sha256WithRSAEncryption vs rsaEncryption

Maks · 09.02.2022 05:48:53

Добрый день коллеги,

Формируя подпись с помощью NCALayer и KalkanCrypt получаю практически одинаковую структуру пакета CMS, за исключением:

<OBJECT_IDENTIFIER Comment=“PKCS #1” Description=“sha256WithRSAEncryption”>1.2.840.113549.1.1.11</OBJECT_IDENTIFIER>
и
<OBJECT_IDENTIFIER Comment=“PKCS #1” Description=“rsaEncryption”>1.2.840.113549.1.1.1</OBJECT_IDENTIFIER>

Подскажите пожалуйста в чем разница rsaEncryption и sha256WithRSAEncryption? и как привести флаги KalkanCrypt чтобы получить sha256WithRSAEncryption
сейчас код следующий:

$flags = KC_SIGN_CMS +
KC_IN_BASE64 +
KC_OUT_BASE64 +
KC_DETACHED_DATA +
KC_WITH_TIMESTAMP;
$ret = $PHP_LIB->SignData(‘test’, $flags, $data, $outSign);
$err = $PHP_LIB->GetLastError($errStr);

NcaLayer CMS

<SEQUENCE>
 <OBJECT_IDENTIFIER Comment="PKCS #7" Description="signedData">1.2.840.113549.1.7.2</OBJECT_IDENTIFIER>
 <NODE Sign="a0">
  <SEQUENCE>
   <INTEGER>1</INTEGER>
   <SET>
    <SEQUENCE>
     <OBJECT_IDENTIFIER Comment="NIST Algorithm" Description="sha-256">2.16.840.1.101.3.4.2.1</OBJECT_IDENTIFIER>
     <NULL/>
    </SEQUENCE>
   </SET>
   <SEQUENCE>
    <OBJECT_IDENTIFIER Comment="PKCS #7" Description="data">1.2.840.113549.1.7.1</OBJECT_IDENTIFIER>
   </SEQUENCE>
   <NODE Sign="a0">
    <SEQUENCE>
     <SEQUENCE>
      <NODE Sign="a0">
       <INTEGER>2</INTEGER>
      </NODE>
      <INTEGER>0x3C84B3394B0FADE320F4E219F9F66B316DA87C98</INTEGER>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #1" Description="sha256WithRSAEncryption">1.2.840.113549.1.1.11</OBJECT_IDENTIFIER>
       <NULL/>
      </SEQUENCE>
      <SEQUENCE>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="countryName">2.5.4.6</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>KZ</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="commonName">2.5.4.3</OBJECT_IDENTIFIER>
         <UTF8_STRING>ҰЛТТЫҚ КУӘЛАНДЫРУШЫ ОРТАЛЫҚ (RSA)</UTF8_STRING>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <UTC_TIME>14.06.2021, 09:23:51</UTC_TIME>
       <UTC_TIME>14.06.2022, 09:23:51</UTC_TIME>
      </SEQUENCE>
      <SEQUENCE>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="commonName">2.5.4.3</OBJECT_IDENTIFIER>
         <UTF8_STRING>XXXXXXXXX XXXXXXXXX</UTF8_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="surname">2.5.4.4</OBJECT_IDENTIFIER>
         <UTF8_STRING>XXXXXXXXX</UTF8_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="serialNumber">2.5.4.5</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>IIN123456789558</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="countryName">2.5.4.6</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>KZ</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="givenName">2.5.4.42</OBJECT_IDENTIFIER>
         <UTF8_STRING>КОНСТАНТИНОВИЧ</UTF8_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="PKCS #9. Deprecated, use an altName extension instead" Description="emailAddress">1.2.840.113549.1.9.1</OBJECT_IDENTIFIER>
         <IA5_STRING>XXXXXXXXX@XXXXXXXXX.RU</IA5_STRING>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <SEQUENCE>
        <OBJECT_IDENTIFIER Comment="PKCS #1" Description="rsaEncryption">1.2.840.113549.1.1.1</OBJECT_IDENTIFIER>
        <NULL/>
       </SEQUENCE>
       <BIT_STRING>
        <SEQUENCE>
