From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 13 Oct 2017 13:02:02 +0000 (+0200)
Subject: auth-cfg: Store signature schemes as signature_params_t objects
X-Git-Tag: 5.6.1rc1~6^2~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54f8d092613d6cd2409073c5059cfbeb7f815c17;p=thirdparty%2Fstrongswan.git

auth-cfg: Store signature schemes as signature_params_t objects

Due to circular references the hasher_from_signature_scheme() helper
does not take a signature_params_t object.
---

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index befdfe3877..dbdde59ae5 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -114,7 +114,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 {
 	enumerator_t *enumerator;
 	signature_scheme_t scheme;
-	uintptr_t config;
+	signature_params_t *config;
 	auth_rule_t rule;
 	key_type_t key_type;
 	bool have_config = FALSE;
@@ -130,11 +130,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 			continue;
 		}
 		have_config = TRUE;
-		if (key_type == key_type_from_signature_scheme(config) &&
+		if (key_type == key_type_from_signature_scheme(config->scheme) &&
 			keymat->hash_algorithm_supported(keymat,
-										hasher_from_signature_scheme(config)))
+								hasher_from_signature_scheme(config->scheme,
+															 config->params)))
 		{
-			scheme = config;
+			scheme = config->scheme;
 			array_insert(selected, ARRAY_TAIL, &scheme);
 		}
 	}
@@ -149,7 +150,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 		while (enumerator->enumerate(enumerator, &scheme))
 		{
 			if (keymat->hash_algorithm_supported(keymat,
-										hasher_from_signature_scheme(scheme)))
+										hasher_from_signature_scheme(scheme,
+																	 NULL)))
 			{
 				array_insert(selected, ARRAY_TAIL, &scheme);
 			}
@@ -180,7 +182,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 					}
 				}
 				if (!found && keymat->hash_algorithm_supported(keymat,
-										hasher_from_signature_scheme(scheme)))
+										hasher_from_signature_scheme(scheme,
+																	 NULL)))
 				{
 					array_insert(selected, ARRAY_TAIL, &scheme);
 				}
@@ -383,7 +386,7 @@ METHOD(authenticator_t, process, status_t,
 	auth_cfg_t *auth, *current_auth;
 	enumerator_t *enumerator;
 	key_type_t key_type = KEY_ECDSA;
-	signature_scheme_t scheme;
+	signature_params_t params;
 	status_t status = NOT_FOUND;
 	const char *reason = "unsupported";
 	bool online;
@@ -399,19 +402,19 @@ METHOD(authenticator_t, process, status_t,
 	{
 		case AUTH_RSA:
 			key_type = KEY_RSA;
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			params.scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
 			break;
 		case AUTH_ECDSA_256:
-			scheme = SIGN_ECDSA_256;
+			params.scheme = SIGN_ECDSA_256;
 			break;
 		case AUTH_ECDSA_384:
-			scheme = SIGN_ECDSA_384;
+			params.scheme = SIGN_ECDSA_384;
 			break;
 		case AUTH_ECDSA_521:
-			scheme = SIGN_ECDSA_521;
+			params.scheme = SIGN_ECDSA_521;
 			break;
 		case AUTH_DS:
-			if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
+			if (parse_signature_auth_data(&auth_data, &key_type, &params.scheme))
 			{
 				break;
 			}
@@ -423,7 +426,7 @@ METHOD(authenticator_t, process, status_t,
 			return INVALID_ARG;
 	}
 	id = this->ike_sa->get_other_id(this->ike_sa);
-	if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme))
+	if (!get_auth_octets_scheme(this, TRUE, id, &octets, &params.scheme))
 	{
 		return FAILED;
 	}
@@ -434,15 +437,16 @@ METHOD(authenticator_t, process, status_t,
 													key_type, id, auth, online);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
-		if (public->verify(public, scheme, NULL, octets, auth_data))
+		if (public->verify(public, params.scheme, NULL, octets, auth_data))
 		{
 			DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
 				 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
-				 auth_method == AUTH_DS ? scheme : auth_method);
+				 auth_method == AUTH_DS ? params.scheme : auth_method);
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+			auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+					  signature_params_clone(&params));
 			if (!online)
 			{
 				auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index f974b9f58d..d75d217150 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -158,7 +158,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 	peer_cfg_t *peer;
 	auth_cfg_t *auth;
 	auth_rule_t rule;
-	uintptr_t config;
+	signature_params_t *config;
 	int written;
 	size_t len = BUF_LEN;
 	char buf[len];
@@ -177,7 +177,8 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 			{
 				if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
 				{
-					hash = hasher_from_signature_scheme(config);
+					hash = hasher_from_signature_scheme(config->scheme,
+														config->params);
 					if (hasher_algorithm_for_ikev2(hash))
 					{
 						algos->add(algos, hash);
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 07da596e4c..bb7ad87688 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
@@ -216,8 +216,6 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
-		case AUTH_RULE_SIGNATURE_SCHEME:
-		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -232,6 +230,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_RULE_CERT_POLICY:
+		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
@@ -267,8 +267,6 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
-		case AUTH_RULE_SIGNATURE_SCHEME:
-		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		{
 			return e1->value == e2->value;
@@ -301,6 +299,11 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 
 			return id1->equals(id1, id2);
 		}
+		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		{
+			return signature_params_equal(e1->value, e2->value);
+		}
 		case AUTH_RULE_CERT_POLICY:
 		case AUTH_RULE_XAUTH_BACKEND:
 		case AUTH_HELPER_IM_HASH_URL:
@@ -351,6 +354,12 @@ static void destroy_entry_value(entry_t *entry)
 			free(entry->value);
 			break;
 		}
+		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		{
+			signature_params_destroy(entry->value);
+			break;
+		}
 		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_AUTH_CLASS:
 		case AUTH_RULE_EAP_TYPE:
@@ -360,8 +369,6 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
-		case AUTH_RULE_SIGNATURE_SCHEME:
-		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		case AUTH_RULE_MAX:
 			break;
@@ -394,8 +401,6 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
-			case AUTH_RULE_SIGNATURE_SCHEME:
-			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -410,6 +415,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_IM_CERT:
 			case AUTH_RULE_SUBJECT_CERT:
 			case AUTH_RULE_CERT_POLICY:
+			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
@@ -472,9 +479,6 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 			return (void*)0;
-		case AUTH_RULE_SIGNATURE_SCHEME:
-		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
-			return (void*)HASH_UNKNOWN;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
 			return (void*)VALIDATION_FAILED;
@@ -491,6 +495,8 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_RULE_CERT_POLICY:
+		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
@@ -631,16 +637,19 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 			{
 				if (expected_type == KEY_ANY || expected_type == schemes[i].key)
 				{
+					signature_params_t *params;
+
+					INIT(params,
+						.scheme = schemes[i].scheme,
+					);
 					if (is_ike)
 					{
-						add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
-							(uintptr_t)schemes[i].scheme);
+						add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
 						ike_added = TRUE;
 					}
 					else
 					{
-						add(this, AUTH_RULE_SIGNATURE_SCHEME,
-						   (uintptr_t)schemes[i].scheme);
+						add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
 					}
 				}
 				found = TRUE;
@@ -666,7 +675,7 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 			if (type == AUTH_RULE_SIGNATURE_SCHEME)
 			{
 				add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
-					(uintptr_t)value);
+					signature_params_clone(value));
 			}
 		}
 		enumerator->destroy(enumerator);
@@ -681,20 +690,20 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
 {
 	enumerator_t *e1, *e2;
 	auth_rule_t t1, t2;
-	signature_scheme_t scheme;
-	void *value;
+	signature_params_t *params, *constraint;
 	bool success = TRUE;
 
