104080 custom rsapss salt length

[henning-krause]

Added support for custom PSS salt length for RSA based signature operations. Resolves #104080.

With this PR, I have extended the RsaSignaturePadding class with a custom salt length as discussed in #104080. I've also updated the CmsSigner and the CertificateRequest class to support this.

CoseSigner did not need functionality updates, because the spec does not support custom salt length. I have added checks to prevent this to be configured on the CoseSigner.

Tests where either added or updated to test the new functionality.

All RSA implementations which support this (MAC doesn't seem to support this) were updated.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull Request Overview

This pull request adds support for custom PSS salt length for RSA-based signature operations. The implementation extends the RSASignaturePadding class with a new CreatePss(int saltLength) method and updates related cryptographic components to utilize custom salt lengths.

Key changes include:

• Extended RSASignaturePadding to support custom PSS salt lengths with new constants and factory method
• Updated all RSA implementation backends (OpenSSL, CNG, BCrypt, etc.) to handle custom salt lengths
• Added comprehensive test coverage for various salt length scenarios
• Updated high-level APIs like CmsSigner and CertificateRequest to support the new functionality

Reviewed Changes

Copilot reviewed 40 out of 41 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.h	Added pssSaltLength parameter to RSA sign/verify functions
src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c	Implemented custom salt length support in OpenSSL backend
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSASignaturePadding.cs	Added CreatePss method, PssSaltLength property, and related constants
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs	Updated to use custom salt lengths from padding configuration
src/libraries/Common/src/System/Security/Cryptography/RsaPaddingProcessor.cs	Modified PSS encoding/verification to accept custom salt lengths
src/libraries/Common/src/System/Security/Cryptography/RsaPaddingProcessor.DigestInfo.cs	Added salt length calculation logic and moved digest info constants
src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/RSAPssX509SignatureGeneratorTests.cs	Added comprehensive tests for custom PSS salt lengths
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs	Updated validation to accept any PSS mode padding
src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseSigner.cs	Added validation to prevent custom salt lengths in COSE

[vcsjones]

This is tricky. Right now, .NET 10 is "done". Technically this work will go in for .NET 11. However, the runtime and SDK are not "bumped" to .NET 11 yet so #if NET11_0_OR_GREATER doesn't exist. We might need to wait for this work until #118583 is complete.

[bartonjs]

I've made it about halfway, but have to disappear for a bit, so posting what I've already seen.

[bartonjs]

The exception says the padding "mode" is invalid. Which isn't the case here. The "mode" is PSS, which is valid. So we probably want a new message for the salt size being gibberish (and yet a different one for "that doesn't work here")

[henning-krause]

@bartonjs Given that I followed the suggestion by @vcsjones and implemented validation logic on the RSASignaturePadding.CreatePss method, I think we can't run into this any more. Would it be sufficient to put in a Debug.Assert?

[bartonjs]

Yeah, an assert here is fine given the throw there.

[bartonjs]

Should this also allow a custom value that happens to match?

[bartonjs]

Whether we allow it, or not, there should be a test using 32 (matching SHA256).

[bartonjs]

This is a bit big for InlineData, probably should change to a MemberData using a couple of loops for enhanced legibility.

[bartonjs]

Comment is out of date.

[bartonjs]

Comment is out of date.

[bartonjs]

SHA-1 used to be tested here. And the code doing it is still here. The coverage shouldn't be lost.

[bartonjs]

So why isn't 0 included in the InlineData then?

[bartonjs]

Nit: too many blank lines

Suggested change

	}
	[Theory]
	}
	[Theory]

[bartonjs]

Many uses of var here that are against style guidelines. If you want to keep them when it's permitted, you can, but I'd just change all of them to specify the type.

[bartonjs]

Blank lines before control flow is preferred

Suggested change

	var saltTag = new Asn1Tag(TagClass.ContextSpecific, 2, true);
	if (pssStructure.HasData && pssStructure.PeekTag().HasSameClassAndValue(saltTag))
	var saltTag = new Asn1Tag(TagClass.ContextSpecific, 2, true);
	if (pssStructure.HasData && pssStructure.PeekTag().HasSameClassAndValue(saltTag))

[bartonjs]

Public method requires documentation