         <INTEGER>0x008B38B057F67120D9A4BD3044C985C35198966F94E4F28F0E6292EF71AC18AB02390970EE47BB7A649748FB271362B92486001B6102E6479C8D7203D158D97EE48E41EF1C791CDD2988C5C978167F13CDD8A55F2DE9725E77D065F31A979301A61182AE851B78952B0BE5E1AA25EA5FC813DEB995A38EF4BD3FEFF6F8CBE30FD57461293ADC596031D462AD76D10AD470582BDCC7C658F715D8AAA2F5EFD96E6EB0BEAD64C98145B4E551104766EE89D12A322427DABA56073B96AF460FA9A667B2DD03E2A13319296428ABF3AA89F388636D96276A85EC14CF4CDB2B0F30A6C9BAC188BEF0224698C949C9862EE9301DE622C1E3B044F401702E75A553A84E9B</INTEGER>
         <INTEGER>65537</INTEGER>
        </SEQUENCE>
       </BIT_STRING>
      </SEQUENCE>
      <NODE Sign="a3">
       <SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="keyUsage">2.5.29.15</OBJECT_IDENTIFIER>
         <BOOLEAN>true</BOOLEAN>
         <OCTET_STRING>
          <BIT_STRING>0x06C0</BIT_STRING>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="extKeyUsage">2.5.29.37</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <OBJECT_IDENTIFIER Comment="PKIX key purpose" Description="emailProtection">1.3.6.1.5.5.7.3.4</OBJECT_IDENTIFIER>
           <OBJECT_IDENTIFIER>1.2.398.3.3.4.1.1</OBJECT_IDENTIFIER>
           <OBJECT_IDENTIFIER>1.2.398.3.3.4.3.2.1</OBJECT_IDENTIFIER>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="authorityKeyIdentifier">2.5.29.35</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <NODE Sign="80">[jt</NODE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="subjectKeyIdentifier">2.5.29.14</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <OCTET_STRING>0x343F16C672B5505E2ED0166BA16A803AC65EACB7</OCTET_STRING>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="certificatePolicies">2.5.29.32</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <OBJECT_IDENTIFIER>1.2.398.3.3.2.3</OBJECT_IDENTIFIER>
            <SEQUENCE>
             <SEQUENCE>
              <OBJECT_IDENTIFIER Comment="PKIX policy qualifier" Description="cps">1.3.6.1.5.5.7.2.1</OBJECT_IDENTIFIER>
              <IA5_STRING>http://pki.gov.kz/cps</IA5_STRING>
             </SEQUENCE>
             <SEQUENCE>
              <OBJECT_IDENTIFIER Comment="PKIX policy qualifier" Description="unotice">1.3.6.1.5.5.7.2.2</OBJECT_IDENTIFIER>
              <SEQUENCE>
               <UTF8_STRING>http://pki.gov.kz/cps</UTF8_STRING>
              </SEQUENCE>
             </SEQUENCE>
            </SEQUENCE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="cRLDistributionPoints">2.5.29.31</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <NODE Sign="a0">
             <NODE Sign="a0">
              <NODE Sign="86">http://crl.pki.gov.kz/nca_rsa.crl</NODE>
              <NODE Sign="86">http://crl1.pki.gov.kz/nca_rsa.crl</NODE>
             </NODE>
            </NODE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="freshestCRL">2.5.29.46</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <NODE Sign="a0">
             <NODE Sign="a0">
              <NODE Sign="86">http://crl.pki.gov.kz/nca_d_rsa.crl</NODE>
              <NODE Sign="86">http://crl1.pki.gov.kz/nca_d_rsa.crl</NODE>
             </NODE>
            </NODE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="PKIX private extension" Description="authorityInfoAccess">1.3.6.1.5.5.7.1.1</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <OBJECT_IDENTIFIER Comment="PKIX subject/authority info access descriptor" Description="caIssuers">1.3.6.1.5.5.7.48.2</OBJECT_IDENTIFIER>
            <NODE Sign="86">http://pki.gov.kz/cert/nca_rsa.cer</NODE>
           </SEQUENCE>
           <SEQUENCE>
            <OBJECT_IDENTIFIER Comment="PKIX" Description="OCSP">1.3.6.1.5.5.7.48.1</OBJECT_IDENTIFIER>