 	e2 = create_enumerator(this);
-	while (e2->enumerate(e2, &t2, &scheme))
+	while (e2->enumerate(e2, &t2, &params))
 	{
 		if (t2 == type)
 		{
 			success = FALSE;
 			e1 = constraints->create_enumerator(constraints);
-			while (e1->enumerate(e1, &t1, &value))
+			while (e1->enumerate(e1, &t1, &constraint))
 			{
-				if (t1 == type && (uintptr_t)value == scheme)
+				if (t1 == type &&
+					signature_params_comply(constraint, params))
 				{
 					success = TRUE;
 					break;
@@ -707,7 +716,7 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
 				{
 					DBG1(DBG_CFG, "%s signature scheme %N not acceptable",
 						 AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE",
-						 signature_scheme_names, (int)scheme);
+						 signature_scheme_names, params->scheme);
 				}
 				break;
 			}
@@ -725,7 +734,7 @@ METHOD(auth_cfg_t, complies, bool,
 	bool ca_match = FALSE, cert_match = FALSE;
 	identification_t *require_group = NULL;
 	certificate_t *require_ca = NULL, *require_cert = NULL;
-	signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN;
+	signature_params_t *ike_scheme = NULL, *scheme = NULL;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
 	char *key_type;
@@ -928,12 +937,12 @@ METHOD(auth_cfg_t, complies, bool,
 			}
 			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			{
-				ike_scheme = (uintptr_t)value;
+				ike_scheme = value;
 				break;
 			}
 			case AUTH_RULE_SIGNATURE_SCHEME:
 			{
-				scheme = (uintptr_t)value;
+				scheme = value;
 				break;
 			}
 			case AUTH_RULE_CERT_POLICY:
@@ -983,12 +992,12 @@ METHOD(auth_cfg_t, complies, bool,
 
