Re: [sidr] rsaEncryption vs sha256WithRSAEncryption in RPKI certificates

Martin Hoffmann <martin@opennetlabs.com> Thu, 23 May 2019 09:23 UTC

Return-Path: <martin@opennetlabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C08B1200F8 for <sidr@ietfa.amsl.com>; Thu, 23 May 2019 02:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.89
X-Spam-Level:
X-Spam-Status: No, score=-6.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_SUBJ_BRKN_WORDNUMS=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rKuHVm3Zs3bv for <sidr@ietfa.amsl.com>; Thu, 23 May 2019 02:23:13 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07EBD120019 for <sidr@ietf.org>; Thu, 23 May 2019 02:23:12 -0700 (PDT)
Received: from glaurung.nlnetlabs.nl (unknown [IPv6:2a04:b900:0:1:a2c5:89ff:feb5:e311]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 14E6A1DA6D; Thu, 23 May 2019 11:23:10 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none (p=none dis=none) header.from=opennetlabs.com
Authentication-Results: dicht.nlnetlabs.nl; spf=none smtp.mailfrom=martin@opennetlabs.com
Date: Thu, 23 May 2019 11:23:09 +0200
From: Martin Hoffmann <martin@opennetlabs.com>
To: Alberto Leiva <ydahhrk@gmail.com>
Cc: sidr@ietf.org
Message-ID: <20190523112309.71b7ab70@glaurung.nlnetlabs.nl>
In-Reply-To: <CAA0dE=VOCvxb_0-pEB8CO=JZ9FShVf=pQ43pCmAeYCf9LRTTcw@mail.gmail.com>
References: <CAA0dE=VOCvxb_0-pEB8CO=JZ9FShVf=pQ43pCmAeYCf9LRTTcw@mail.gmail.com>
Organization: Open Netlabs
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/81TfSH_c5F2w5sBLxWo52zJcJs4>
Subject: Re: [sidr] rsaEncryption vs sha256WithRSAEncryption in RPKI certificates
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2019 09:23:15 -0000

Alberto Leiva wrote:
> 
> RFC 7935 states the following:
> 
> 3.1.  Public Key Format
> 
>    (...)
> 
>    algorithm (which is an AlgorithmIdentifier type):
>       The object identifier for RSA PKCS #1 v1.5 with SHA-256 MUST be
>       used in the algorithm field, as specified in Section 5 of
>       [RFC4055].  The value for the associated parameters from that
>       clause MUST also be used for the parameters field.
> 
> I've never seen a certificate that declares sha256WithRSAEncryption ({
> pkcs-1 11 }) as its public key algorithm. Every certificate I've come
> across labels its algorithm as rsaEncryption ({ pkcs-1 1 }).

I’ve been struggling with this, too. My conclusion was that RFC 7935 is
misleading at best. Section 5 of RFC 4055 talks about signature
algorithms not public key algorithms. Section 1.2 of RFC 4055 states

|   The rsaEncryption object identifier continues to identify the subject
|   public key when the RSA private key owner does not wish to limit the
|   use of the public key exclusively to either RSASSA-PSS or RSAES-OAEP.
|   In this case, the rsaEncryption object identifier MUST be used in the
|   algorithm field within the subject public key information, and the
|   parameters field MUST contain NULL.

So, for RSA v1.5, the key algorithm must be rsaEncryption. Routinator
does indeed require that. It doesn’t insist on the presence of the NULL,
though, and allows absent parameters.

The certificates we are generating in Krill will all have rsaEncryption
as the algorithm and the NULL paramteres field.

Kind regards,
Martin