            <NODE Sign="86">http://ocsp.pki.gov.kz</NODE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
       </SEQUENCE>
      </NODE>
     </SEQUENCE>
     <SEQUENCE>
      <OBJECT_IDENTIFIER Comment="PKCS #1" Description="sha256WithRSAEncryption">1.2.840.113549.1.1.11</OBJECT_IDENTIFIER>
      <NULL/>
     </SEQUENCE>
     <BIT_STRING>0x007069FA79D21B66998770E451300E2ABAEE7190BCF844E1331E5C60E58F8FB6AB77B2FF25D3FF07C784F8D3FD75FF683B94655CA7B5D292F4BC97C905EFEC6F13467C72D6022D4C6A0827AF7176C27756B5C5C979E116542A4261B1BBC243863050136E244E40EA041757B1F833D6E7BD198F893BFE210415290CD0BC5C596CA8A2EAA35D523BA9297760061F2D22397275BA2227062A014EB20FB16123347AF8D3B32D5FE26A4065FF394FD956355F09D859275CF869C2569D172CB8ECFFF73F65BFB693DCEEF896FD6DA785ADFE4CECDDD36238A482B1355421D17C40FF7292276C223CD2FC01C0EF6E2C64E3A0111A1163126D8AB130F7A47C5BC78E799B9386174700C79426370F34584B805B204736663AF009412E349CD21132C84F30A564249F62F4D91537BAA7F9BF2BC3321E02B43CD05DC590E7E0CC2FD20978A262F619F22D83B39CFC4CCB1D6FBECF0FCD14F5DFBA1847DF2AA48D15DBD78B8E09D4F5ED1D0E37758A70FF945203B185B15E2AD1CB3DD3DAEC49A6BBB43B2DEB84ECEF0D8BCCEA918477E1E5B8BBBECF3C0FDCDDEFC025E83BE25968AEEE136AB5F27E8CEB5A4193FA243B19DB8FFC85929A491A2A2D0485205302ECD2F12FA93226E78E6D7889399D757F6E444A5A6A1CEBDB40537FBC327AAD57529A6DB46F347E704A1DB83847ED6583D7249C96416242C357B706B33A6462D4EC1BFF00FC62</BIT_STRING>
    </SEQUENCE>
   </NODE>
   <SET>
    <SEQUENCE>
     <INTEGER>1</INTEGER>
     <SEQUENCE>
      <SEQUENCE>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="countryName">2.5.4.6</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>KZ</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="commonName">2.5.4.3</OBJECT_IDENTIFIER>
         <UTF8_STRING>ҰЛТТЫҚ КУӘЛАНДЫРУШЫ ОРТАЛЫҚ (RSA)</UTF8_STRING>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
      <INTEGER>0x3C84B3394B0FADE320F4E219F9F66B316DA87C98</INTEGER>
     </SEQUENCE>
     <SEQUENCE>
      <OBJECT_IDENTIFIER Comment="NIST Algorithm" Description="sha-256">2.16.840.1.101.3.4.2.1</OBJECT_IDENTIFIER>
      <NULL/>
     </SEQUENCE>
     <NODE Sign="a0">
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #9" Description="contentType">1.2.840.113549.1.9.3</OBJECT_IDENTIFIER>
       <SET>
        <OBJECT_IDENTIFIER Comment="PKCS #7" Description="data">1.2.840.113549.1.7.1</OBJECT_IDENTIFIER>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #9" Description="signingTime">1.2.840.113549.1.9.5</OBJECT_IDENTIFIER>
       <SET>
        <UTC_TIME>08.02.2022, 22:03:16</UTC_TIME>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #9" Description="messageDigest">1.2.840.113549.1.9.4</OBJECT_IDENTIFIER>
       <SET>
        <OCTET_STRING>0x12DE2A9063524EE8C45EE82C77BCC7C43A2E0F0D3B4435B7559313AA29034FEC</OCTET_STRING>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="S/MIME Authenticated Attributes" Description="signingCertificateV2">1.2.840.113549.1.9.16.2.47</OBJECT_IDENTIFIER>
       <SET>
        <SEQUENCE>
         <SEQUENCE>
          <SEQUENCE>
           <OCTET_STRING>0x4A8C4D829F0790B412A06DC62ED51FA4C135518C8348813322428D5CF403D658</OCTET_STRING>
          </SEQUENCE>
         </SEQUENCE>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
     </NODE>
     <SEQUENCE>
      <OBJECT_IDENTIFIER Comment="PKCS #1" Description="sha256WithRSAEncryption">1.2.840.113549.1.1.11</OBJECT_IDENTIFIER>
      <NULL/>
     </SEQUENCE>
