
Re: [smime] CMS signed object algorithm selection question

2015-05-21 13:37:10
On 2015-05-21 03:15, Bilal Ashraf wrote:
On 5/20/2015 10:49 PM, Richard Hansen wrote:
  * Suppose digestAlgorithm contains sha-1. Is there any functional
    difference between choosing rsaEncryption vs. sha1WithRSAEncryption
    for the signatureAlgorithm field?

[Bilal] : If you look at RFC 2315 (PKCS#7), the ASN.1 structure of
signerInfo is:

SignerInfo ::= SEQUENCE {
     version Version,
     issuerAndSerialNumber IssuerAndSerialNumber,
     digestAlgorithm DigestAlgorithmIdentifier,
     authenticatedAttributes
       [0] IMPLICIT Attributes OPTIONAL,
     digestEncryptionAlgorithm
       DigestEncryptionAlgorithmIdentifier,
     encryptedDigest EncryptedDigest,
     unauthenticatedAttributes
       [1] IMPLICIT Attributes OPTIONAL }

Here it is mentioned as "digestEncryptionAlgorithm" and it should be
e.g. "rsaEncryption", while the "digestAlgorithm" should be like "sha-1".

In RFC 3852 (CMS), which maintains backward compatibility with PKCS#7,
the ASN.1 structure of signerInfo is:

SignerInfo ::= SEQUENCE {
        version CMSVersion,
        sid SignerIdentifier,
        digestAlgorithm DigestAlgorithmIdentifier,
        signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
        signatureAlgorithm SignatureAlgorithmIdentifier,
        signature SignatureValue,
        unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

Here it is mentioned as "signatureAlgorithm" and it should be e.g.
"sha1withrsaEncryption", while the "digestAlgorithm" should be like

I'd like to get some historical context:  Do you know why the semantics
of digestEncryptionAlgorithm (rsaEncryption) was changed to
signatureAlgorithm (sha1WithRSAEncryption)?

Here "signatureAlgorithm" alone can be used to pick the
digest algorithm

So an implementation conforming to RFC5652 is allowed to ignore
digestAlgorithm when validating a signature?  I couldn't find anywhere
in RFC5652 or RFC3370 that suggests this.  If so, this means that it is
not OK to put rsaEncryption in the signatureAlgorithm field, as that
doesn't specify which digest algorithm to use.

but IMHO, "digestAlgorithm" remains there for backward
compatibility with PKCS#7.

OK, backward compatibility makes sense.

"digestAlgorithm" must be compatible with the
"signatureAlgorithm", otherwise tool kits that process this structure
will give an error.

Where does RFC5652 or RFC3370 state this requirement?  I couldn't find

Are digestAlgorithm and signatureAlgorithm required to be compatible for
PKCS#7 compatibility?  Is PKCS#7 compatibility required by RFC5652?


CMS tool kits must be able to process both types of structures, and tool
kits that generate CMS should create it as per the new structure, i.e. use
"signatureAlgorithm" instead of "digestEncryptionAlgorithm" while
"digestAlgorithm" remains as it is.

  * What happens if I put sha-1 in digestAlgorithm but choose
    md5WithRSAEncryption for signatureAlgorithm?

[Bilal] : See above.

  * In general, what is the relationship between the digest algorithm
    associated with the chosen signatureAlgorithm and the chosen

[Bilal] : See above.
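The verifier-side check the questions above are circling, as an added example that is not from the thread or any CMS toolkit: it walks the RFC 5652 SignerInfo layout quoted above with a hand-written DER reader, compares the digest implied by signatureAlgorithm with digestAlgorithm, and rejects a mismatch such as sha-1 paired with md5WithRSAEncryption. The policy that a bare rsaEncryption defers to digestAlgorithm is an assumption of this example, and the sample SignerInfo is constructed with a dummy sid and signature.

```python
# Added example: consistency check between SignerInfo.digestAlgorithm and signatureAlgorithm.
def tlvs(der: bytes):
    """Yield (tag, value) for each top-level DER element; handles long-form lengths."""
    i = 0
    while i < len(der):
        tag, n = der[i], der[i + 1]
        i += 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + n]
        i += n

def decode_oid(b: bytes) -> str:
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

SHA1, MD5 = "2b0e03021a", "2a864886f70d0205"          # OID content octets
RSA, SHA1_RSA, MD5_RSA = "2a864886f70d010101", "2a864886f70d010105", "2a864886f70d010104"
dotted = lambda h: decode_oid(bytes.fromhex(h))
# Digest implied by each signatureAlgorithm; rsaEncryption implies none, so digestAlgorithm governs (assumed policy).
IMPLIED_DIGEST = {dotted(SHA1_RSA): dotted(SHA1), dotted(MD5_RSA): dotted(MD5), dotted(RSA): None}

def signer_info_digest(der: bytes) -> str:
    """Return the digest OID a verifier should use, or raise if the two fields disagree."""
    tag, body = next(tlvs(der))
    if tag != 0x30:
        raise ValueError("SignerInfo must be a SEQUENCE")
    f = list(tlvs(body))                              # version, sid, digestAlgorithm, ...
    sig_idx = 4 if f[3][0] == 0xA0 else 3             # skip signedAttrs [0] IMPLICIT if present
    digest = decode_oid(next(tlvs(f[2][1]))[1])       # AlgorithmIdentifier.algorithm
    sig = decode_oid(next(tlvs(f[sig_idx][1]))[1])
    if sig not in IMPLIED_DIGEST:
        raise ValueError(f"unsupported signatureAlgorithm {sig}")
    if IMPLIED_DIGEST[sig] not in (None, digest):
        raise ValueError(f"signatureAlgorithm implies {IMPLIED_DIGEST[sig]} but digestAlgorithm is {digest}")
    return digest

def tlv(tag: int, payload: bytes) -> bytes:          # short-form lengths only (sample builder)
    return bytes([tag, len(payload)]) + payload

def sample_signer_info(sig_alg_hex: str, signed_attrs: bool = False) -> bytes:
    # Constructed SignerInfo: dummy sid and signature, digestAlgorithm fixed to sha-1.
    alg = lambda h: tlv(0x30, tlv(0x06, bytes.fromhex(h)) + b"\x05\x00")
    sid = tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))
    attrs = tlv(0xA0, b"") if signed_attrs else b""       # placeholder, not valid attributes
    return tlv(0x30, tlv(0x02, b"\x01") + sid + alg(SHA1) + attrs + alg(sig_alg_hex) + tlv(0x04, bytes(4)))
```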
