.rsa.rng);
+                break;
+            }
+        #endif
         #ifdef HAVE_ECC
             if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
                 // ECDSA

doc/dox_comments/header_files/doxygen_pages.h

@@ -51,6 +51,7 @@
         <li>\ref MD5</li>
         <li>\ref Password</li>
         <li>\ref PKCS7</li>
+        <li>\ref PKCS7_RSA_PSS</li>
         <li>\ref PKCS11</li>
         <li>\ref Poly1305</li>
         <li>\ref RIPEMD</li>
@@ -97,4 +98,13 @@
     \sa wc_CryptoCb_AesSetKey
     \sa \ref Crypto Callbacks
 */
+/*!
+    \page PKCS7_RSA_PSS PKCS#7 RSA-PSS (CMS)
+    PKCS#7 SignedData supports RSA-PSS signers (CMS RSASSA-PSS). When WC_RSA_PSS
+    is defined, use wc_PKCS7_InitWithCert with a signer certificate that has
+    RSA-PSS (id-RSASSA-PSS) and set hashOID and optional rng; encode produces
+    full RSASSA-PSS-params (hashAlgorithm, mgfAlgorithm, saltLength,
+    trailerField). Verify accepts NULL, empty, or absent parameters with
+    RFC defaults. See \ref PKCS7 for the main API.
+*/
 

doc/dox_comments/header_files/pkcs7.h

@@ -147,7 +147,7 @@ int  wc_PKCS7_EncodeData(wc_PKCS7* pkcs7, byte* output,
 
     \brief This function builds the PKCS7 signed data content type, encoding
     the PKCS7 structure into a buffer containing a parsable PKCS7
-    signed data packet.
+    signed data packet. For RSA-PSS signers (WC_RSA_PSS), see \ref PKCS7_RSA_PSS.
 
     \return Success On successfully encoding the PKCS7 data into the buffer,
     returns the index parsed up to in the PKCS7 structure. This index also

examples/configs/README.md

@@ -23,7 +23,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 * `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.
 * `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint.
 * `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites.
-* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing.
+* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing. For RSA-PSS SignedData (CMS RSASSA-PSS), define `WC_RSA_PSS`; see doxygen \ref PKCS7_RSA_PSS.
 * `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP.
 * `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS).
 * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate.

examples/configs/user_settings_pkcs7.h

@@ -115,6 +115,7 @@ extern "C" {
     #undef NO_RSA
     #define WOLFSSL_KEY_GEN
     #define WC_RSA_NO_PADDING
+    #define WC_RSA_PSS  /* RSA-PSS SignedData (id-RSASSA-PSS); see PKCS7_RSA_PSS */
 #else
     #define NO_RSA
 #endif

tests/api/test_pkcs7.c

@@ -947,6 +947,92 @@ int test_wc_PKCS7_EncodeSignedData(void)
 } /* END test_wc_PKCS7_EncodeSignedData */
 
