fix: use correct salt length for RSASSA-PSS

https://tools.ietf.org/html/rfc7518 section 3.5 states that the size of
the salt value is the same size as the hash function output.

This is to accomodate that requirement and achieve interop with other
conform implementations. This also prompted enforcing the proper key
sizes.

lib/jwa/index.js

@@ -13,6 +13,7 @@ const JWA = {
 require('./hmac')(JWA)
 require('./ecdsa')(JWA)
 require('./rsassa')(JWA)
+require('./rsassa_pss')(JWA)
 
 // encrypt, decrypt
 require('./aes_cbc_hmac_sha2')(JWA)

lib/jwa/rsassa.js

@@ -1,51 +1,39 @@
 const { strict: assert } = require('assert')
-const { createSign, createVerify, constants } = require('crypto')
+const { createSign, createVerify } = require('crypto')
 
 const { KEYOBJECT } = require('../help/symbols')
 
 const resolveNodeAlg = (alg) => {
  switch (alg) {
- case 'PS256':
  case 'RS256':
  return 'RSA-SHA256'
- case 'PS384':
  case 'RS384':
  return 'RSA-SHA384'
- case 'PS512':
  case 'RS512':
  return 'RSA-SHA512'
  }
 }
 
-const resolvePadding = (alg) => {
- if (alg.startsWith('RS')) {
- return constants.RSA_PKCS1_PADDING
- }
-
- return constants.RSA_PKCS1_PSS_PADDING
-}
-
-const sign = (nodeAlg, padding, { [KEYOBJECT]: keyObject }, payload) => {
+const sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
  const sign = createSign(nodeAlg)
  sign.update(payload)
- return sign.sign({ key: keyObject, padding })
+ return sign.sign(keyObject)
 }
 
-const verify = (nodeAlg, padding, { [KEYOBJECT]: keyObject }, payload, signature) => {
+const verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
  const verify = createVerify(nodeAlg)
  verify.update(payload)
- return verify.verify({ key: keyObject, padding }, signature)
+ return verify.verify(keyObject, signature)
 }
 
 module.exports = (JWA) => {
- ['PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512'].forEach((jwaAlg) => {
+ ['RS256', 'RS384', 'RS512'].forEach((jwaAlg) => {
  const nodeAlg = resolveNodeAlg(jwaAlg)
- const padding = resolvePadding(jwaAlg)
 
  assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
  assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
 
- JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg, padding))
- JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg, padding))
+ JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg))
+ JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg))
  })
 }

lib/jwa/rsassa_pss.js

@@ -0,0 +1,49 @@
+const { strict: assert } = require('assert')
+const { createSign, createVerify, constants } = require('crypto')
+
+const { KEYOBJECT } = require('../help/symbols')
+
+const resolveNodeAlg = (alg) => {
+ switch (alg) {
+ case 'PS256':
+ return 'RSA-SHA256'
+ case 'PS384':
+ return 'RSA-SHA384'
+ case 'PS512':
+ return 'RSA-SHA512'
+ }
+}
+
+const sign = (nodeAlg, { [KEYOBJECT]: keyObject, length }, payload) => {
+ const sign = createSign(nodeAlg)
+ sign.update(payload)
+
+ return sign.sign({
+ key: keyObject,
+ padding: constants.RSA_PKCS1_PSS_PADDING,
+ saltLength: constants.RSA_PSS_SALTLEN_DIGEST
+ })
+}
+
+const verify = (nodeAlg, { [KEYOBJECT]: keyObject, length }, payload, signature) => {
+ const verify = createVerify(nodeAlg)
+ verify.update(payload)
+
+ return verify.verify({
+ key: keyObject,
+ padding: constants.RSA_PKCS1_PSS_PADDING,
+ saltLength: constants.RSA_PSS_SALTLEN_DIGEST
+ }, signature)
+}
+
+module.exports = (JWA) => {
+ ['PS256', 'PS384', 'PS512'].forEach((jwaAlg) => {
+ const nodeAlg = resolveNodeAlg(jwaAlg)
+
+ assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
+ assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
+
+ JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg))
+ JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg))
+ })
+}