RSA: Python signed message verified in PHP

one text

Solution:

The Python code uses as the salt length. This value denotes the maximum salt length and is recommended in the Cryptography documentation (s. here):

salt_length (int) – The length of the salt. It is recommended that this be set to PSS.MAX_LENGTH

In RFC8017, which specifies PKCS#1 and thus also PSS, the default value of the salt length is defined as the output length of the hash (s. A.2.3. RSASSA-PSS):

For a given hashAlgorithm, the default value of saltLength is the octet length of the hash value.

Most libraries, e.g. PHPSECLIB, apply for the default value of the salt length the default defined in RFC8017, i.e. the output length of the hash (s. here). Therefore the maximum salt length must be set explicitly. The maximum salt length is given by (s. here):

signature length (bytes) - digest output length (bytes) - 2 = 256 - 32 - 2 = 222 

for a 2048 bits key and SHA256.

Thus, the verification in the PHP code must be changed as follows:

$verified = $key->
            withPadding(RSA::SIGNATURE_PSS)->
            //withHash('sha256')->                  // default
            //withMGFHash('sha256')->               // default
            withSaltLength(256-32-2)->              // set maximum salt length
            verify($code, pack('H*', $signature));  // alternatively hex2bin()

Note that in the posted code of the question h (hex string, low nibble first) is specified in the format string of . I' ve chosen the more common H (hex string, high nibble first) in my code snippet which is also compatible with Python's hex(). Ultimately, the format string to choose depends on the encoding applied in the Python code.