Neither of them seem right to me. Please review section 3 of RFC 3370.
Russ
At 12:53 PM 1/19/2007, Julien Stern wrote:
On Fri, Jan 19, 2007 at 12:08:29PM -0500, Russ Housley wrote:
> Julien:
>
> Does the examples document (RFC 4134) help answer your questions?
Russ,
unfortunately, they do not. As far as I have seen, they use either
'sha1' as the digestAlgorithm and 'dsaWithSha1' as the signature
algorithm or 'sha1' as the digestAlgorithm and 'rsaEncryption' as
the signature algorithm.
So either there is the "magic" OID rsaEncryption, which is not a
real signature OID, or the hash function defined in 'dsaWithSha1'
matches 'sha1'.
To present my question is a possibly more constructive way,
please find below two snippets of what could be clarifications
to CMS signatures from my humble point of view.
The list could then tell me which snippet is the "correct" one,
and decide whether it could be regarded as a worthwhile addition
to one of the WG document or not.
Regards,
--
Julien
Possible clarification 1:
-------------------------
The signatureAlgorithm field in SignerInfo should be interpreted
in a special way inside CMS. It may either contain a fully-fledged
signature algorithm, or the special OID rsaEncryption.
When it contains a fully-fledged algorithm, the digestAlgorithm
MUST be coherent with the digest used in the signatureAlgorithm
(e.g. if the signature algorithm is RSA with SHA-1, the digestAlgorithm
MUST be SHA-1, otherwise the verification fails).
When it contains the special OID rsaEncryption, the full signature
algorithm is defined by looking the digestAlgorithm and will
be an RSA PKCS1.5 signature with the hash function specified
in digestAlgorithm.
Possible clarification 2:
-------------------------
The signatureAlgorithm field in SignerInfo should be interpreted
in a special way inside CMS. It may either contain a fully-fledged
signature algorithm, or the special OID rsaEncryption and should be
interpreted differently depending on whether signedAttrs are present
or not.
When signedAttrs are present and a fully-fledged signatureAlgorithm
is present, the digestAlgorithm is only used to hash the content,
and the fully-fledged algorithm is used to sign the signedAttrs.
Therefore, it is possible to have MD5 as the digestAlgorithm
and RSA with SHA-1 as the signature algorithm.
When the signedAttrs are present and the special OID rsaEncryption
is present, the digestAlgorithm is used to hash the content,
and an RSA PKCS1.5 signature with the hash function specified in
digestAlgorithm is used to sign the signedAttrs.
When signedAttrs are not present and a fully-fledged signatureAlgorithm
is present, the digestAlgorithm MUST be coherent with the digest used
in the signatureAlgorithm (e.g. if the signature algorithm is RSA with
SHA-1, the digestAlgorithm MUST be SHA-1, otherwise the verification fails).
Finally, when signedAttrs are not present and the special OID rsaEncryption
is present, the full signature algorithm on the content is defined by
looking the digestAlgorithm and will be an RSA PKCS1.5 signature with the
hash function specified in digestAlgorithm.
> Russ
>
>
> >Folks,
> >
> >I have a few questions regarding the interpretation of the algorithm
> >identifiers used in CMS in the SignerInfo structure.
> >
> >SignerInfo ::= SEQUENCE {
> > version CMSVersion,
> > sid SignerIdentifier,
> > digestAlgorithm DigestAlgorithmIdentifier,
> > signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
> > signatureAlgorithm SignatureAlgorithmIdentifier,
> > signature SignatureValue,
> > unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
> >
> >
> >This structure includes both a digestAlgorithm and a signatureAlgorithm,
> >and there are two cases: either signedAttrs are present or not.
> >
> >Let us first look at case 1, signedAttrs are present.
> >In that case, we hash the content with the "digestAlgorithm",
> >and then compute the signature on the DER of signedAttrs with
> >"signatureAlgorithm".
> >
> >My first question is: is it authorized to have a _different_
> >hash function is the digestAlgorithm and the signatureAlgorithm ?
> >For instance, can I hash the content with MD5 and sign the signedAttrs
> >with "RSA-SHA1" ? How about PSS ? About about the general case ?
> >
> >Now, in case 2, we have both a hash function defined in "digestAlgorithm"
> >and a hash function (implicitely defined) in "signatureAlgorithm"
> >(except for the special "rsaEncryption" identifier).
> >
> >In that case, is it authorized to have a _different_ hash function
> >in digestAlgorithm and signatureAlgorithm ? And if so, how to interpret
> >it ? Assuming I have MD5 for the digest and RSA-SHA1
> >for the signature, should I interpret it as a RSA-MD5 signature ?
> >As a RSA-SHA1 signature ? Or should I consider the CMS as invalid ?
> >Is there a general rule ?
> >
> >Thank you very much for your clarifications.
> >
> >Regards,
> >
> >--
> >Julien Stern
>