PSS code question

Daiki Ueno ueno at
Thu Jun 9 15:23:13 CEST 2011

Werner Koch <wk at> writes:

> Is there a reason why you use (ctx->nbits - 1) when passing the size of
> the key to the OAEP and PSS functions?  The functions round them to full
> bytes anyway but there at least in PSS some leading bits are cleared
> depending on the number of bits (i.e. if not a multiple of 8).

For PSS, that is defined in RFC3447 8.1.1:

         EM = EMSA-PSS-ENCODE (M, modBits - 1).

      Note that the octet length of EM will be one less than k if
      modBits - 1 is divisible by 8 and equal to k otherwise.

IIUC, this is necessary to make sure EM is smaller than RSA modulus n.

Daiki Ueno

More information about the Gcrypt-devel mailing list