mirrored from https://www.bouncycastle.org/repositories/bc-java
Status: Closed
Labels: invalid (This doesn't seem right)

Description
It looks like BC encodes RSA-PSS signatures in CMS incorrectly, see this post. Specifically, RFC 4055 defines the format as:
RSASSA-PSS-params ::= SEQUENCE {
    hashAlgorithm      [0] HashAlgorithm    DEFAULT sha1Identifier,
    maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
    saltLength         [2] INTEGER          DEFAULT 20,
    trailerField       [3] INTEGER          DEFAULT 1 }
However, a BC-generated signature is encoded as:
1202   47: SEQUENCE {
1204   15:   [0] {
1206   13:     SEQUENCE {
1208    9:       OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
1219    0:       NULL
         :       }
         :     }
1221   28:   [1] {
1223   26:     SEQUENCE {
1225    9:       OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
1236   13:       SEQUENCE {
1238    9:         OBJECT IDENTIFIER
         :           sha-256 (2 16 840 1 101 3 4 2 1)
1249    0:         NULL
         :         }
         :       }
         :     }
         :   }
Note the absent saltLength, which means it has the SHA-1 value even though the signature is generated with SHA-256. Presumably the saltLength is the correct 32; however, the signature is claiming it's 20, which means the signature can't be verified.
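The report turns on how DER treats DEFAULT components: a component equal to its default is omitted from the encoding, and a decoder fills the default back in, so an absent saltLength means exactly 20 regardless of which digest hashAlgorithm names. The following is an added example, not Bouncy Castle code: a hand-rolled, dependency-free DER encoder and decoder for RSASSA-PSS-params that reproduces the 47-byte SEQUENCE dumped above (SHA-256, no [2] component), shows what the same parameters look like when saltLength 32 is present, and includes a hypothetical verifier-side policy check (params_match_policy, my name) that compares the declared parameters against what the relying party expects instead of trusting them. It assumes the MGF digest equals the signature digest and that HashAlgorithm carries NULL parameters, as in the dump.

```python
# Added example (not Bouncy Castle code): minimal DER handling of RSASSA-PSS-params
# (RFC 4055) that makes the DEFAULT rule explicit. Hand-rolled; no external libraries.

SHA1_OID = "1.3.14.3.2.26"
SHA256_OID = "2.16.840.1.101.3.4.2.1"
MGF1_OID = "1.2.840.113549.1.1.8"

# RFC 4055 defaults: sha1Identifier, mgf1SHA1Identifier, saltLength 20, trailerField 1.
DEFAULTS = {"hash": SHA1_OID, "mgf_hash": SHA1_OID, "salt_length": 20, "trailer_field": 1}


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _oid(dotted):
    """OBJECT IDENTIFIER TLV: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _integer(value):
    """Non-negative INTEGER TLV; the spare byte keeps a set high bit from reading as negative."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _hash_alg(oid):
    """HashAlgorithm as AlgorithmIdentifier with NULL parameters (assumption, as in the dump)."""
    return _tlv(0x30, _oid(oid) + b"\x05\x00")


def encode_pss_params(hash_oid, salt_length, trailer_field=1):
    """DER-encode RSASSA-PSS-params, omitting every component equal to its DEFAULT."""
    body = b""
    if hash_oid != SHA1_OID:  # [0] hashAlgorithm and [1] maskGenAlgorithm (MGF1 over same digest)
        body += _tlv(0xA0, _hash_alg(hash_oid))
        body += _tlv(0xA1, _tlv(0x30, _oid(MGF1_OID) + _hash_alg(hash_oid)))
    if salt_length != 20:  # [2] saltLength: absent means 20, whatever the digest
        body += _tlv(0xA2, _integer(salt_length))
    if trailer_field != 1:  # [3] trailerField
        body += _tlv(0xA3, _integer(trailer_field))
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _read_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_alg(buf):
    """Parse an AlgorithmIdentifier TLV; return (oid, trailing parameter bytes)."""
    tag, seq, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _read_oid(oid_body), seq[pos:]


def decode_pss_params(der):
    """Decode RSASSA-PSS-params, filling in the RFC 4055 DEFAULTs for absent components."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    params, pos = dict(DEFAULTS), 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            params["hash"] = _read_alg(inner)[0]
        elif tag == 0xA1:
            mgf_oid, mgf_params = _read_alg(inner)
            if mgf_oid != MGF1_OID:
                raise ValueError("unsupported mask generation function " + mgf_oid)
            params["mgf_hash"] = _read_alg(mgf_params)[0]
        elif tag in (0xA2, 0xA3):
            _, int_body, _ = _read_tlv(inner, 0)
            params["salt_length" if tag == 0xA2 else "trailer_field"] = int.from_bytes(int_body, "big")
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return params


def params_match_policy(der, expected_hash_oid, expected_salt_length):
    """Hypothetical verifier-side check: the declared parameters must match the relying
    party's policy (same digest for hash and MGF, expected salt length, trailer 1)."""
    p = decode_pss_params(der)
    return (p["hash"] == expected_hash_oid and p["mgf_hash"] == expected_hash_oid
            and p["salt_length"] == expected_salt_length and p["trailer_field"] == 1)


if __name__ == "__main__":
    as_reported = encode_pss_params(SHA256_OID, 20)  # constructed reproduction of the dump above
    print(len(as_reported), decode_pss_params(as_reported))  # 49 bytes, salt_length 20
    explicit_32 = encode_pss_params(SHA256_OID, 32)
    print(explicit_32.hex(), decode_pss_params(explicit_32))  # contains a2 03 02 01 20
    print(params_match_policy(as_reported, SHA256_OID, 32))  # False
```

Running the block encodes the reported shape into exactly 49 bytes (the 47-byte SEQUENCE body plus its own tag and length), decodes it back with salt_length 20, and shows that a signer using a 32-byte salt must emit an explicit [2] INTEGER 32 for the parameters to describe the signature it produced; the policy check makes that mismatch a verification failure rather than a silent assumption.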