Fix the RSA OID used for signing PKCS#7/SMIME

facutuesca · facutuesca · commit d8bc8909dadd · 2024-02-12T21:06:43.000+01:00
The current implementation computes the algorithm identifier used
in the `digest_encryption_algorithm` PKCS#7 field
(or `SignatureAlgorithmIdentifier` in S/MIME) based on both the
algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512).

This is correct for ECDSA signatures, where the OIDs used include the
digest algorithm (e.g: ecdsa-with-SHA512). However, due to historical
reasons, when signing with RSA the OID specified should be the one
corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption),
rather than OIDs which also include the digest algorithm (such as
"1.2.840.113549.1.1.13", sha512WithRSAEncryption).

This means that the logic to compute the algorithm identifier is the
same except when signing with RSA, in which case the OID will always
be `rsaEncryption`. This is consistent with the OpenSSL implementation,
and the RFCs that define PKCS#7 and S/MIME.

See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details.
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
@@ -196,7 +196,6 @@ fn sign_and_serialize<'p>(
             digest_algs.push(digest_alg.clone());
         }
         certs.push(cert.raw.borrow_dependent());
-
         signer_infos.push(pkcs7::SignerInfo {
             version: 1,
             issuer_and_serial_number: pkcs7::IssuerAndSerialNumber {
@@ -205,7 +204,7 @@ fn sign_and_serialize<'p>(
             },
             digest_algorithm: digest_alg,
             authenticated_attributes: authenticated_attrs,
-            digest_encryption_algorithm: x509::sign::compute_signature_algorithm(
+            digest_encryption_algorithm: compute_pkcs7_signature_algorithm(
                 py,
                 py_private_key,
                 py_hash_alg,
@@ -262,6 +261,42 @@ fn sign_and_serialize<'p>(
     }
 }
 
+fn compute_pkcs7_signature_algorithm<'p>(
+    py: pyo3::Python<'p>,
+    private_key: &'p pyo3::PyAny,
+    hash_algorithm: &'p pyo3::PyAny,
+    rsa_padding: &'p pyo3::PyAny,
+) -> pyo3::PyResult<common::AlgorithmIdentifier<'static>> {
+    let key_type = x509::sign::identify_key_type(py, private_key)?;
+
+    // If this is RSA-PSS we need to compute the signature algorithm from the
+    // parameters provided in rsa_padding.
+    if !rsa_padding.is_none() && rsa_padding.is_instance(types::PSS.get(py)?)? {
+        return x509::sign::compute_rsa_pss_signature_algorithm(
+            py,
+            private_key,
+            hash_algorithm,
+            rsa_padding,
+        );
+    }
+    // It's not an RSA PSS signature, so we compute the signature algorithm from
+    // the key type. For ECDSA signatures, the OID is determined by the signature algorithm
+    // and the digest algorithm. For RSA signatures, the OID is always the same no matter the
+    // digest algorithm.
+    match key_type {
+        x509::sign::KeyType::Ec => {
+            x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)
+        }
+        x509::sign::KeyType::Rsa => Ok(common::AlgorithmIdentifier {
+            oid: asn1::DefinedByMarker::marker(),
+            params: common::AlgorithmParameters::Rsa(None),
+        }),
+        _ => Err(pyo3::exceptions::PyTypeError::new_err(
+            "Key type must be either EC or RSA.",
+        )),
+    }
+}
+
 fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [u8]>) {
     let mut new_data_with_header = vec![];
     let mut new_data_without_header = vec![];
diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs
@@ -48,7 +48,10 @@ enum HashType {
     Sha3_512,
 }
 
-fn identify_key_type(py: pyo3::Python<'_>, private_key: &pyo3::PyAny) -> pyo3::PyResult<KeyType> {
+pub(crate) fn identify_key_type(
+    py: pyo3::Python<'_>,
+    private_key: &pyo3::PyAny,
+) -> pyo3::PyResult<KeyType> {
     if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? {
         Ok(KeyType::Rsa)
     } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? {
@@ -123,6 +126,47 @@ fn compute_pss_salt_length<'p>(
     }
 }
 