     <OCTET_STRING>0x60540693FE2042EEB04958E28421B22D7DFA3A4B01C299F58F51D732FEA6F2567093CD908ACF56F887FC12F610AEA223A1543B751437645ADF7B46C3FCC120B735A6247E1D9CE4FBA79B09EE5BE85EB4D834A0C579DB0EDAF29728C841846AD331EB809E83D10393ADDAF24AEC4C8370A45FC18A8AE7BCBE36CE1C3799E99EBD4EDA154BE616F4B908B31C6BF041B61294B961B17F3F8B583D0E0C1EDCF15A505BCB413E273F6802436C0E9537D9C08BA5767BE1D59EB486BD4BE19AE01DC2F24AFDEE66E9635765B4518E1DE8C824E432221FEF3DBF21D64CCB64C9FCACA715E7A66F513E551C0A3D89A0046DF520C20CBD08103B7EB0F58348425F156B8C7C</OCTET_STRING>
    </SEQUENCE>
   </SET>
  </SEQUENCE>
 </NODE>
</SEQUENCE>

KalkanCrypt CMS

 <SEQUENCE>
 <OBJECT_IDENTIFIER Comment="PKCS #7" Description="signedData">1.2.840.113549.1.7.2</OBJECT_IDENTIFIER>
 <NODE Sign="a0">
  <SEQUENCE>
   <INTEGER>1</INTEGER>
   <SET>
    <SEQUENCE>
     <OBJECT_IDENTIFIER Comment="NIST Algorithm" Description="sha-256">2.16.840.1.101.3.4.2.1</OBJECT_IDENTIFIER>
    </SEQUENCE>
   </SET>
   <SEQUENCE>
    <OBJECT_IDENTIFIER Comment="PKCS #7" Description="data">1.2.840.113549.1.7.1</OBJECT_IDENTIFIER>
   </SEQUENCE>
   <NODE Sign="a0">
    <SEQUENCE>
     <SEQUENCE>
      <NODE Sign="a0">
       <INTEGER>2</INTEGER>
      </NODE>
      <INTEGER>0x3C84B3394B0FADE320F4E219F9F66B316DA87C98</INTEGER>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #1" Description="sha256WithRSAEncryption">1.2.840.113549.1.1.11</OBJECT_IDENTIFIER>
       <NULL/>
      </SEQUENCE>
      <SEQUENCE>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="countryName">2.5.4.6</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>KZ</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="commonName">2.5.4.3</OBJECT_IDENTIFIER>
         <UTF8_STRING>ҰЛТТЫҚ КУӘЛАНДЫРУШЫ ОРТАЛЫҚ (RSA)</UTF8_STRING>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <UTC_TIME>14.06.2021, 09:23:51</UTC_TIME>
       <UTC_TIME>14.06.2022, 09:23:51</UTC_TIME>
      </SEQUENCE>
      <SEQUENCE>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="commonName">2.5.4.3</OBJECT_IDENTIFIER>
         <UTF8_STRING>XXXXXXXXX XXXXXXXXX</UTF8_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="surname">2.5.4.4</OBJECT_IDENTIFIER>
         <UTF8_STRING>XXXXXXXXX</UTF8_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="serialNumber">2.5.4.5</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>IIN123565464</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="countryName">2.5.4.6</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>KZ</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="givenName">2.5.4.42</OBJECT_IDENTIFIER>
         <UTF8_STRING>XXXXXXXXX</UTF8_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="PKCS #9. Deprecated, use an altName extension instead" Description="emailAddress">1.2.840.113549.1.9.1</OBJECT_IDENTIFIER>
         <IA5_STRING>XXXXXXXXX@XXXXXXXXX.RU</IA5_STRING>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <SEQUENCE>
        <OBJECT_IDENTIFIER Comment="PKCS #1" Description="rsaEncryption">1.2.840.113549.1.1.1</OBJECT_IDENTIFIER>
        <NULL/>
       </SEQUENCE>
       <BIT_STRING>
        <SEQUENCE>
         <INTEGER>0x008B38B057F67120D9A4BD3044C985C35198966F94E4F28F0E6292EF71AC18AB02390970EE47BB7A649748FB271362B92486001B6102E6479C8D7203D158D97EE48E41EF1C791CDD2988C5C978167F13CDD8A55F2DE9725E77D065F31A979301A61182AE851B78952B0BE5E1AA25EA5FC813DEB995A38EF4BD3FEFF6F8CBE30FD57461293ADC596031D462AD76D10AD470582BDCC7C658F715D8AAA2F5EFD96E6EB0BEAD64C98145B4E551104766EE89D12A322427DABA56073B96AF460FA9A667B2DD03E2A13319296428ABF3AA89F388636D96276A85EC14CF4CDB2B0F30A6C9BAC188BEF0224698C949C9862EE9301DE622C1E3B044F401702E75A553A84E9B</INTEGER>
