Score:1

PKCS#7 digest encryption algorithm - difference between rsaEncryption and sha256WithRsaEncryption

cn flag

As part of our linux secure boot implementation using dm-verity and root hash signature checking, I need to sign a file with the following openssl command (example):

openssl smime -sign -nocerts -noattr -binary -in unsigned.txt -inkey private.key -signer cert.pem -outform der -out signed.txt

This generates a PKCS#7 file which then can be processed successfully by the linux kernel.

But for production we don't use openssl but PrimeKey Signserver (which is based on bouncycastle) with CMS signer. Here I was not able to configure the CMS signer to generate a working PKCS#7 so far. The problem is a difference in digest_enc_algorithm as seen in the image below (Left: signserver, right: openssl).

enter image description here

The problem is, that the kernel wont support that OID. Simply adding the sha256WithRsaEncryption to the switch fixes the problem, but I am not sure if this is a valid solution. Kernel fix

Another "fix" I found was simply replacing the OID of the signed PKCS#7 file, which also raises a few questions for me?!

Now my questions:

  • Is there a real difference between rsaEncryption and sha256WithRsaEncryption in that context?
  • Why is it possible to alter the PKCS#7 file and everything works fine?
  • Would it be a valid fix to add the OID in the switch-case in the kernel? (at least from a crypto perspective)

Thank you for your support!

UPDATE: Found this issue on the backlog of PrimeKey signserver.

dave_thompson_085 avatar
cn flag
rsaEncryption is the only defined OID in PKCS7 (available as RFC2315, see 9.4) probably because it was written during the PKCS1v1 era when signature was misunderstod as 'backwards encryption' and (always) separable from the hash; CMS renamed digestEncryptionAlgorithm to signatureAlgorithm and then extended the value (2630 12.2.2 only rsaEncryption but 3370 3.2 also {sha1,md5}withRSA, with more added since). While PKCS7 and CMS are _mostly_ the same, this is one difference, and Bouncy is CMS not PKCS7.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.