Synthesized PSS support

[williamcroberts]

The TPM is very broken wrt to RSA PSS signatures.The architecture doc states in B.7,

For both restricted and unrestricted signing keys, the random salt length will be the largest size allowed
by the key size and message digest size.

IIUC, this means that the saltlen = bytes(keysize) - bytes(hashlen), so given an RSA 2048 key with a sha256 hash, the length is 224 bytes.

TLS 1.3 requires that slen == hlen. This is also a comon paradigm in other software stacks, so we want to ensure that if SLEN does not equal bytes(keysize) - bytes(hlen), that we synthesize by applying the padding and using raw RSA encryption if present.

[williamcroberts]

So we need to update the checks, they all check that halg == mgf1 halg match:
https://github.com/tpm2-software/tpm2-pkcs11/blob/master/src/lib/mech.c#L261

Looks like we want to enable the padding via:
RSA_padding_add_PKCS1_PSS()

The problem is, we need a flag, to indicate to the framework to synthesize it for that transaction. Currently we know to synthesize it based on a flag or'd in with the algorithm in the table, but perhaps we need a per-transaction state, or since the CK_MECHANISM_PTR is heading into:

• mech_synthesize()
• mech_is_synthetic()

Probably just update those to check and return the right value.

[williamcroberts]

or maybe since TPM's support of PSS is "non-standard", just always synthesizethe signature. This will have a dependency on removing the tpm verify call, since this won't actually verify in the TPM AFAIK. I could be wrong.