2025-05-04

Digital signatures in TLS 1.3 – Digital Signatures

9.4 Digital signatures in TLS 1.3

To agree upon the signature algorithms they want to use during their TLS session, Alice and Bob use two TLS 1.3 extensions. The algorithms for verifying digital signatures in certificates – a topic we will cover in detail in Chapter 10, Digital Certificates and Certification Authorities – are transmitted in the signature_algorithms_cert extension. The algorithms for digital signatures in CertificateVerify messages are transmitted in the signature_algorithms extension.

Oftentimes, the set of digital signature algorithms that server Alice implements is different from the one that client Bob implements. The purpose of the signature_algorithms_cert extension is to allow Alice and Bob to communicate the algorithms they support and, as a result, determine which algorithms they can use for their TLS session.

If Alice and Bob omit the signature_algorithms_cert extension, then the signature algorithms specified in the signature_algorithms extension are also used for calculating and verifying digital signatures in certificates.

When client Bob wants server Alice to authenticate herself using a certificate, Bob must send Alice the signature_algorithms extension with his choice of signature algorithms. If, on the other hand, server Alice uses certificates to authenticate herself, and client Bob does not send the signature_algorithms extension, then Alice immediately terminates the TLS handshake and sends the missing_extension alert to client Bob.

The signature_algorithms_cert and signature_algorithms extensions both have a field called extension_data. This field carries a data structure called SignatureSchemeList, which contains a list of digital signature algorithms that client Bob can use. Listing 9.1 shows the SignatureSchemeList data structure.

Listing 9.1: Data structure holding the digital signature algorithms Bob can use.

struct {
   SignatureScheme supported_signature_algorithms<2..2^16-2>;
} SignatureSchemeList;

Each entry in SignatureSchemeList is a value of an enumeration type SignatureScheme, shown in Listing 9.2. A SignatureScheme value refers to a specific digital signature algorithm that client Bob is willing to accept. The algorithms in SignatureSchemeList are listed in descending order of Bob’s preference.

Listing 9.2: Digital signature algorithms supported in TLS 1.3

enum {
   /* RSASSA-PKCS1-v1_5 algorithms */
   rsa_pkcs1_sha256(0x0401),
   rsa_pkcs1_sha384(0x0501),
   rsa_pkcs1_sha512(0x0601),

   /* ECDSA algorithms */
   ecdsa_secp256r1_sha256(0x0403),
   ecdsa_secp384r1_sha384(0x0503),
   ecdsa_secp521r1_sha512(0x0603),

   /* RSASSA-PSS algorithms with public key OID rsaEncryption */
   rsa_pss_rsae_sha256(0x0804),
   rsa_pss_rsae_sha384(0x0805),
   rsa_pss_rsae_sha512(0x0806),

   /* EdDSA algorithms */
   ed25519(0x0807),
   ed448(0x0808),
   /* Legacy algorithms */
   rsa_pkcs1_sha1(0x0201),

   — snip —

} SignatureScheme;
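
The extension_data layout of Listings 9.1 and 9.2 and the negotiation rules described above, as an added Python example (this is not code from the book or from any TLS implementation): it encodes and parses a SignatureSchemeList, enforces the <2..2^16-2> length bounds, picks the CertificateVerify algorithm the way a server would (the first entry in the client's preference order that the server supports), falls back to signature_algorithms for certificate signatures when signature_algorithms_cert is absent, and reports a missing_extension alert when certificate authentication is requested without signature_algorithms. The function names, the dict-of-extensions input and the "no_common_algorithm" marker are my own assumptions; the code points are those of Listing 9.2.

```python
import struct

# SignatureScheme code points as listed in Listing 9.2 (RFC 8446 values).
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0201: "rsa_pkcs1_sha1",  # legacy
}

MIN_LIST_LEN, MAX_LIST_LEN = 2, 2**16 - 2  # the <2..2^16-2> bounds of Listing 9.1


def encode_signature_scheme_list(codes):
    """Build extension_data for signature_algorithms(_cert): a 2-byte length
    followed by 2-byte SignatureScheme values in descending preference order."""
    body = b"".join(struct.pack("!H", code) for code in codes)
    if not MIN_LIST_LEN <= len(body) <= MAX_LIST_LEN:
        raise ValueError("SignatureSchemeList length out of range")
    return struct.pack("!H", len(body)) + body


def parse_signature_scheme_list(extension_data):
    """Parse extension_data back into its list of code points (order preserved).
    Unknown code points are kept rather than rejected: a peer ignores values it
    does not recognise, and the selection step below simply never picks them."""
    if len(extension_data) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("!H", extension_data[:2])
    body = extension_data[2:]
    if len(body) != length:
        raise ValueError("length prefix does not match extension_data size")
    if not MIN_LIST_LEN <= length <= MAX_LIST_LEN or length % 2:
        raise ValueError("SignatureSchemeList length out of range or odd")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def certificate_signature_schemes(client_extensions):
    """Algorithms acceptable for signatures *in certificates*:
    signature_algorithms_cert if present, otherwise signature_algorithms."""
    data = client_extensions.get("signature_algorithms_cert")
    if data is None:
        data = client_extensions.get("signature_algorithms")
    return [] if data is None else parse_signature_scheme_list(data)


def choose_certificate_verify_scheme(client_extensions, server_supported):
    """Server-side choice of the CertificateVerify algorithm.
    client_extensions: constructed dict mapping extension name -> raw
    extension_data (my assumption for how a handshake parser hands them over).
    Returns the scheme name, or an 'alert:...' / 'no_common_algorithm' marker."""
    data = client_extensions.get("signature_algorithms")
    if data is None:
        # Certificate authentication requested without signature_algorithms:
        # the server aborts the handshake with a missing_extension alert.
        return "alert:missing_extension"
    for code in parse_signature_scheme_list(data):  # client's preference order
        if code in server_supported:
            return SIGNATURE_SCHEMES.get(code, f"0x{code:04x}")
    return "no_common_algorithm"  # assumption: the caller decides how to abort


if __name__ == "__main__":
    # Constructed ClientHello: prefers ed25519, then ECDSA P-256, then RSA-PSS.
    client = {"signature_algorithms": encode_signature_scheme_list([0x0807, 0x0403, 0x0804])}
    server_supports = {0x0804, 0x0403}  # constructed: server holds an ECDSA or RSA key
    print(client["signature_algorithms"].hex())                       # 0006080704030804
    print(choose_certificate_verify_scheme(client, server_supports))  # ecdsa_secp256r1_sha256
    print(choose_certificate_verify_scheme({}, server_supports))      # alert:missing_extension
```

The server walks the client's list in order and stops at the first match, which is what makes the descending-preference ordering of Listing 9.1 meaningful: a client that lists rsa_pkcs1_sha1 last will only ever see it chosen by a server that supports nothing earlier in the list.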

We’ll now turn to the RSA-based signature algorithms in TLS, before we look at the ECDSA-based algorithms.
