add documentation

hashicorp · Aug 31, 2022 · 0ec0679 · 0ec0679
1 parent 34d5b4d
commit 0ec0679
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/builtin/logical/transit/path_sign_verify.go b/builtin/logical/transit/path_sign_verify.go
@@ -139,7 +139,7 @@ Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'`,
 				Type:    framework.TypeString,
 				Default: "auto",
 				Description: `The salt length used to sign. Currently only applies to the RSA PSS signature scheme.
-Options are 'auto' (crypto/rsa.PSSSaltLengthAuto), 'hash' (crypto/rsa.PSSSaltLengthEqualsHash), or a number of bytes. Defaults to 'auto'.`,
+Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.`,
 			},
 		},
 
@@ -232,7 +232,7 @@ Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'`,
 				Type:    framework.TypeString,
 				Default: "auto",
 				Description: `The salt length used to sign. Currently only applies to the RSA PSS signature scheme.
-Options are 'auto' (crypto/rsa.PSSSaltLengthAuto), 'hash' (crypto/rsa.PSSSaltLengthEqualsHash), or a number of bytes. Defaults to 'auto'.`,
+Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.`,
 			},
 		},
 

diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go
@@ -896,7 +896,7 @@ func Test_RSA_PSS(t *testing.T) {
 		}
 
 		// 3. For three possible valid salt lengths...
-		t.Log(tabs[3], "Test all valid salt lengths")
+		t.Log(tabs[3], "Test three possible valid salt lengths")
 		midSaltLength := mathrand.Intn(maxSaltLength-1) + 1 // [1, maxSaltLength)
 		validSaltLengths := []int{minSaltLength, midSaltLength, maxSaltLength}
 		for _, saltLength := range validSaltLengths {

diff --git a/website/content/api-docs/secret/transit.mdx b/website/content/api-docs/secret/transit.mdx
@@ -1157,6 +1157,12 @@ supports signing.
     also change the output encoding to URL-safe Base64 encoding instead of
     standard Base64-encoding.
 
+- `salt_length` `(string: "auto")` – The salt length used to sign. This currently only applies to the RSA PSS signature scheme. Options are:
+
+  - `auto`: The default used by Golang (causing the salt to be as large as possible when signing)
+  - `hash`: Causes the salt length to equal the length of the hash used in the signature
+  - An integer between the minimum and the maximum permissible salt lengths for the given RSA key size.
+
 ### Sample Request
 
 ```shell-session
@@ -1328,6 +1334,12 @@ data.
     also expect the input encoding to URL-safe Base64 encoding instead of
     standard Base64-encoding.
 
+- `salt_length` `(string: "auto")` – The salt length used to sign. This currently only applies to the RSA PSS signature scheme. Options are:
+
+  - `auto`: The default used by Golang (causing the salt to be as large as possible when signing)
+  - `hash`: Causes the salt length to equal the length of the hash used in the signature
+  - An integer between the minimum and the maximum permissible salt lengths for the given RSA key size.
+
 ### Sample Request
 
 ```shell-session