Re: [sidr] rsaEncryption vs sha256WithRSAEncryption in RPKI certificates

Russ Housley <housley@vigilsec.com> Thu, 23 May 2019 16:23 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB8A212012E for <sidr@ietfa.amsl.com>; Thu, 23 May 2019 09:23:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SUBJ_BRKN_WORDNUMS=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnEGiQWz-9S7 for <sidr@ietfa.amsl.com>; Thu, 23 May 2019 09:23:06 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56B73120126 for <sidr@ietf.org>; Thu, 23 May 2019 09:23:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 7768B300AEC for <sidr@ietf.org>; Thu, 23 May 2019 12:03:47 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id RqA3T6Z_5oBg for <sidr@ietf.org>; Thu, 23 May 2019 12:03:46 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id 29F25300471; Thu, 23 May 2019 12:03:46 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAA0dE=VOCvxb_0-pEB8CO=JZ9FShVf=pQ43pCmAeYCf9LRTTcw@mail.gmail.com>
Date: Thu, 23 May 2019 12:23:03 -0400
Cc: IETF SIDR <sidr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <ACD43E1A-5BBC-4710-A3D4-72EA7E1BC79F@vigilsec.com>
References: <CAA0dE=VOCvxb_0-pEB8CO=JZ9FShVf=pQ43pCmAeYCf9LRTTcw@mail.gmail.com>
To: Alberto Leiva <ydahhrk@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/MO85-zP9XBRZdw3BvEzlwurer70>
Subject: Re: [sidr] rsaEncryption vs sha256WithRSAEncryption in RPKI certificates
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2019 16:23:08 -0000


> On May 22, 2019, at 6:18 PM, Alberto Leiva <ydahhrk@gmail.com>; wrote:
> 
> Hello
> 
> Another question.
> 
> RFC 7935 states the following:
> 
> 3.1.  Public Key Format
> 
>   (...)
> 
>   algorithm (which is an AlgorithmIdentifier type):
>      The object identifier for RSA PKCS #1 v1.5 with SHA-256 MUST be
>      used in the algorithm field, as specified in Section 5 of
>      [RFC4055].  The value for the associated parameters from that
>      clause MUST also be used for the parameters field.
> 
> I've never seen a certificate that declares sha256WithRSAEncryption ({
> pkcs-1 11 }) as its public key algorithm. Every certificate I've come
> across labels its algorithm as rsaEncryption ({ pkcs-1 1 }).
> 
> (Certificates always define the signature algorithm as
> sha256WithRSAEncryption, but that's a different field.)
> 
> Is everyone doing it wrong, or am I missing something?
> 
> I'm aware that this is likely a triviality--rsaEncryption and
> sha256WithRSAEncryption probably mean the same in this context.
> There's also a thread in this list in which people seem to have
> experienced headaches over this topic. But the thread is talking about
> CMS signed objects (which I believe is different from certificates),
> and happened before 7935 was released, so it feels like the RFC should
> mandate something consistent with reality by now.
> 
> Thanks for any pointers.

You are right.

In the subjectPublicKeyInfo, the algorithm identifier should be rsaEncryption, which is { 1, 2, 840, 113549, 1, 1, 1 }.  This allow the public key to be used with PKCS#1 v1.5, RSASSA-PSS, and RSAES-OAEP.

In the signature, the algorithm identifier should be sha256WithRSAEncryption, which is { 1, 2, 840, 113549, 1, 1, 11 }.  This identifies PKCS#1 v1.5 with SHA-256 as the hash algorithm.

Russ