         <INTEGER>65537</INTEGER>
        </SEQUENCE>
       </BIT_STRING>
      </SEQUENCE>
      <NODE Sign="a3">
       <SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="keyUsage">2.5.29.15</OBJECT_IDENTIFIER>
         <BOOLEAN>true</BOOLEAN>
         <OCTET_STRING>
          <BIT_STRING>0x06C0</BIT_STRING>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="extKeyUsage">2.5.29.37</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <OBJECT_IDENTIFIER Comment="PKIX key purpose" Description="emailProtection">1.3.6.1.5.5.7.3.4</OBJECT_IDENTIFIER>
           <OBJECT_IDENTIFIER>1.2.398.3.3.4.1.1</OBJECT_IDENTIFIER>
           <OBJECT_IDENTIFIER>1.2.398.3.3.4.3.2.1</OBJECT_IDENTIFIER>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="authorityKeyIdentifier">2.5.29.35</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <NODE Sign="80">[jt</NODE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="subjectKeyIdentifier">2.5.29.14</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <OCTET_STRING>0x343F16C672B5505E2ED0166BA16A803AC65EACB7</OCTET_STRING>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="certificatePolicies">2.5.29.32</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <OBJECT_IDENTIFIER>1.2.398.3.3.2.3</OBJECT_IDENTIFIER>
            <SEQUENCE>
             <SEQUENCE>
              <OBJECT_IDENTIFIER Comment="PKIX policy qualifier" Description="cps">1.3.6.1.5.5.7.2.1</OBJECT_IDENTIFIER>
              <IA5_STRING>http://pki.gov.kz/cps</IA5_STRING>
             </SEQUENCE>
             <SEQUENCE>
              <OBJECT_IDENTIFIER Comment="PKIX policy qualifier" Description="unotice">1.3.6.1.5.5.7.2.2</OBJECT_IDENTIFIER>
              <SEQUENCE>
               <UTF8_STRING>http://pki.gov.kz/cps</UTF8_STRING>
              </SEQUENCE>
             </SEQUENCE>
            </SEQUENCE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="cRLDistributionPoints">2.5.29.31</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <NODE Sign="a0">
             <NODE Sign="a0">
              <NODE Sign="86">http://crl.pki.gov.kz/nca_rsa.crl</NODE>
              <NODE Sign="86">http://crl1.pki.gov.kz/nca_rsa.crl</NODE>
             </NODE>
            </NODE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.509 extension" Description="freshestCRL">2.5.29.46</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <NODE Sign="a0">
             <NODE Sign="a0">
              <NODE Sign="86">http://crl.pki.gov.kz/nca_d_rsa.crl</NODE>
              <NODE Sign="86">http://crl1.pki.gov.kz/nca_d_rsa.crl</NODE>
             </NODE>
            </NODE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="PKIX private extension" Description="authorityInfoAccess">1.3.6.1.5.5.7.1.1</OBJECT_IDENTIFIER>
         <OCTET_STRING>
          <SEQUENCE>
           <SEQUENCE>
            <OBJECT_IDENTIFIER Comment="PKIX subject/authority info access descriptor" Description="caIssuers">1.3.6.1.5.5.7.48.2</OBJECT_IDENTIFIER>
            <NODE Sign="86">http://pki.gov.kz/cert/nca_rsa.cer</NODE>
           </SEQUENCE>
           <SEQUENCE>
            <OBJECT_IDENTIFIER Comment="PKIX" Description="OCSP">1.3.6.1.5.5.7.48.1</OBJECT_IDENTIFIER>
            <NODE Sign="86">http://ocsp.pki.gov.kz</NODE>
           </SEQUENCE>
          </SEQUENCE>
