RUSTCRYPTO: RSA-PSS INTEROPERABILITY

We updated the RustCrypto RSA library to improve interoperability for RSA signature verification

CLIENT: RustCrypto: RSA-PSS Interoperability

SERVICE: Research

INDUSTRY: Crypto

YEAR: 2025

Fortuna enhanced the RustCrypto RSA library to securely verify legacy RSA-PSS signatures with unspecified salt lengths. Our solution ensures full interoperability while maintaining constant-time execution, enabling Rust applications to work safely with legacy systems and varying OpenSSL defaults.

Problem

Standard RSA-PSS requires the verifier to know the exact salt length used by the signer. Ideally, the protocol fixes this value or communicates it out-of-band. Unfortunately, some systems do not provide this information, forcing the verifier to determine the salt length some other way.

This issue is compounded by widely used tools:

  • Unspecified Defaults: OpenSSL and the Node.js Crypto API allow signing without specifying a salt length.
  • Version Variance: When signing without a specification, these tools use a default value that can vary by version.
  • Non-Standard Verification: OpenSSL uses a non-standard detection approach to verify these signatures.

This behavior causes significant interoperability problems for any cryptographic scheme built on these underspecified foundations.

Solution

We implemented salt-length auto-detection to support these systems. While a previous version of the library attempted this, it was removed due to security concerns.

We successfully reintroduced the feature by ensuring strict safety and correctness:

  • Constant-Time Execution: We engineered the implementation to run in constant time, so the detected salt length does not leak through timing side channels.
  • Explicit API: We created a dedicated API function for this mode. It avoids "background magic": the developer must opt in explicitly.
  • Context & Testing: We documented exactly when this feature is required and provided unit tests that demonstrate its correct usage.
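The detection described above, shown at the EMSA-PSS encoding layer (RFC 8017 section 9.1) as an added example; this is not RustCrypto's implementation or Fortuna's patch. It assumes a 2048-bit modulus (the constructed constant `EM_BITS`) and omits the RSA exponentiation, because the salt length lives entirely in the encoded message EM: after unmasking, DB is `PS || 0x01 || salt`, and "auto-detection" means locating that separator, which is what OpenSSL's `RSA_PSS_SALTLEN_AUTO` mode does. `auto_salt_len` visits every byte with no data-dependent early exit, the shape a constant-time implementation needs (Python itself gives no timing guarantee). `demo()` encodes one message with three salt lengths a signer's default might have chosen and shows that a verifier expecting a fixed length accepts only one of them, while the opt-in auto mode accepts all three and still rejects a wrong message.

```python
"""EMSA-PSS (RFC 8017 section 9.1) with salt-length auto-detection.
Added example, not RustCrypto or Fortuna code; the RSA modular
exponentiation around EM is omitted and EM_BITS is a constructed value."""
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha256
H_LEN = HASH().digest_size     # 32 bytes
EM_BITS = 2047                 # constructed: a 2048-bit modulus gives emBits = modBits - 1
EM_LEN = (EM_BITS + 7) // 8    # 256 bytes


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1) over the same hash as the scheme."""
    out = b"".join(HASH(seed + c.to_bytes(4, "big")).digest()
                   for c in range((mask_len + H_LEN - 1) // H_LEN))
    return out[:mask_len]


def emsa_pss_encode(message: bytes, salt: bytes) -> bytes:
    """Signer side (RFC 8017 9.1.1): returns EM for the given salt."""
    if EM_LEN < H_LEN + len(salt) + 2:
        raise ValueError("salt too long for this modulus size")
    m_hash = HASH(message).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (EM_LEN - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(x ^ y for x, y in zip(db, mgf1(h, EM_LEN - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * EM_LEN - EM_BITS)   # clear the excess leading bits
    return bytes(masked_db) + h + b"\xbc"


def auto_salt_len(db: bytes) -> int:
    """Recover the salt length from DB = PS || 0x01 || salt, as OpenSSL does
    for RSA_PSS_SALTLEN_AUTO.  Every byte is visited and there is no
    data-dependent early exit, which is the shape a constant-time version
    needs; Python itself offers no timing guarantee, so this shows the
    structure only.  Returns -1 when the first non-zero byte is not 0x01
    or no separator exists."""
    found = sep_ok = sep_idx = 0
    for i, b in enumerate(db):
        nonzero = int(b != 0)
        first = nonzero & (found ^ 1)      # 1 exactly at the first non-zero byte
        sep_idx |= i * first
        sep_ok |= first & int(b == 0x01)
        found |= nonzero
    return len(db) - sep_idx - 1 if (found & sep_ok) else -1


def emsa_pss_verify(message: bytes, em: bytes, s_len: Optional[int]) -> bool:
    """Verifier side (RFC 8017 9.1.2).  An integer s_len demands exactly that
    salt length (standard behaviour); None opts in to auto-detection."""
    if len(em) != EM_LEN:
        return False
    ok = int(em[-1] == 0xBC)
    masked_db, h = em[: EM_LEN - H_LEN - 1], em[EM_LEN - H_LEN - 1 : -1]
    shift = 8 * EM_LEN - EM_BITS
    ok &= int(masked_db[0] >> (8 - shift) == 0)      # leading bits must be zero
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, EM_LEN - H_LEN - 1)))
    db[0] &= 0xFF >> shift
    if s_len is None:
        s_len = auto_salt_len(db)
    if s_len < 0 or EM_LEN < H_LEN + s_len + 2:
        return False
    ps_len = EM_LEN - H_LEN - s_len - 2
    ok &= int(hmac.compare_digest(bytes(db[: ps_len + 1]), b"\x00" * ps_len + b"\x01"))
    salt = bytes(db[ps_len + 1 :])
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    ok &= int(hmac.compare_digest(h, h_prime))
    return bool(ok)


def demo() -> dict:
    """Encode one constructed message with three salt lengths a signer default
    might pick (20 bytes, the hash length, the maximum) and check each three
    ways: auto-detect, fixed expectation of H_LEN, auto-detect on a wrong message."""
    msg = b"constructed sample message"
    results = {}
    for s_len in (20, H_LEN, EM_LEN - H_LEN - 2):
        em = emsa_pss_encode(msg, secrets.token_bytes(s_len))
        results[s_len] = (emsa_pss_verify(msg, em, None),
                          emsa_pss_verify(msg, em, H_LEN),
                          emsa_pss_verify(b"other message", em, None))
    return results


if __name__ == "__main__":
    for s_len, (auto, fixed, wrong) in demo().items():
        print(f"salt={s_len:3d}  auto={auto}  fixed(hLen)={fixed}  wrong_msg={wrong}")
```

Auto mode accepts whatever salt length the signer chose, so a verifier using it no longer enforces a policy on the salt; that is why the feature belongs behind an explicit opt-in rather than being the default.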

Key results

1. The RustCrypto RSA module merged our changes quickly. Our approach solved the problem while adhering to strict security standards.

2. By using our `new_with_auto_salt_len` constructor, developers can reliably verify RSA-PSS signatures where the salt length is unknown. This works even with the varying defaults found in OpenSSL.

3. Crucially, this allows Rust applications to interoperate with these legacy systems without risking the constant-time nature of the operation and without relying on external C libraries.
