jwtrsa

Padding in RSA JWT signatures


Does the JWT algorithm code "RS256" imply PKCS1 padding?

In theory, once the signature goes through the reverse RSA algorithm during verification, it's impossible to determine the padding scheme from the bits of the padded plaintext, is it? At least is it possible to tell PKCS1 from PSS reliably? The whole idea of padding is that the padded plaintext looks random, and IIRC PSS scrambles all bits of the plaintext, so that a PKCS1-like blob by accident is theorerically possible.

If it was possible, is there a flavor of the RSA signature verification logic out there that would deduce the padding scheme rather than taking it as a parameter?


Solution

  • From RFC7519:

    It is RECOMMENDED that implementations also support RSASSA-PKCS1-v1_5 with the SHA-256 hash algorithm ("RS256")...

    It does.