
FormatPkcs1Pss Method

FormatPkcs1Pss(ReadOnlySpan<byte>, int, int)

Build the digest into a PKCS #1 v2 PSS formatted block for signing (see RFC 8017).

C#
public static byte[] FormatPkcs1Pss(ReadOnlySpan<byte> digest, int digestAlgorithm, int keySizeBits)

Parameters

Type Name Description
ReadOnlySpan<byte> digest

The message digest value to format.

int digestAlgorithm

The algorithm used to compute the message digest. It must be one of the digest algorithms defined in this class: RsaFormat.Sha1, RsaFormat.Sha256, and so on.

int keySizeBits

The size of the key used, in bits. This value must be one of the RsaFormat.KeySizeBits-x- values.

Returns

byte[]

A new byte array containing the formatted digest.

Exceptions

Type Condition
ArgumentException

The digest length does not match the digestAlgorithm, or the digestAlgorithm is not supported, or the keySizeBits is not supported.

Remarks

The PSS (probabilistic signature scheme) padding operation has a number of parameters: hash function, mask generating function, salt length, and trailer field. This method will use the input digestAlgorithm as the hash function, MGF1 as the mask generating function, the digest length as the salt length, and 0xBC as the trailer field.

The default hash function is SHA-1, but the standard recommends using the same hash function in PSS operations as was used to digest the data to sign. Hence, this method will do so. The caller provides the digest (the data to format), along with a flag indicating the algorithm. The algorithm must be one supported by this class: RsaFormat.Sha1, RsaFormat.Sha256, and so on. Note that the length of the digest given must match the digestAlgorithm, otherwise the method will throw an exception.

The default salt length is 20, but the standard recommends using the digest length as the salt length. This method will do that. For example, if the digest is SHA-256, the salt length will be 32. Note that the C# PSS implementation (see the System.Security.Cryptography.RSA class) uses the digest length as the salt length exclusively, the same as this method.

Note that SHA-512 cannot be used as the digest algorithm with PSS and a 1024-bit key. Because the salt length equals the digest length, the formatted data is at least 2 times the digest length plus 2 bytes long, so a PSS-formatted block with SHA-512 is at a minimum (2 * 64) + 2 = 130 bytes long. With a 1024-bit RSA key, however, the block is only 128 bytes long.
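The block layout these parameters produce, and the size check that rules out SHA-512 with a 1024-bit key, as an added example (not the SDK's own code). It follows EMSA-PSS-ENCODE from RFC 8017 using System.Security.Cryptography instead of CryptographyProviders; the class name PssBlockSketch and the sample message are hypothetical, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
static class PssBlockSketch   // hypothetical name, not part of the SDK
{
    // MGF1 (RFC 8017, B.2.1): Hash(seed || 4-byte counter) blocks, cut to maskLen bytes.
    static byte[] Mgf1(IncrementalHash hash, byte[] seed, int maskLen)
    {
        byte[] mask = new byte[maskLen];
        for (int counter = 0, offset = 0; offset < maskLen; counter++)
        {
            hash.AppendData(seed);
            hash.AppendData(new[] { (byte)(counter >> 24), (byte)(counter >> 16), (byte)(counter >> 8), (byte)counter });
            foreach (byte b in hash.GetHashAndReset()) if (offset < maskLen) mask[offset++] = b;
        }
        return mask;
    }

    // EMSA-PSS-ENCODE (RFC 8017, 9.1.1): MGF1, salt length = digest length, trailer 0xBC.
    public static byte[] Encode(byte[] digest, HashAlgorithmName alg, int keySizeBits)
    {
        using IncrementalHash hash = IncrementalHash.CreateHash(alg);
        int hLen = hash.GetHashAndReset().Length;            // output size of alg
        int emBits = keySizeBits - 1, emLen = (emBits + 7) / 8, dbLen = emLen - hLen - 1;
        if (digest.Length != hLen || emLen < 2 * hLen + 2)
            throw new ArgumentException("Digest length or key size does not fit PSS.");
        byte[] salt = RandomNumberGenerator.GetBytes(hLen);  // fresh salt for every block
        hash.AppendData(new byte[8]);                        // eight zero bytes
        hash.AppendData(digest);
        hash.AppendData(salt);
        byte[] h = hash.GetHashAndReset();                   // H = Hash(0x00*8 || digest || salt)
        byte[] em = new byte[emLen];                         // zero-filled, so PS is already in place
        em[dbLen - hLen - 1] = 0x01;                         // DB = PS || 0x01 || salt
        salt.CopyTo(em, dbLen - hLen);
        byte[] mask = Mgf1(hash, h, dbLen);
        for (int i = 0; i < dbLen; i++) em[i] ^= mask[i];    // maskedDB = DB xor MGF1(H)
        em[0] &= (byte)(0xFF >> (8 * emLen - emBits));       // clear the bits above emBits
        h.CopyTo(em, dbLen);                                 // EM = maskedDB || H || 0xBC
        em[emLen - 1] = 0xBC;
        return em;
    }

    static void Main()
    {
        byte[] message = { 1, 2, 3 };                        // constructed sample input
        byte[] em = Encode(SHA256.HashData(message), HashAlgorithmName.SHA256, 2048);
        Console.WriteLine($"{em.Length} bytes, trailer 0x{em[^1]:X2}");
        try { Encode(SHA512.HashData(message), HashAlgorithmName.SHA512, 1024); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the salt is random, two blocks built from the same digest differ, so a formatted block cannot be checked by byte comparison; a verifier has to recover the salt from the block and recompute H.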

This method will use the random number generator and message digest implementations from CryptographyProviders.

This method supports only keySizeBits values that are defined in this class as KeySizeBits-x-, such as RsaFormat.KeySizeBits1024 (x=1024). You can use one of these values or simply the actual key size in bits. For example, if the key size in bits is 1024, then either RsaFormat.KeySizeBits1024 or 1024 is valid input to this method.