+pub(crate) fn compute_rsa_pss_signature_algorithm<'p>(
+    py: pyo3::Python<'p>,
+    private_key: &'p pyo3::PyAny,
+    hash_algorithm: &'p pyo3::PyAny,
+    rsa_padding: &'p pyo3::PyAny,
+) -> pyo3::PyResult<common::AlgorithmIdentifier<'static>> {
+    assert!(!rsa_padding.is_none() && rsa_padding.is_instance(types::PSS.get(py)?)?);
+    let hash_type = identify_hash_type(py, hash_algorithm)?;
+
+    // Compute the signature algorithm from the
+    // parameters provided in rsa_padding.
+    let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?;
+    let hash_algorithm_id = common::AlgorithmIdentifier {
+        oid: asn1::DefinedByMarker::marker(),
+        params: hash_alg_params,
+    };
+    let salt_length = compute_pss_salt_length(py, private_key, hash_algorithm, rsa_padding)?;
+    let py_mgf_alg = rsa_padding
+        .getattr(pyo3::intern!(py, "_mgf"))?
+        .getattr(pyo3::intern!(py, "_algorithm"))?;
+    let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?;
+    let mgf_alg = common::AlgorithmIdentifier {
+        oid: asn1::DefinedByMarker::marker(),
+        params: identify_alg_params_for_hash_type(mgf_hash_type)?,
+    };
+    let params = common::AlgorithmParameters::RsaPss(Some(Box::new(common::RsaPssParameters {
+        hash_algorithm: hash_algorithm_id,
+        mask_gen_algorithm: common::MaskGenAlgorithm {
+            oid: oid::MGF1_OID,
+            params: mgf_alg,
+        },
+        salt_length,
+        _trailer_field: 1,
+    })));
+
+    Ok(common::AlgorithmIdentifier {
+        oid: asn1::DefinedByMarker::marker(),
+        params,
+    })
+}
+
 pub(crate) fn compute_signature_algorithm<'p>(
     py: pyo3::Python<'p>,
     private_key: &'p pyo3::PyAny,
@@ -135,35 +179,7 @@ pub(crate) fn compute_signature_algorithm<'p>(
     // If this is RSA-PSS we need to compute the signature algorithm from the
     // parameters provided in rsa_padding.
     if !rsa_padding.is_none() && rsa_padding.is_instance(types::PSS.get(py)?)? {
-        let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?;
-        let hash_algorithm_id = common::AlgorithmIdentifier {
-            oid: asn1::DefinedByMarker::marker(),
-            params: hash_alg_params,
-        };
-        let salt_length = compute_pss_salt_length(py, private_key, hash_algorithm, rsa_padding)?;
-        let py_mgf_alg = rsa_padding
-            .getattr(pyo3::intern!(py, "_mgf"))?
-            .getattr(pyo3::intern!(py, "_algorithm"))?;
-        let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?;
-        let mgf_alg = common::AlgorithmIdentifier {
-            oid: asn1::DefinedByMarker::marker(),
-            params: identify_alg_params_for_hash_type(mgf_hash_type)?,
-        };
-        let params =
-            common::AlgorithmParameters::RsaPss(Some(Box::new(common::RsaPssParameters {
-                hash_algorithm: hash_algorithm_id,
-                mask_gen_algorithm: common::MaskGenAlgorithm {
-                    oid: oid::MGF1_OID,
-                    params: mgf_alg,
-                },
-                salt_length,
-                _trailer_field: 1,
-            })));
-
-        return Ok(common::AlgorithmIdentifier {
-            oid: asn1::DefinedByMarker::marker(),
-            params,
-        });
+        return compute_rsa_pss_signature_algorithm(py, private_key, hash_algorithm, rsa_padding);
     }
     // It's not an RSA PSS signature, so we compute the signature algorithm from
     // the union of key type and hash type.
