crypto: fix regression in RSA-PSS keygen

Fixes: nodejs#39936
Refs: nodejs#35093

src/crypto/crypto_rsa.h

@@ -25,10 +25,11 @@ struct RsaKeyPairParams final : public MemoryRetainer {
   unsigned int modulus_bits;
   unsigned int exponent;
 
-  // The following used for RSA-PSS
+  // The following options are used for RSA-PSS. If any of them are set, a
+  // RSASSA-PSS-params sequence will be added to the key.
   const EVP_MD* md = nullptr;
   const EVP_MD* mgf1_md = nullptr;
-  int saltlen = 0;
+  int saltlen = -1;
 
   SET_NO_MEMORY_INFO()
   SET_MEMORY_INFO_NAME(RsaKeyPairParams)

test/parallel/test-crypto-keygen.js

@@ -346,6 +346,29 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
   }));
 }
 
+{
+  // 'rsa-pss' should not add a RSASSA-PSS-params sequence by default.
+  // Regression test for: https://github.com/nodejs/node/issues/39936
+
+  generateKeyPair('rsa-pss', {
+    modulusLength: 512
+  }, common.mustSucceed((publicKey, privateKey) => {
+    const expectedKeyDetails = {
+      modulusLength: 512,
+      publicExponent: 65537n
+    };
+    assert.deepStrictEqual(publicKey.asymmetricKeyDetails, expectedKeyDetails);
+    assert.deepStrictEqual(privateKey.asymmetricKeyDetails, expectedKeyDetails);
+
+    // To allow backporting the fix to versions that do not support
+    // asymmetricKeyDetails for RSA-PSS params, also verify that the exported
+    // AlgorithmIdentifier member of the SubjectPublicKeyInfo has the expected
+    // length of 11 bytes (as opposed to > 11 bytes if node added params).
+    const spki = publicKey.export({ format: 'der', type: 'spki' });
+    assert.strictEqual(spki[3], 11, spki.toString('hex'));
+  }));
+}
+
 {
   const privateKeyEncoding = {
     type: 'pkcs8',