+/**
+ * \brief Type for a RSA signature generation engine (PSS).
+ *
+ * Parameters are:
+ *
+ * - An initialized PRNG for salt generation. If the salt length is
+ * zero (`salt_len` parameter), then the PRNG is optional (this is
+ * not the typical case, as the security proof of RSA/PSS is
+ * tighter when a non-empty salt is used).
+ *
+ * - The hash function which was used to hash the message.
+ *
+ * - The hash function to use with MGF1 within the PSS padding. This
+ * is not necessarily the same function as the one used to hash the
+ * message.
+ *
+ * - The hashed message.
+ *
+ * - The salt length, in bytes.
+ *
+ * - The RSA private key.
+ *
+ * - The output buffer, that receives the signature.
+ *
+ * Returned value is 1 on success, 0 on error. Error conditions include
+ * a too small modulus for the provided hash and salt lengths, or some
+ * invalid key parameters. The signature length is exactly
+ * `(sk->n_bitlen+7)/8` bytes.
+ *
+ * This function is expected to be constant-time with regards to the
+ * private key bytes (lengths of the modulus and the individual factors
+ * may leak, though) and to the hashed data.
+ *
+ * \param rng PRNG for salt generation (`NULL` if `salt_len` is zero).
+ * \param hf_data hash function used to hash the signed data.
+ * \param hf_mgf1 hash function to use with MGF1.
+ * \param hash hashed message.
+ * \param salt_len salt length (in bytes).
+ * \param sk RSA private key.
+ * \param x output buffer for the signature value.
+ * \return 1 on success, 0 on error.
+ */
+typedef uint32_t (*br_rsa_pss_sign)(const br_prng_class **rng,
+ const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
+ const unsigned char *hash_value, size_t salt_len,
+ const br_rsa_private_key *sk, unsigned char *x);
+