 	/* Check if we have a matching constraint (or none at all) for used
 	 * signature schemes. */
-	if (success && scheme != SIGN_UNKNOWN)
+	if (success && scheme)
 	{
 		success = complies_scheme(this, constraints,
 								  AUTH_RULE_SIGNATURE_SCHEME, log_error);
 	}
-	if (success && ike_scheme != SIGN_UNKNOWN)
+	if (success && ike_scheme)
 	{
 		success = complies_scheme(this, constraints,
 								  AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error);
@@ -1114,8 +1123,6 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_RSA_STRENGTH:
 				case AUTH_RULE_ECDSA_STRENGTH:
 				case AUTH_RULE_BLISS_STRENGTH:
-				case AUTH_RULE_SIGNATURE_SCHEME:
-				case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 				case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				{
 					add(this, type, (uintptr_t)value);
@@ -1132,6 +1139,12 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 					add(this, type, id->clone(id));
 					break;
 				}
+				case AUTH_RULE_SIGNATURE_SCHEME:
+				case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+				{
+					add(this, type, signature_params_clone(value));
+					break;
+				}
 				case AUTH_RULE_XAUTH_BACKEND:
 				case AUTH_RULE_CERT_POLICY:
 				case AUTH_HELPER_IM_HASH_URL:
@@ -1286,11 +1299,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
-			case AUTH_RULE_SIGNATURE_SCHEME:
-			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				clone->add(clone, type, (uintptr_t)value);
 				break;
+			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			{
+				clone->add(clone, type, signature_params_clone(value));
+				break;
+			}
 			case AUTH_RULE_MAX:
 				break;
 		}
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 7191dc1bc8..2eb4485469 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -106,9 +106,9 @@ enum auth_rule_t {
 	AUTH_RULE_ECDSA_STRENGTH,
 	/** required BLISS public key strength, u_int in bits */
 	AUTH_RULE_BLISS_STRENGTH,
-	/** required signature scheme, signature_scheme_t */
+	/** required signature scheme, signature_params_t* */
 	AUTH_RULE_SIGNATURE_SCHEME,
-	/** required signature scheme for IKE authentication, signature_scheme_t */
+	/** required signature scheme for IKE authentication, signature_params_t* */
 	AUTH_RULE_IKE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */
 	AUTH_RULE_CERT_POLICY,
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index a4a092e368..21b23f5433 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -750,8 +750,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
 					 "\"%Y\"", issuer->get_subject(issuer));
 			}
-			auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
-			signature_params_destroy(scheme);
+			auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
 		}
 		else
 		{
@@ -769,8 +768,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
 					 "\"%Y\"", issuer->get_subject(issuer));
-				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
-				signature_params_destroy(scheme);
+				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
 			}
 			else
 			{
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index c04835b2c6..713d7beb38 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -19,6 +19,7 @@
 #include "hasher.h"
 
 #include <asn1/oid.h>
+#include <credentials/keys/signature_params.h>
 
 ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
 	"HASH_SHA1",
@@ -483,14 +484,21 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 /*
  * Defined in header.
  */
-hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme,
+											  void *params)
 {
 	switch (scheme)
 	{
 		case SIGN_UNKNOWN:
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 		case SIGN_ECDSA_WITH_NULL:
+			break;
 		case SIGN_RSA_EMSA_PSS:
+			if (params)
+			{
+				rsa_pss_params_t *pss = params;
+				return pss->hash;
+			}
 			break;
 		case SIGN_ED25519:
 		case SIGN_ED448:
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 96de7e2589..d1f11fa1cf 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -206,8 +206,10 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key);
  * Determine the hash algorithm associated with a given signature scheme.
  *
  * @param scheme		signature scheme
+ * @param params		optional parameters
  * @return				hash algorithm (could be HASH_UNKNOWN)
  */
-hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme);
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme,
+											  void *params);
 
