From dca66cd8034204831a3876388d07b70c8ca1d327 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Wed, 10 Jan 2024 17:03:53 -0800
Subject: [PATCH] Allow rsa.PSSSaltLengthEqualsHash as option

This commit adds support to the salt length set to
rsa.PSSSaltLengthEqualsHash when signing with an RSA key. This is
currently supported, but the user must sspecify the length to the digest
size.

Adding rsa.PSSSaltLengthEqualsHash allows using a key generated by the
TPM for TLS client authentication, Go will set this option by default
if an RSA key is used.

Signed-off-by: Mariano Cano <mariano.cano@gmail.com>
---
 attest/application_key_test.go | 12 ++++++++++++
 attest/wrapped_tpm20.go        |  4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/attest/application_key_test.go b/attest/application_key_test.go
index 466bd3af..c2ccb806 100644
--- a/attest/application_key_test.go
+++ b/attest/application_key_test.go
@@ -288,6 +288,18 @@ func testKeySign(t *testing.T, tpm *TPM) {
 			},
 			digest: []byte("1234567890123456789012345678901212345678901234567890123456789012"),
 		},
+		{
+			name: "RSA2048-PSS-SHA256, PSSSaltLengthEqualsHash",
+			keyOpts: &KeyConfig{
+				Algorithm: RSA,
+				Size:      2048,
+			},
+			signOpts: &rsa.PSSOptions{
+				SaltLength: rsa.PSSSaltLengthEqualsHash,
+				Hash:       crypto.SHA256,
+			},
+			digest: []byte("12345678901234567890123456789012"),
+		},
 		{
 			name: "RSA2048-PSS-SHA256, explicit salt len",
 			keyOpts: &KeyConfig{
diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go
index 1468c1bd..a43e2260 100644
--- a/attest/wrapped_tpm20.go
+++ b/attest/wrapped_tpm20.go
@@ -652,8 +652,8 @@ func signRSA(rw io.ReadWriter, key tpmutil.Handle, digest []byte, opts crypto.Si
 	}
 
 	if pss, ok := opts.(*rsa.PSSOptions); ok {
-		if pss.SaltLength != rsa.PSSSaltLengthAuto && pss.SaltLength != len(digest) {
-			return nil, fmt.Errorf("PSS salt length %d is incorrect, expected rsa.PSSSaltLengthAuto or %d", pss.SaltLength, len(digest))
+		if pss.SaltLength != rsa.PSSSaltLengthAuto && pss.SaltLength != rsa.PSSSaltLengthEqualsHash && pss.SaltLength != len(digest) {
+			return nil, fmt.Errorf("PSS salt length %d is incorrect, expected rsa.PSSSaltLengthAuto, rsa.PSSSaltLengthEqualsHash or %d", pss.SaltLength, len(digest))
 		}
 		scheme.Alg = tpm2.AlgRSAPSS
 	}