
I have a public key, a message and a signature. I want to verify that the signature is correct using the SHA-384/PSS signer from PointyCastle.

I managed to build something, but the signature verification fails, and I suppose it is because of the salt parameter, which I don't know how to build/create.

  var rsaPublicKey = RSAPublicKey.fromPEM(publicKey);

  final signer = Signer('SHA-384/PSS');
  AsymmetricKeyParameter<RSAAsymmetricKey> keyParams =
      PublicKeyParameter<RSAPublicKey>(rsaPublicKey.asPointyCastle);
  signer.init(
    false,
    ParametersWithSalt(keyParams, Uint8List()), // THIS is the salt 
  );
  final sig = PSSSignature(base64Decode(signature));

  final verified = signer.verifySignature(
    Uint8List.fromList(message.codeUnits),
    sig,
  );

I'm not sure what to pass as the second parameter of `ParametersWithSalt(keyParams, Uint8List())`, which is needed to initialise the signer.

Any hint is highly appreciated.

Gyuri Majercsik
  • It seems to me that [`PSSSigner`](https://pub.dev/documentation/pointycastle/latest/impl.signer.pss_signer/PSSSigner-class.html) has a lot more properties to play around with, for instance you can set the mgf1 hash within the constructor. The salt doesn't need to be specified for the verifier if I remember correctly, so directly using `keyParams` would make more sense. – Maarten Bodewes Jun 04 '21 at 16:05
  • In PSS, not the salt, but only the salt length is a PSS parameter. Nevertheless, both `Signer` and `PSSSigner` require a salt via `init()`. `init()` accepts for PSS only `ParametersWithSalt()` and `ParametersWithSaltConfiguration()`. The latter does not require a salt though, only a salt length, but is not accepted for verification. Unfortunately, I haven’t found a PointyCastle/PSS example in the documentation (and on the web) _without_ salt specification. Maybe there is a way to verify a PSS signature without salt specification that's just hard to find, but maybe it's just wrongly designed. – Topaco Jun 05 '21 at 11:30
  • The salt is included in the signature, so if you have to explicitly give it to the verifier then something is very wrong. – Maarten Bodewes Jun 06 '21 at 01:40
  • @Topaco, Maarten, thanks for the input. Actually, there is a Flutter plugin doing this: https://pub.dev/packages/fast_rsa . It does not require any salt for verification. I wanted to replace it in order to write unit tests which actually do the verification. I cannot do this with fast_rsa because it has only Android and iOS implementations. – Gyuri Majercsik Jun 06 '21 at 18:25
