
CMS signatureAlgorithm for RSA with SHA3

Open a20dev opened this issue 3 years ago • 1 comments

Both OpenSSL 3.0.7 and 1.1.1r use rsaEncryption (1.2.840.113549.1.1.1) for CMS with SHA3-256 for signatureAlgorithm of signerInfos. Other software such as BouncyCastle uses rsassa-pkcs1-v1-5-with-sha3-256 (2.16.840.1.101.3.4.3.14).

When reading https://datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sha3-hash-00.txt (is there a newer/final version?) together with the analogous RFC 8702 (which is more precise), I come to the conclusion that rsaEncryption shouldn't be used for signatureAlgorithm of signerInfos.

a20dev avatar Nov 23 '22 08:11 a20dev

Forgot to add demonstration code:

    # self-signed RSA-2048 certificate and unencrypted key, signed with SHA3-384
    openssl req -new -x509 -newkey rsa:2048 -sha3-384 -nodes -keyout private.pem -out cert.pem -subj "/CN=test" -days 999
    echo data > data
    # detached-less CMS/SMIME signature over the file, digest SHA3-512, DER output
    openssl smime -sign -binary -md sha3-512 -in data -signer cert.pem -inkey private.pem -outform DER -out sig.p7
    # dump the structure to inspect signerInfos.signatureAlgorithm
    openssl asn1parse -item CMS_ContentInfo -inform DER -in sig.p7

The output includes this:

    signerInfos:
      [...]
       signatureAlgorithm: 
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
          parameter: NULL

a20dev avatar Nov 23 '22 08:11 a20dev
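A small check for the field the dump above shows, added here as an illustration and not taken from the issue or from OpenSSL itself: it decodes a DER AlgorithmIdentifier and reports whether the SignerInfo signatureAlgorithm is the digest-agnostic rsaEncryption OID or one of the SHA3-specific RSA OIDs. Only the -256 OID appears in the issue; the -224/-384/-512 siblings are taken from the NIST CSOR arc, and the two sample encodings are constructed by hand.

```python
from typing import Optional, Tuple

# OIDs named in the issue
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
RSASSA_PKCS1_V1_5_WITH_SHA3_256 = "2.16.840.1.101.3.4.3.14"
# siblings from the NIST CSOR arc (not on the issue page)
RSA_WITH_SHA3 = {
    "2.16.840.1.101.3.4.3.13": "sha3-224",
    RSASSA_PKCS1_V1_5_WITH_SHA3_256: "sha3-256",
    "2.16.840.1.101.3.4.3.15": "sha3-384",
    "2.16.840.1.101.3.4.3.16": "sha3-512",
}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Dotted string from OID contents; first byte packs the first two arcs."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der: bytes) -> Tuple[str, Optional[bytes]]:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, nxt = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid), (seq[nxt:] or None)

def classify_signature_algorithm(der: bytes) -> str:
    """'rsaEncryption', 'rsa-with-<sha3 digest>' or 'other:<oid>'."""
    oid, _params = parse_algorithm_identifier(der)
    if oid == RSA_ENCRYPTION:
        return "rsaEncryption"
    if oid in RSA_WITH_SHA3:
        return "rsa-with-" + RSA_WITH_SHA3[oid]
    return "other:" + oid

# constructed samples: what OpenSSL emits (per the dump) and what BouncyCastle emits
OPENSSL_SIGALG = bytes.fromhex("300d06092a864886f70d0101010500")   # rsaEncryption, NULL
BC_SIGALG = bytes.fromhex("300b060960864801650304030e")            # ...with-sha3-256
```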

marking as inactive, will be closed at the completion of 3.4 dev without further input

nhorman avatar Jun 07 '24 20:06 nhorman

bump

a20dev avatar Jun 07 '24 20:06 a20dev

Can you move the question forward? In answer to your immediate question, yes, the link you provided above shows that there is a superseding draft: https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-sha3-hash

Is your question whether you should use SHA3 or SHAKE instead of RSA to sign data? That's up to you; RSA is still a perfectly valid signing mechanism.

nhorman avatar Jun 08 '24 00:06 nhorman