
Re: Signing a SignedData object with RSA

1998-07-08 07:36:50
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
>> - the signatureAlgorithm of the SignerInfo is to be a proper signature
>> algorithm, like sha1WithRSASignature
>
> Correct.
Actually, no. At least not if we want to maintain compatibility
with PKCS-7. Remember that in PKCS-7, this field was known as
digestEncryptionAlgorithm. It's just rsaEncryption. 

If you reference note 2 of section 9.4, this becomes clear:

     2.   The input to the encryption process typically will
          have 30 or fewer octets. If
          digestEncryptionAlgorithm is PKCS #1's
          rsaEncryption, then this means that the input can
          be encrypted in a single block as long as the
          length of the RSA modulus is at least 328 bits,
          which is reasonable and consistent with security
          recommendations.

Also, see S 9.5
9.5 Compatibility with Privacy-Enhanced Mail

Compatibility with the MIC-ONLY and MIC-CLEAR process types
in PEM occurs when the content type of the ContentInfo value
being signed is data, there are no authenticated attributes,
the message-digest algorithm is md2 or md5, and the digest-
encryption algorithm is PKCS #1's rsaEncryption. Under all
those conditions, the encrypted message digest produced here
matches the one produced in PEM because:

     1.   The value input to the message-digest algorithm in
          PEM is the same as in this standard when there are
          no authenticated attributes. MD2 and MD5 in PEM
          are the same as md2 and md5.
          
     2.   The value encrypted with the signer's private key
          in PEM (as specified in RFC 1423) is the same as
          in this standard when there are no authenticated
          attributes. RSA private-key encryption in PEM is
          the same as PKCS #1's rsaEncryption.
          
The other parts of the signed-data content type
(certificates, CRLs, algorithm identifiers, etc.) are easily
translated to and from their corresponding PEM components.


> This is also what my implementation does. Does anyone else
> do it differently?

This 
Two comments:
1. This is the right thing to do. That's why the digestAlgorithm
field is present.
2. DSA must of course be DSA-with-SHA-1.

-Ekr

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
                "Put it in the top slot."
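An added worked example, not part of the thread and not anyone's implementation from it: it builds the PKCS #1 v1.5 block that PKCS #7 calls the encrypted message digest and shows why the digestEncryptionAlgorithm field can say plain rsaEncryption. The hash algorithm already travels in SignerInfo.digestAlgorithm and again inside the DER DigestInfo that gets RSA-encrypted, so the encryptedDigest bytes come out identical whether that field is labelled rsaEncryption or sha1WithRSAEncryption. The verifier takes the hash from digestAlgorithm, tolerates a combined OID only when it agrees with that field (a design choice made here, not something the post states), and compares the entire recovered block instead of parsing DigestInfo leniently. The RSA key generation is a constructed pure-Python toy so the file runs offline, the OIDs are the standard ones, and the sample content is constructed.

```python
import hashlib
import secrets

OID_MD5 = "1.2.840.113549.2.5"
OID_SHA1 = "1.3.14.3.2.26"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # PKCS #7 digestEncryptionAlgorithm
OID_MD5_WITH_RSA = "1.2.840.113549.1.1.4"     # combined OIDs sometimes found in that field
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"

HASHES = {OID_MD5: hashlib.md5, OID_SHA1: hashlib.sha1}
# Combined OIDs this verifier tolerates, keyed by the digestAlgorithm they must agree with.
COMBINED_OIDS = {OID_MD5_WITH_RSA: OID_MD5, OID_SHA1_WITH_RSA: OID_SHA1}

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER content octets: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return bytes(out)

def digest_info(digest_oid, digest):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier (NULL parameters), OCTET STRING }."""
    alg_id = der(0x30, der(0x06, encode_oid(digest_oid)) + der(0x05, b""))
    return der(0x30, alg_id + der(0x04, digest))

def encode_block(digest_oid, content, k):
    """PKCS #1 v1.5 signature block of k octets: 00 01 FF..FF 00 || DigestInfo."""
    t = digest_info(digest_oid, HASHES[digest_oid](content).digest())
    if k < len(t) + 11:
        raise ValueError("RSA modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _is_probable_prime(n, rounds=32):
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=512, e=65537):
    """Constructed toy RSA key (n, e, d) so the demo runs offline; not for real use."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1   # odd, full bit length
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def sign(digest_oid, content, n, d):
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(encode_block(digest_oid, content, k), "big"), d, n)
    return {"digestAlgorithm": digest_oid,
            "digestEncryptionAlgorithm": OID_RSA_ENCRYPTION,  # plain RSA, per PKCS #7
            "encryptedDigest": s.to_bytes(k, "big")}

def verify(signer_info, content, n, e):
    """Rebuild the whole block from digestAlgorithm and compare it with the recovered one."""
    digest_oid, enc_oid = signer_info["digestAlgorithm"], signer_info["digestEncryptionAlgorithm"]
    if digest_oid not in HASHES or (enc_oid != OID_RSA_ENCRYPTION and COMBINED_OIDS.get(enc_oid) != digest_oid):
        return False   # unknown hash, or a combined OID that contradicts digestAlgorithm
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signer_info["encryptedDigest"], "big")
    if len(signer_info["encryptedDigest"]) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, encode_block(digest_oid, content, k))

if __name__ == "__main__":
    n, e, d = generate_rsa_key()
    si = sign(OID_SHA1, b"constructed sample content", n, d)
    print(si["digestEncryptionAlgorithm"], verify(si, b"constructed sample content", n, e))
```

Needs Python 3.8 or newer (for `pow(e, -1, phi)` and the walrus operator). Swapping OID_SHA1 for OID_MD5 in sign() changes only the DigestInfo inside the block; digestEncryptionAlgorithm stays rsaEncryption, which is the point Ekr makes about the digestAlgorithm field carrying the hash choice.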
