On 2015-05-21 03:15, Bilal Ashraf wrote:
On 5/20/2015 10:49 PM, Richard Hansen wrote:
* Suppose digestAlgorithm contains sha-1. Is there any functional
difference between choosing rsaEncryption vs. sha1WithRSAEncryption
for the signatureAlgorithm field?
[Bilal] : If you look at RFC 2315 (PKCS#7), the ASN.1 structure of
SignerInfo is:
SignerInfo ::= SEQUENCE {
  version Version,
  issuerAndSerialNumber IssuerAndSerialNumber,
  digestAlgorithm DigestAlgorithmIdentifier,
  authenticatedAttributes
    [0] IMPLICIT Attributes OPTIONAL,
  digestEncryptionAlgorithm
    DigestEncryptionAlgorithmIdentifier,
  encryptedDigest EncryptedDigest,
  unauthenticatedAttributes
    [1] IMPLICIT Attributes OPTIONAL }
Here the field is called "digestEncryptionAlgorithm" and it should be
e.g. "rsaEncryption", while "digestAlgorithm" should be something like "sha-1".
In RFC 3852 (CMS), which maintains backward compatibility with PKCS#7,
the ASN.1 structure of SignerInfo is:
SignerInfo ::= SEQUENCE {
  version CMSVersion,
  sid SignerIdentifier,
  digestAlgorithm DigestAlgorithmIdentifier,
  signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue,
  unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
Here the field is called "signatureAlgorithm" and it should be e.g.
"sha1WithRSAEncryption", while "digestAlgorithm" should be something like
"sha-1".
I'd like to get some historical context: Do you know why the semantics
of digestEncryptionAlgorithm (rsaEncryption) was changed to
signatureAlgorithm (sha1WithRSAEncryption)?
Here "signatureAlgorithm" alone can be used to pick the
digest algorithm
So an implementation conforming to RFC5652 is allowed to ignore
digestAlgorithm when validating a signature? I couldn't find anywhere
in RFC5652 or RFC3370 that suggests this. If so, this means that it is
not OK to put rsaEncryption in the signatureAlgorithm field, as that
doesn't specify which digest algorithm to use.
but IMHO, "digestAlgorithm" remains there for backward
compatibility with PKCS#7.
OK, backward compatibility makes sense.
"digestAlgorithm" must be compatible with the
"signatureAlgorithm", otherwise tool kits that process this structure
will give an error.
Where does RFC5652 or RFC3370 state this requirement? I couldn't find
anything.
Are digestAlgorithm and signatureAlgorithm required to be compatible for
PKCS#7 compatibility? Is PKCS#7 compatibility required by RFC5652?
Thanks,
Richard
CMS tool kits must be able to process both types of structures, and tool
kits that generate CMS should create it as per the new structure, i.e. use
"signatureAlgorithm" instead of "digestEncryptionAlgorithm", while
"digestAlgorithm" remains as it is.
* What happens if I put sha-1 in digestAlgorithm but choose
md5WithRSAEncryption for signatureAlgorithm?
[Bilal] : See above.
* In general, what is the relationship between the digest algorithm
associated with the chosen signatureAlgorithm and the chosen
digestAlgorithm?
[Bilal] : See above.
Thanks,
Richard
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
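The compatibility check the thread argues about, as an added example that is not from Bilal, Richard or any toolkit mentioned here: it round-trips AlgorithmIdentifier OIDs through DER and applies the rule a verifier can use when signatureAlgorithm is plain rsaEncryption (digestAlgorithm decides) versus a <digest>WithRSAEncryption OID (the implied digest must agree with digestAlgorithm, so the sha-1 + md5WithRSAEncryption case from the thread is rejected). The OIDs are the standard PKCS#1 and OIW assignments; all inputs are constructed and no real signature is involved.

```python
# Added example (not from the thread): DER round-trip for AlgorithmIdentifier
# OIDs plus the digestAlgorithm/signatureAlgorithm consistency check a CMS
# toolkit applies before verifying a SignerInfo. All inputs are constructed.

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"          # rsaEncryption, names no digest
DIGEST_OIDS = {"1.2.840.113549.2.5": "md5",
               "1.3.14.3.2.26": "sha-1",
               "2.16.840.1.101.3.4.2.1": "sha-256"}
RSA_WITH_DIGEST = {"1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
                   "1.2.840.113549.1.1.5": "sha-1",    # sha1WithRSAEncryption
                   "1.2.840.113549.1.1.11": "sha-256"}  # sha256WithRSAEncryption

def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # base-128, high bit set on all but the last
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    """Parse a short-form DER OBJECT IDENTIFIER back to dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    arcs, value = [der[2] // 40, der[2] % 40], 0
    for b in der[3:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def effective_digest(digest_alg: bytes, sig_alg: bytes) -> str:
    """Digest the verifier must use, or ValueError if the two fields disagree.
    rsaEncryption implies no digest, so digestAlgorithm decides; a
    <digest>WithRSAEncryption OID implies one and must match digestAlgorithm."""
    digest = DIGEST_OIDS.get(decode_oid(digest_alg))
    if digest is None:
        raise ValueError("unsupported digestAlgorithm")
    sig_oid = decode_oid(sig_alg)
    if sig_oid == RSA_ENCRYPTION:
        return digest
    implied = RSA_WITH_DIGEST.get(sig_oid)
    if implied is None:
        raise ValueError("unsupported signatureAlgorithm")
    if implied != digest:
        raise ValueError(f"digestAlgorithm {digest} vs signatureAlgorithm {implied}")
    return digest
```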