 #endif /** HASHER_H_ @}*/
diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c
index 139b730218..3e30e0d0ad 100644
--- a/src/libstrongswan/tests/suites/test_auth_cfg.c
+++ b/src/libstrongswan/tests/suites/test_auth_cfg.c
@@ -45,7 +45,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
 {
 	enumerator_t *enumerator;
 	auth_rule_t t;
-	void *value;
+	signature_params_t *value;
 	int i = 0;
 
 	enumerator = cfg->create_enumerator(cfg);
@@ -54,7 +54,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
 		if (t == type)
 		{
 			ck_assert(expected[i]);
-			ck_assert_int_eq(expected[i], (signature_scheme_t)value);
+			ck_assert_int_eq(expected[i], value->scheme);
 			i++;
 		}
 	}
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index 9f77419698..7bf5273291 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -90,12 +90,10 @@ START_TEST(test_hasher_sig_to_oid)
 }
 END_TEST
 
-typedef struct {
+static struct {
 	signature_scheme_t scheme;
 	hash_algorithm_t alg;
-}hasher_sig_scheme_t;
-
-static hasher_sig_scheme_t sig_schemes[] = {
+} sig_schemes[] = {
 	{ SIGN_UNKNOWN,               HASH_UNKNOWN    },
 	{ SIGN_RSA_EMSA_PKCS1_NULL,   HASH_UNKNOWN    },
 	{ SIGN_RSA_EMSA_PKCS1_MD5,    HASH_MD5        },
@@ -108,6 +106,7 @@ static hasher_sig_scheme_t sig_schemes[] = {
 	{ SIGN_RSA_EMSA_PKCS1_SHA3_256, HASH_SHA3_256 },
 	{ SIGN_RSA_EMSA_PKCS1_SHA3_384, HASH_SHA3_384 },
 	{ SIGN_RSA_EMSA_PKCS1_SHA3_512, HASH_SHA3_512 },
+	{ SIGN_RSA_EMSA_PSS,		  HASH_UNKNOWN    },
 	{ SIGN_ECDSA_WITH_SHA1_DER,   HASH_SHA1       },
 	{ SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256     },
 	{ SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384     },
@@ -124,16 +123,35 @@ static hasher_sig_scheme_t sig_schemes[] = {
 	{ SIGN_BLISS_WITH_SHA3_512,   HASH_SHA3_512   },
 	{ SIGN_ED25519,               HASH_IDENTITY   },
 	{ SIGN_ED448,                 HASH_IDENTITY   },
-	{ 30,						  HASH_UNKNOWN    }
+	{ 30,						  HASH_UNKNOWN    },
 };
 
 START_TEST(test_hasher_from_sig_scheme)
 {
-	ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) ==
+	ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme, NULL) ==
 										   sig_schemes[_i].alg);
 }
 END_TEST
 
+static struct {
+	signature_scheme_t scheme;
+	union {
+		rsa_pss_params_t pss;
+	} p;
+	hash_algorithm_t alg;
+} sig_schemes_params[] = {
+	{ SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA256 }, HASH_SHA256 },
+	{ SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA512 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA256 },
+};
+
+START_TEST(test_hasher_from_sig_scheme_params)
+{
+	ck_assert(hasher_from_signature_scheme(sig_schemes_params[_i].scheme,
+					&sig_schemes_params[_i].p) == sig_schemes_params[_i].alg);
+}
+END_TEST
+
 typedef struct {
 	pseudo_random_function_t prf;
 	hash_algorithm_t alg;
@@ -269,6 +287,7 @@ Suite *hasher_suite_create()
 
 	tc = tcase_create("from_sig_scheme");
 	tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes));
+	tcase_add_loop_test(tc, test_hasher_from_sig_scheme_params, 0, countof(sig_schemes_params));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("from_prf");
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 0fdab2aab1..44fe1f75d4 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -250,7 +250,7 @@ hash_algorithm_t get_default_digest(private_key_t *private)
 										   private->get_keysize(private));
 	if (enumerator->enumerate(enumerator, &scheme))
 	{
-		alg = hasher_from_signature_scheme(scheme);
+		alg = hasher_from_signature_scheme(scheme, NULL);
 	}
 	enumerator->destroy(enumerator);