RFE: accept additional OIDs to signify RSA signatures

RESOLVED FIXED in 3.9.1

Status: RESOLVED FIXED
Product: NSS
Component: Libraries
Priority: P3
Severity: enhancement

Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail)


As reported in bug 214602 and others, some SMIME email programs create 
signed messages, where the "digestEncryptionAlgorithm" OID in the signerInfo
contains the OID
    2A 86 48 86 F7 0D 01 01 05
    Description = sha1withRSAEncryption (1 2 840 113549 1 1 5) (PKCS #1)
mozilla expects to receive this OID instead:
    2A 86 48 86 F7 0D 01 01 01
    Description = rsaEncryption (1 2 840 113549 1 1 1) (PKCS #1)

I believe that mozilla's behavior is correct here.  That is, given that 
a signature contains a SHA1 digest, encrypted with PKCS1 RSA, I believe
the correct value to use for "digestEncryptionAlgorithm" is the one that
mozilla expects.  

However, in the spirit of the old Internet maxim:
   "Be generous in what you accept but strict in what you send."
I think that we could change NSS to also accept this other OID without 
introducing any great security weakness.  I will attach a patch that
implements that tiny change.
Comment 1 (Assignee, 15 years ago)
Created attachment 138917 [details] [diff] [review]
patch v1

With this patch, the signature on the test message appears valid.
Comment 2 (Assignee, 15 years ago)
Accepting bug for NSS 3.9.1
Status: NEW → ASSIGNED
Priority: -- → P3
Target Milestone: --- → 3.9.1
Comment 3 (Assignee, 15 years ago)
Comment on attachment 138917 [details] [diff] [review]
patch v1

Terry, do you think this is acceptable?  and, is it a good idea?
Attachment #138917 - Flags: review?(thayes0993)
Updated (Assignee, 15 years ago)
Blocks: 214602

Comment 4 (15 years ago)
RFC 3370 (the latest update to the CMS formats) allows implementations to 
support these additional OIDs.

   The rsaEncryption algorithm identifier is used to identify RSA (PKCS
   #1 v1.5) signature values regardless of the message digest algorithm
   employed.  CMS implementations that include the RSA (PKCS #1 v1.5)
   signature algorithm MUST support the rsaEncryption signature value
   algorithm identifier, and CMS implementations MAY support RSA (PKCS
   #1 v1.5) signature value algorithm identifiers that specify both the
   RSA (PKCS #1 v1.5) signature algorithm and the message digest
   algorithm.

   The algorithm identifier for RSA (PKCS #1 v1.5) with SHA-1 signature
   values is:

      sha1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
          member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   The algorithm identifier for RSA (PKCS #1 v1.5) with MD5 signature
   values is:

      md5WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
          member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

Comment 5 (15 years ago)
Comment on attachment 138917 [details] [diff] [review]
patch v1

You might also include the signature OID for RSA with MD5.  However, since most
new implementations use SHA-1, the gain in compatibility is probably very
small.
Attachment #138917 - Flags: review?(thayes0993) → review+
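To make the discussion in comments 4 and 5 concrete, here is an added example (not NSS code and not the attached patch) that decodes the DER OID content octets quoted in the bug into dotted form and applies the acceptance rule under discussion: rsaEncryption always, and the combined sha1WithRSAEncryption / md5WithRSAEncryption identifiers only in the lenient mode the patch introduces. The function names and the `lenient` flag are this example's own, not NSS's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER OID content octets quoted in the bug (tag and length omitted). */
static const uint8_t OID_RSA_ENCRYPTION[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01};
static const uint8_t OID_SHA1_WITH_RSA[]  = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05};
static const uint8_t OID_MD5_WITH_RSA[]   = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04};

/* Decode DER OID content octets to dotted form ("1.2.840..."). 0 on success, -1 if malformed. */
int oid_to_dotted(const uint8_t *oid, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, i; int first = 1, n;
    uint32_t arc = 0;
    if (len == 0 || outlen == 0 || (oid[len - 1] & 0x80)) return -1; /* empty or truncated */
    for (i = 0; i < len; i++) {
        if (arc > (UINT32_MAX >> 7)) return -1;        /* arc would overflow */
        arc = (arc << 7) | (oid[i] & 0x7F);            /* base-128, high bit = more octets */
        if (oid[i] & 0x80) continue;
        if (first) {                                   /* first arc packs 40*X + Y */
            uint32_t x = arc < 80 ? arc / 40 : 2, y = arc - 40 * x;
            n = snprintf(out + pos, outlen - pos, "%u.%u", (unsigned)x, (unsigned)y);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%u", (unsigned)arc);
        }
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return 0;
}

/* Convenience for checks: does the encoded OID decode to the given dotted string? */
int oid_equals_dotted(const uint8_t *oid, size_t len, const char *dotted)
{
    char buf[64];
    return oid_to_dotted(oid, len, buf, sizeof buf) == 0 && strcmp(buf, dotted) == 0;
}

/* Acceptance rule from the bug (hypothetical API). lenient=0: rsaEncryption only (old behaviour);
 * lenient=1: also the combined digest+RSA OIDs that RFC 3370 says implementations MAY support. */
int is_accepted_rsa_signature_oid(const uint8_t *oid, size_t len, int lenient)
{
    if (len == sizeof OID_RSA_ENCRYPTION && memcmp(oid, OID_RSA_ENCRYPTION, len) == 0) return 1;
    if (!lenient) return 0;
    return (len == sizeof OID_SHA1_WITH_RSA && memcmp(oid, OID_SHA1_WITH_RSA, len) == 0)
        || (len == sizeof OID_MD5_WITH_RSA && memcmp(oid, OID_MD5_WITH_RSA, len) == 0);
}
```

Note that the check compares the complete encoded identifier, so the digest named inside a combined OID still has to match the digest actually used; it only widens which encodings are recognised as "RSA PKCS #1 v1.5".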
Comment 6 (Assignee, 15 years ago)
/cvsroot/mozilla/security/nss/lib/smime/cmssiginfo.c,v  <--  cmssiginfo.c
new revision: 1.25; previous revision: 1.24

Thanks, Terry!
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED