Does kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw perform padding?

The "documentation" is poorly worded.

Answered by DTS Engineer in 776916022

To add more context, does it work like CKM_RSA_PKCS?

Accepted Answer

Consider this program:

// See <https://developer.apple.com/forums/thread/710961> for `secCall(…)`.

let privateKey = try secCall { SecKeyCreateRandomKey([
    kSecAttrKeyType: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits: 2048
] as NSDictionary, $0) }

let digest = Data(1...20)

let signature = try secCall { SecKeyCreateSignature(privateKey, .rsaSignatureDigestPKCS1v15SHA1, digest as NSData, $0) }
print((signature as NSData).debugDescription)

// SEQUENCE {
//   SEQUENCE {
//     OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
//     NULL
//     }
//   OCTET STRING 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14
//   }

let digestDER = Data([
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x01,
    0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
    0x12, 0x13, 0x14,
])
let signatureDER = try secCall { SecKeyCreateSignature(privateKey, .rsaSignatureDigestPKCS1v15Raw, digestDER as NSData, $0) }
print((signatureDER as NSData).debugDescription)

It prints the same value for signature and signatureDER [1].

As you can see, the .rsaSignatureDigestPKCS1v15Raw is expecting the digest to be embedded within a DER structure with an appropriate OID identifying the algorithm. This is the DigestInfo structure, as defined in section 10.1.2 of RFC 2313.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Taking advantage of the fact that old school RSA signatures are deterministic, which is terrible cryptographic practice but great for debugging (-:
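
The wrapping step described in the answer above, as an added example that is not part of the original post or Apple's code: it builds DigestInfo for a precomputed digest before calling the Raw algorithm. It goes beyond the SHA-1 case in the post by including the SHA-256, SHA-384 and SHA-512 prefixes from RFC 8017 section 9.2; `DigestAlgorithm`, `DigestLengthMismatch`, `digestInfo` and `signRaw` are hypothetical names.

```swift
import Foundation
import Security

/// DigestInfo DER prefixes (AlgorithmIdentifier plus OCTET STRING header)
/// from RFC 8017 section 9.2, note 1. The SHA-1 entry is the prefix used
/// in the post above.
enum DigestAlgorithm {  // hypothetical helper type, not a Security framework API
    case sha1, sha256, sha384, sha512

    var derPrefix: [UInt8] {
        switch self {
        case .sha1:
            return [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
                    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14]
        case .sha256:
            return [0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
                    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20]
        case .sha384:
            return [0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
                    0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30]
        case .sha512:
            return [0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
                    0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40]
        }
    }
}

struct DigestLengthMismatch: Error {}

/// Wraps a precomputed digest in DigestInfo. The final prefix byte is the
/// OCTET STRING length, so it doubles as the expected digest size.
func digestInfo(for digest: Data, algorithm: DigestAlgorithm) throws -> Data {
    let prefix = algorithm.derPrefix
    guard digest.count == Int(prefix[prefix.count - 1]) else { throw DigestLengthMismatch() }
    return Data(prefix) + digest
}

/// Signs with the Raw algorithm, which expects the caller to supply DigestInfo.
func signRaw(digest: Data, algorithm: DigestAlgorithm, key: SecKey) throws -> Data {
    let input = try digestInfo(for: digest, algorithm: algorithm)
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .rsaSignatureDigestPKCS1v15Raw, input as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return signature as Data
}
```

Rejecting a digest whose length does not match the declared algorithm keeps a mislabelled hash from being signed under the wrong OID.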
