On Fri, 2010-09-24 at 09:40 +0200, Umberto Rustichelli aka Ubi wrote:
> Andre Zepezauer wrote:
> > On Thu, 2010-09-23 at 15:50 +0200, Andre Zepezauer wrote:
> >   
> >> On Thu, 2010-09-23 at 14:19 +0200, Umberto Rustichelli aka Ubi wrote:
> >>     
> >>> Dear all, I have been digging a bit into the OpenSC and OpenSSL code 
> >>> because I have a doubt.
> >>>
> >>> Using keys on smart cards via the OpenSC engine, I am almost sure that 
> >>> by producing a PKCS7 the signature is of type "sha1WithRSAEncryption" 
> >>> (at least without any special options), that implies using specific 
> >>> kinds of padding for the digest before the RSA encryption, for instance.
> >>>
> >>> The signature in the PKCS7, though, is marked as an object of type 
> >>> "rsaEncryption" (can tell with the asn1parse command).
> >>>
> >>> Is it correct to say that they are the same, or, better, that
> >>>
> >>> 1) "rsaEncryption" includes the "sha1WithRSAEncryption" type
> >>>
> >>> 2) "sha1WithRSAEncryption" is what the PKCS7 API does by default?
> >>>      (I know, this is rather an OpenSSL-related question)
> >>>       
> >> You can find the corresponding definitions in [1] section 11. My
> >> conclusion is, that both algorithms apply a pkcs1 padding before
> >> exponentiation. And "sha1WithRSAEncryption" hashes input data before
> >> padding but "rsaEncryption" doesn't do that.
> >>
> >>     
> 
> 
> 
> >> "Signature algorithms are always used in conjunction with a one-way hash
> >> function." [2]
> >>
> >> Therefore it is an error when the algorithm identifier carried with a
> >> signature is "rsaEncryption". Right?
> >>     
> >
> > Ooops. Excerpt [2] only applies to X509 certificates and crls. What is
> > required for pkcs7 signatures?
> >
> >   
> I am specifically talking of PKCS#7 signedData, not detached, so it is, 
> in brief:
> ORIGINAL CONTENT + SIGNER'S CERTIFICATE + SIGNER INFO that includes the 
> signature.
> Signature is the RSA encryption of the hash of the content or, if 
> authenticated attributes are present in signer info, of the hash of 
> authenticated attributes.
> If they are present, they also contain the hash of the original content, 
> so indirectly you're also signing the hash of the original content.
> This is the theory and also what OpenSSL does, at least according to my 
> inspection of the code.
> You can use more than one hash type, so you are free to end with a 
> "rsaEncryption" object (OpenSSL), but I know that other vendors produce 
> sha1WithRSAEncryption and/or sha256WithRSAEncryption. I hope this 
> answers your question.
> 
> Back to your reply, you're signing a hash, but for what I understand you 
> are telling me that such hash is re-hashed before padding...
> I'm going back to the code and to the documents you've sent me to 
> understand things better, thank you very much.

No, there should be no re-hashing. Hashing is done only once.

I don't know pkcs7 spec in detail, but if it allows signatures without
hashing, then "rsaEncryption" should be fine. If "rsaEncryption" is used
for signing it means, that the "ORIGINAL CONTENT" is padded and signed.
No hashing is done.

On the other hand, if the "ORIGINAL CONTENT" is sha1-hashed and padded
and signed, then the signature must contain the algorithm identifier
"sha1WithRSAEncryption".

Your pkcs7 implementation is definitely misbehaving, when "ORIGINAL
CONTENT" is greater than size of signing-key (1) and algorithm
identifier on signature is "rsaEncryption". Because rsa can only sign
data smaller than key-size.

(1) both measured in bytes

> >> [1] http://tools.ietf.org/html/rfc2313
> >> [2] http://tools.ietf.org/html/rfc3279#section-2.2
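
The following Python illustration is an added example, not part of the thread and not OpenSC or OpenSSL code. It encodes PKCS#1 v1.5 block type 01 as defined in RFC 2313 [1], once over a SHA-1 DigestInfo and once over the content itself, and shows the k - 11 byte limit on the second path. All function names are assumptions made for the example; k = 128 in the usage corresponds to a 1024-bit modulus.

```python
import hashlib

# Added illustration; function names are hypothetical, not an OpenSSL/OpenSC API.
# DER prefix of DigestInfo { sha1, NULL } up to the 20-byte OCTET STRING header.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def pad_type1(data, k):
    """PKCS#1 v1.5 block type 01: 00 01 FF..FF 00 || data, k bytes in total."""
    if len(data) > k - 11:  # at least 8 bytes of FF padding are mandatory
        raise ValueError(f"{len(data)} bytes do not fit a {k}-byte modulus")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data


def encode_hashed(content, k):
    """Hash the content once, wrap the digest in DigestInfo, then pad."""
    digest_info = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(content).digest()
    return pad_type1(digest_info, k)


def encode_raw(content, k):
    """Pad the content itself with no hashing; its length is bounded by k."""
    return pad_type1(content, k)


def classify(block):
    """Strip the padding from a recovered block and report what it carries."""
    if block[:2] != b"\x00\x01":
        raise ValueError("not a block type 01")
    sep = block.index(b"\x00", 2)  # first zero byte after the FF run
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("malformed padding")
    payload = block[sep + 1:]
    if len(payload) == 35 and payload.startswith(SHA1_DIGESTINFO_PREFIX):
        return "sha1-digestinfo", payload[15:]
    return "raw", payload


if __name__ == "__main__":
    k = 128  # modulus length in bytes (constructed value)
    print(classify(encode_hashed(b"A" * 1000, k))[0])  # content of any length
    print(classify(encode_raw(b"hello", k)))           # content must be <= k - 11
```

Running classify() on the block recovered with the signer's public key shows whether a given signature was computed over a DigestInfo or over directly padded data.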

