4

I have a requirement wherein we have to verify the PE binaries generated for an aarch64 platform.

These binaries are then signed using the opensource sbsign tool to generate a signed PE binary with PKCS7 signedData structure included in the SECURITY section of the binary. These binaries have to be verified by the bootloader (in our case uboot) before they are loaded.

I stumbled across a patch which made use of the ARM-software/u-boot to verify the signedData section. As can be seen, the functions in this file such as rsa_verify() and rsa_verify_with_keynode() refer to verifying an RSA PKCS1.5 signature.

My question is, is this the same as verifying the PKCS7 signedData structure? It would be great if someone could help me understand.

kelalaka
  • 49,797
  • 12
  • 123
  • 211
Faisal
  • 143
  • 1
  • 3

1 Answers1

2

What is the difference between PKCS#1 v1.5 and PKCS#7?

PKCS#7 makes use of cryptographic primitives defined by PKCS#1 v1.5.

PKCS#7 is defined in RFC 2315. The modern PKCS#1 is v2.2 (also RFC 8017), and has a modern description of the schemes in PKCS#1 v1.5, including RSASSA-PKCS1-v1_5.

Is verifying a PKCS#1 v1.5 signature the same as verifying the PKCS#7 signedData structure?

Verifying a PKCS#7 signedData structure involves verifying a RSA PKCS#1 v1.5 signature, but also a number of important steps before that, including parsing that data structure, and checks which depend on context. signedData has features which might not be needed by in a bootloader, like certificates with revocation lists.

Community
  • 1
fgrieu
  • 149,326
  • 13
  • 324
  • 622