PSS code question
ueno at unixuser.org
Thu Jun 9 15:23:13 CEST 2011
Werner Koch <wk at gnupg.org> writes:
> Is there a reason why you use (ctx->nbits - 1) when passing the size of
> the key to the OAEP and PSS functions? The functions round them to full
> bytes anyway but there at least in PSS some leading bits are cleared
> depending on the number of bits (i.e. if not a multiple of 8).
For PSS, that is defined in RFC3447 8.1.1:

    EM = EMSA-PSS-ENCODE (M, modBits - 1).

    Note that the octet length of EM will be one less than k if
    modBits - 1 is divisible by 8 and equal to k otherwise.

IIUC, this is necessary to make sure EM is smaller than RSA modulus n.
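The length rule and the size guarantee discussed in this message, as an added example (not libgcrypt code and not part of the original post). It is a Python sketch of EMSA-PSS-ENCODE; SHA-256, the 32-byte constructed salts, the sample message and all function names are assumptions chosen for illustration.

```python
import hashlib

MSG = b"constructed sample message"  # constructed input, not from the thread

def mgf1(seed, length, hash_fn=hashlib.sha256):
    """MGF1 mask generation (RFC 3447, B.2.1)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def emsa_pss_encode(msg, em_bits, salt, hash_fn=hashlib.sha256):
    """EMSA-PSS-ENCODE (RFC 3447, 9.1.1) with a caller-supplied salt."""
    h_len = hash_fn().digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error")
    h = hash_fn(b"\x00" * 8 + hash_fn(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    mask = mgf1(h, em_len - h_len - 1, hash_fn)
    masked = bytearray(a ^ b for a, b in zip(db, mask))
    # Clear the leftmost 8*emLen - emBits bits so EM < 2^emBits.
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"

def em_lengths(mod_bits):
    """Return (k, emLen) when encoding with emBits = modBits - 1."""
    k = (mod_bits + 7) // 8
    em = emsa_pss_encode(MSG, mod_bits - 1, b"\x00" * 32)
    return k, len(em)

def count_not_below_min_modulus(mod_bits, em_bits, trials=64):
    """Count constructed salts whose EM, read as an integer, is >= 2^(modBits-1).
    That is the smallest possible modBits-bit modulus, so for those encodings
    EM < n is not guaranteed."""
    floor_n = 1 << (mod_bits - 1)
    return sum(
        int.from_bytes(emsa_pss_encode(MSG, em_bits, bytes([i]) * 32), "big") >= floor_n
        for i in range(trials))

if __name__ == "__main__":
    for bits in (1024, 1025, 1030):
        print(bits, em_lengths(bits))
    print("emBits = modBits - 1:", count_not_below_min_modulus(1024, 1023))
    print("emBits = modBits    :", count_not_below_min_modulus(1024, 1024))
```

With emBits = modBits - 1 the count is always zero, because the cleared leading bits bound EM below 2^(modBits-1), which is at most n.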