Folks,
I have a few questions regarding the interpretation of the algorithm
identifiers used in CMS in the SignerInfo structure.
SignerInfo ::= SEQUENCE {
    version            CMSVersion,
    sid                SignerIdentifier,
    digestAlgorithm    DigestAlgorithmIdentifier,
    signedAttrs        [0] IMPLICIT SignedAttributes OPTIONAL,
    signatureAlgorithm SignatureAlgorithmIdentifier,
    signature          SignatureValue,
    unsignedAttrs      [1] IMPLICIT UnsignedAttributes OPTIONAL }
This structure includes both a digestAlgorithm and a signatureAlgorithm,
and there are two cases: either signedAttrs are present or not.
Let us first look at case 1, signedAttrs are present.
In that case, we hash the content with the "digestAlgorithm",
and then compute the signature on the DER of signedAttrs with
"signatureAlgorithm".
My first question is: is it authorized to have a _different_
hash function in the digestAlgorithm and the signatureAlgorithm?
For instance, can I hash the content with MD5 and sign the signedAttrs
with "RSA-SHA1"? How about PSS? What about the general case?
Now, in case 2, we have both a hash function defined in "digestAlgorithm"
and a hash function (implicitly defined) in "signatureAlgorithm"
(except for the special "rsaEncryption" identifier).
In that case, is it authorized to have a _different_ hash function
in digestAlgorithm and signatureAlgorithm? And if so, how to interpret
it? Assuming I have MD5 for the digest and RSA-SHA1
for the signature, should I interpret it as an RSA-MD5 signature?
As an RSA-SHA1 signature? Or should I consider the CMS as invalid?
Is there a general rule?
Thank you very much for your clarifications.
Regards,
--
Julien Stern
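As an added illustration, and not part of Julien's message or any particular library, the following Python pulls digestAlgorithm and signatureAlgorithm out of a DER-encoded SignerInfo (with or without signedAttrs) and applies one defensible verifier policy for the mismatch question raised above: when signatureAlgorithm names its own hash (sha1WithRSAEncryption and friends), that hash must equal digestAlgorithm, otherwise the SignerInfo is rejected; plain rsaEncryption implies no hash, so digestAlgorithm alone governs. The policy, the hand-rolled DER helpers and the sample SignerInfo (version 3, a subjectKeyIdentifier sid and a placeholder signature value) are all this example's own assumptions; RSASSA-PSS is recognised but its hash lives in the AlgorithmIdentifier parameters, which the example does not decode.

```python
"""Extract CMS SignerInfo algorithm identifiers and check they are consistent.
Everything here is an added example: the strict-match policy is a choice,
not a rule quoted from RFC 5652."""

OID_NAMES = {
    "1.2.840.113549.2.5": "md5",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
}
# Hash implied by the signature algorithm: None = not implied (rsaEncryption),
# "params" = carried in the AlgorithmIdentifier parameters (PSS, not decoded here).
IMPLIED_HASH = {
    "rsaEncryption": None,
    "md5WithRSAEncryption": "md5",
    "sha1WithRSAEncryption": "sha1",
    "sha256WithRSAEncryption": "sha256",
    "RSASSA-PSS": "params",
}

# ---- minimal DER decoding (single-byte tags, short and long lengths) ----
def read_tlv(buf, pos=0):
    """Return (tag, value, end_offset) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_children(buf):
    """Split the content of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted string from OBJECT IDENTIFIER content octets."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_signer_info(der):
    """Return digest/signature algorithm names and whether signedAttrs is present."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("SignerInfo must be a SEQUENCE")
    fields = read_children(body)           # version, sid, digestAlgorithm, [0]?, sigAlg, signature, [1]?
    i = 2                                  # skip version and sid
    digest_alg, i = fields[i], i + 1
    signed_attrs_present = fields[i][0] == 0xA0   # [0] IMPLICIT SET, constructed
    if signed_attrs_present:
        i += 1
    sig_alg = fields[i]
    def alg_name(field):                   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
        oid = decode_oid(read_children(field[1])[0][1])
        return OID_NAMES.get(oid, oid)
    return {"digestAlgorithm": alg_name(digest_alg),
            "signatureAlgorithm": alg_name(sig_alg),
            "signedAttrsPresent": signed_attrs_present}

def check_consistency(info):
    """Strict policy: (ok, reason). Mismatched hashes are rejected, not reinterpreted."""
    dig, sig = info["digestAlgorithm"], info["signatureAlgorithm"]
    if sig not in IMPLIED_HASH:
        return False, f"unsupported signatureAlgorithm {sig}"
    implied = IMPLIED_HASH[sig]
    if implied is None:
        return True, f"{sig} implies no hash; digestAlgorithm {dig} is the one used"
    if implied == "params":
        return False, "RSASSA-PSS hash is in the parameters, which this example does not decode"
    if implied != dig:
        return False, f"digestAlgorithm {dig} != hash named by signatureAlgorithm ({implied})"
    return True, "consistent"

# ---- constructed sample SignerInfo (placeholder signature, no real key) ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def alg_id(oid):                           # NULL parameters for every algorithm (sample only)
    return tlv(0x30, encode_oid(oid) + b"\x05\x00")

def build_signer_info(digest_oid, sig_oid, with_signed_attrs):
    parts = tlv(0x02, b"\x03")                          # version 3 (subjectKeyIdentifier sid)
    parts += tlv(0x80, b"\x01\x02\x03\x04")             # sid [0] IMPLICIT SubjectKeyIdentifier
    parts += alg_id(digest_oid)
    if with_signed_attrs:                               # one contentType attribute = id-data
        attr = tlv(0x30, encode_oid("1.2.840.113549.1.9.3")
                   + tlv(0x31, encode_oid("1.2.840.113549.1.7.1")))
        parts += tlv(0xA0, attr)
    parts += alg_id(sig_oid)
    parts += tlv(0x04, b"\x00" * 8)                      # placeholder SignatureValue
    return tlv(0x30, parts)

if __name__ == "__main__":
    for d, s, attrs in [("1.3.14.3.2.26", "1.2.840.113549.1.1.5", True),
                        ("1.2.840.113549.2.5", "1.2.840.113549.1.1.5", False),
                        ("1.2.840.113549.2.5", "1.2.840.113549.1.1.1", False)]:
        info = parse_signer_info(build_signer_info(d, s, attrs))
        print(info, check_consistency(info))
```

The second sample (MD5 digest, sha1WithRSAEncryption signature) is exactly the ambiguous combination asked about; under this policy a verifier refuses to guess which hash was meant and reports the SignerInfo as inconsistent, which is the safer reading than silently picking one of the two.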