From b55c51f14a48fd6f77987dae993b39600d2fdb51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?=
 <tomasagustin.gonzalezorlando@arm.com>
Date: Wed, 8 May 2024 16:43:23 +0100
Subject: [PATCH] Change PKCS_RSA_PSS_SHA256 salt_len to 32
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default salt_len value for RSA PSS SHA256 is the current value,
20.
However, the only application that we currently know can use the
generated RSA PSS CSRs is Parsec https://github.com/parallaxsecond/parsec
which requires a salt length of 32 to work with OPENSSL.

 * Change this value to 32 to be compatible with Parsec.

On this topic, the spec states:
"When signing, it is RECOMMENDED that the parameters, except for
possibly saltLength, remain fixed for all usages of a given RSA key
pair"; and this is the value we are changing.

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
---
 rcgen/src/sign_algo.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs
index 3fe8a0b6..12e698c0 100644
--- a/rcgen/src/sign_algo.rs
+++ b/rcgen/src/sign_algo.rs
@@ -160,7 +160,7 @@ pub(crate) mod algo {
 		params: SignatureAlgorithmParams::RsaPss {
 			// id-sha256 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1
 			hash_algorithm: &[2, 16, 840, 1, 101, 3, 4, 2, 1],
-			salt_length: 20,
+			salt_length: 32,
 		},
 	};