 
+/*
+ * Testing wc_PKCS7_EncodeSignedData() with RSA-PSS signer certificate.
+ * Uses certs/rsapss/client-rsapss.der and client-rsapss-priv.der.
+ * Requires both encode and round-trip verify to succeed.
+ */
+#if defined(HAVE_PKCS7) && defined(WC_RSA_PSS) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM) && !defined(NO_SHA256)
+int test_wc_PKCS7_EncodeSignedData_RSA_PSS(void)
+{
+    EXPECT_DECLS;
+    PKCS7*    pkcs7 = NULL;
+    WC_RNG    rng;
+    byte      output[FOURK_BUF];
+    byte      cert[FOURK_BUF];
+    byte      key[FOURK_BUF];
+    word32    outputSz = (word32)sizeof(output);
+    word32    certSz = 0;
+    word32    keySz = 0;
+    XFILE     fp = XBADFILE;
+    byte      data[] = "Test data for RSA-PSS SignedData.";
+
+    XMEMSET(&rng, 0, sizeof(WC_RNG));
+    XMEMSET(output, 0, outputSz);
+    XMEMSET(cert, 0, sizeof(cert));
+    XMEMSET(key, 0, sizeof(key));
+
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+    ExpectIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
+
+    ExpectTrue((fp = XFOPEN("./certs/rsapss/client-rsapss.der", "rb")) != XBADFILE);
+    ExpectIntGT(certSz = (word32)XFREAD(cert, 1, sizeof(cert), fp), 0);
+    if (fp != XBADFILE) {
+        XFCLOSE(fp);
+        fp = XBADFILE;
+    }
+
+    ExpectTrue((fp = XFOPEN("./certs/rsapss/client-rsapss-priv.der", "rb")) != XBADFILE);
+    ExpectIntGT(keySz = (word32)XFREAD(key, 1, sizeof(key), fp), 0);
+    if (fp != XBADFILE)
+        XFCLOSE(fp);
+
+    ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
+
+#ifdef WC_RSA_PSS
+    /* Force RSA-PSS so SignerInfo uses id-RSASSA-PSS (cert may use RSA in subjectPublicKeyInfo) */
+    pkcs7->publicKeyOID = RSAPSSk;
+#endif
+
+    pkcs7->content       = data;
+    pkcs7->contentSz     = (word32)sizeof(data);
+    pkcs7->contentOID    = DATA;
+    pkcs7->hashOID       = SHA256h;
+    pkcs7->encryptOID    = RSAk;
+    pkcs7->privateKey    = key;
+    pkcs7->privateKeySz  = keySz;
+    pkcs7->rng           = &rng;
+    pkcs7->signedAttribs = NULL;
+    pkcs7->signedAttribsSz = 0;
+
+    /* EncodeSignedData with RSA-PSS cert: require encode and verify success */
+    {
+        int outLen = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
+        ExpectIntGT(outLen, 0);
+        if (outLen > 0) {
+            int verifyRet = wc_PKCS7_VerifySignedData(pkcs7, output, (word32)outLen);
+            ExpectIntEQ(verifyRet, 0);
+
+            /* Verify decoded RSASSA-PSS parameters match what we encoded:
+             *   hashAlgorithm  = SHA-256
+             *   maskGenAlgorithm = MGF1-SHA-256
+             *   saltLength     = 32 (== SHA-256 digest length) */
+            ExpectIntEQ(pkcs7->pssHashType, (int)WC_HASH_TYPE_SHA256);
+            ExpectIntEQ(pkcs7->pssMgf, WC_MGF1SHA256);
+            ExpectIntEQ(pkcs7->pssSaltLen, 32);
+        }
+    }
+
+    wc_PKCS7_Free(pkcs7);
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+
+    return EXPECT_RESULT();
+} /* END test_wc_PKCS7_EncodeSignedData_RSA_PSS */
+#endif
+
+
 /*
  * Testing wc_PKCS7_EncodeSignedData_ex() and wc_PKCS7_VerifySignedData_ex()
  */

tests/api/test_pkcs7.h

@@ -29,6 +29,10 @@ int test_wc_PKCS7_Init(void);
 int test_wc_PKCS7_InitWithCert(void);
 int test_wc_PKCS7_EncodeData(void);
 int test_wc_PKCS7_EncodeSignedData(void);
+#if defined(HAVE_PKCS7) && defined(WC_RSA_PSS) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM) && !defined(NO_SHA256)
+int test_wc_PKCS7_EncodeSignedData_RSA_PSS(void);
+#endif
 int test_wc_PKCS7_EncodeSignedData_ex(void);
 int test_wc_PKCS7_VerifySignedData_RSA(void);
 int test_wc_PKCS7_VerifySignedData_ECC(void);
@@ -55,10 +59,19 @@ int test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq(void);
     TEST_DECL_GROUP("pkcs7", test_wc_PKCS7_New),                \
     TEST_DECL_GROUP("pkcs7", test_wc_PKCS7_Init)
 
+#if defined(HAVE_PKCS7) && defined(WC_RSA_PSS) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM) && !defined(NO_SHA256)
+#define TEST_PKCS7_RSA_PSS_SD_DECL \
+    TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_EncodeSignedData_RSA_PSS),
+#else
+#define TEST_PKCS7_RSA_PSS_SD_DECL
+#endif
+
 #define TEST_PKCS7_SIGNED_DATA_DECLS                                    \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_InitWithCert),            \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_EncodeData),              \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_EncodeSignedData),        \
+    TEST_PKCS7_RSA_PSS_SD_DECL                                           \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_EncodeSignedData_ex),     \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_RSA),    \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_ECC),    \

wolfcrypt/src/aes.c

@@ -47,6 +47,11 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
 
 #include <wolfssl/wolfcrypt/aes.h>
 
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wlanguage-extension-token"
+#endif
+
 #ifdef WOLFSSL_AESNI
 #include <wmmintrin.h>
 #include <emmintrin.h>
@@ -17141,5 +17146,8 @@ int wc_AesCtsDecryptFinal(Aes* aes, byte* out, word32* outSz)
 
 #endif /* WOLFSSL_AES_CTS */
 
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#endif
 
 #endif /* !NO_AES */