AndyQ / NFCPassportReader

NFCPassportReader for iOS 13
MIT License

rsassaPss/SHA512 signature verification error #200

Open wambla opened 7 months ago

wambla commented 7 months ago

Recent Italian e-passports use rsassaPss/SHA512 for the Document Signing Certificate. The signature verification fails with an OpenSSL error:

```
ERROR: code: 67625095, reason: error:0407E087:rsa routines:RSA_verify_PKCS1_PSS_mgf1:salt length recovery failed
```

The static method verifySignature() in the OpenSSLUtils class sets the digest to SHA256 based on the string "rsassapss" instead of using the correct hashing algorithm.

```swift
} else if digestType.contains( "sha256" ) || digestType.contains( "rsassapss" ) {
    digest = "sha256"
```

Sorry to report this issue, I'm sure there is/was a reason for the code above but I don't know much about digital certificate standards and formats. Currently it fails the verification for rsassaPss/SHA512 signatures. I temporarily fixed the issue in my local code by passing the hashing algorithm string from the signed attributes as an extra parameter to the mentioned method, to use only in the case of "rsassapss".

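```swift
} else if digestType.contains( "sha256" ) {
    digest = "sha256"
...
} else if digestType.contains( "rsassapss" ) {
    // hashAlgo: hashing algorithm string from the signed attributes (the extra parameter)
    digest = hashAlgo.lowercased()
}
```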
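
An added example, not code from NFCPassportReader or from the comment above: with RSASSA-PSS the digest is not implied by the algorithm name. It is carried in the RSASSA-PSS-params of the signature's AlgorithmIdentifier (RFC 4055), and any absent field falls back to the SHA-1 defaults. This Python sketch reads those parameters from DER; the function names and the sample bytes are constructed for illustration.

```python
HASH_OIDS = {  # DER-encoded OID bodies -> OpenSSL digest names
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040202"): "sha384",
    bytes.fromhex("608648016503040203"): "sha512",
}
ID_RSASSA_PSS = bytes.fromhex("2a864886f70d01010a")  # 1.2.840.113549.1.1.10

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # -> [(tag, value), ...] for the elements packed in value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def hash_name(alg_id_body):  # digest name for the OID opening an AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id_body)
    if tag != 0x06 or oid not in HASH_OIDS:
        raise ValueError("unsupported hash algorithm")
    return HASH_OIDS[oid]

def pss_params(alg_id_der):  # parse AlgorithmIdentifier { id-RSASSA-PSS, params }
    fields = children(read_tlv(alg_id_der)[1])
    if not fields or fields[0] != (0x06, ID_RSASSA_PSS):
        raise ValueError("not id-RSASSA-PSS")
    out = {"hash": "sha1", "mgf1_hash": "sha1", "salt_len": 20}  # RFC 4055 defaults
    params = fields[1][1] if len(fields) > 1 and fields[1][0] == 0x30 else b""
    for tag, val in children(params):
        inner = read_tlv(val)[1]  # strip the EXPLICIT [n] wrapper
        if tag == 0xA0:  # hashAlgorithm
            out["hash"] = hash_name(inner)
        elif tag == 0xA1:  # maskGenAlgorithm: mgf1 OID, then its hash AlgorithmIdentifier
            out["mgf1_hash"] = hash_name(children(inner)[1][1])
        elif tag == 0xA2:  # saltLength
            out["salt_len"] = int.from_bytes(inner, "big")
    return out

SAMPLE_PSS_SHA512 = bytes.fromhex(  # constructed DER, not read from a real passport
    "304106092a864886f70d01010a3034a00f300d06096086480165030402030500"
    "a11c301a06092a864886f70d010108300d06096086480165030402030500a203020140")
```

All three values (hash, MGF1 hash, salt length) have to match what the signer used, which is why forcing "sha256" for every "rsassapss" signature fails on a SHA-512 certificate.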