         </OCTET_STRING>
        </SEQUENCE>
       </SEQUENCE>
      </NODE>
     </SEQUENCE>
     <SEQUENCE>
      <OBJECT_IDENTIFIER Comment="PKCS #1" Description="sha256WithRSAEncryption">1.2.840.113549.1.1.11</OBJECT_IDENTIFIER>
      <NULL/>
     </SEQUENCE>
     <BIT_STRING>0x007069FA79D21B66998770E451300E2ABAEE7190BCF844E1331E5C60E58F8FB6AB77B2FF25D3FF07C784F8D3FD75FF683B94655CA7B5D292F4BC97C905EFEC6F13467C72D6022D4C6A0827AF7176C27756B5C5C979E116542A4261B1BBC243863050136E244E40EA041757B1F833D6E7BD198F893BFE210415290CD0BC5C596CA8A2EAA35D523BA9297760061F2D22397275BA2227062A014EB20FB16123347AF8D3B32D5FE26A4065FF394FD956355F09D859275CF869C2569D172CB8ECFFF73F65BFB693DCEEF896FD6DA785ADFE4CECDDD36238A482B1355421D17C40FF7292276C223CD2FC01C0EF6E2C64E3A0111A1163126D8AB130F7A47C5BC78E799B9386174700C79426370F34584B805B204736663AF009412E349CD21132C84F30A564249F62F4D91537BAA7F9BF2BC3321E02B43CD05DC590E7E0CC2FD20978A262F619F22D83B39CFC4CCB1D6FBECF0FCD14F5DFBA1847DF2AA48D15DBD78B8E09D4F5ED1D0E37758A70FF945203B185B15E2AD1CB3DD3DAEC49A6BBB43B2DEB84ECEF0D8BCCEA918477E1E5B8BBBECF3C0FDCDDEFC025E83BE25968AEEE136AB5F27E8CEB5A4193FA243B19DB8FFC85929A491A2A2D0485205302ECD2F12FA93226E78E6D7889399D757F6E444A5A6A1CEBDB40537FBC327AAD57529A6DB46F347E704A1DB83847ED6583D7249C96416242C357B706B33A6462D4EC1BFF00FC62</BIT_STRING>
    </SEQUENCE>
   </NODE>
   <SET>
    <SEQUENCE>
     <INTEGER>1</INTEGER>
     <SEQUENCE>
      <SEQUENCE>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="countryName">2.5.4.6</OBJECT_IDENTIFIER>
         <PRINTABLE_STRING>KZ</PRINTABLE_STRING>
        </SEQUENCE>
       </SET>
       <SET>
        <SEQUENCE>
         <OBJECT_IDENTIFIER Comment="X.520 DN component" Description="commonName">2.5.4.3</OBJECT_IDENTIFIER>
         <UTF8_STRING>ҰЛТТЫҚ КУӘЛАНДЫРУШЫ ОРТАЛЫҚ (RSA)</UTF8_STRING>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
      <INTEGER>0x3C84B3394B0FADE320F4E219F9F66B316DA87C98</INTEGER>
     </SEQUENCE>
     <SEQUENCE>
      <OBJECT_IDENTIFIER Comment="NIST Algorithm" Description="sha-256">2.16.840.1.101.3.4.2.1</OBJECT_IDENTIFIER>
     </SEQUENCE>
     <NODE Sign="a0">
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #9" Description="contentType">1.2.840.113549.1.9.3</OBJECT_IDENTIFIER>
       <SET>
        <OBJECT_IDENTIFIER Comment="PKCS #7" Description="data">1.2.840.113549.1.7.1</OBJECT_IDENTIFIER>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #9" Description="signingTime">1.2.840.113549.1.9.5</OBJECT_IDENTIFIER>
       <SET>
        <UTC_TIME>08.02.2022, 23:42:10</UTC_TIME>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="PKCS #9" Description="messageDigest">1.2.840.113549.1.9.4</OBJECT_IDENTIFIER>
       <SET>
        <OCTET_STRING>0x25FB4F88FFCBBF99B0490F07780FE9EACB4049BBBA8F313068262FB337698A56</OCTET_STRING>
       </SET>
      </SEQUENCE>
      <SEQUENCE>
       <OBJECT_IDENTIFIER Comment="S/MIME Authenticated Attributes" Description="signingCertificateV2">1.2.840.113549.1.9.16.2.47</OBJECT_IDENTIFIER>
       <SET>
        <SEQUENCE>
         <SEQUENCE>
          <SEQUENCE>
           <OCTET_STRING>0x4A8C4D829F0790B412A06DC62ED51FA4C135518C8348813322428D5CF403D658</OCTET_STRING>
          </SEQUENCE>
         </SEQUENCE>
        </SEQUENCE>
       </SET>
      </SEQUENCE>
     </NODE>
     <SEQUENCE>
      <OBJECT_IDENTIFIER Comment="PKCS #1" Description="rsaEncryption">1.2.840.113549.1.1.1</OBJECT_IDENTIFIER>
      <NULL/>
     </SEQUENCE>
     <OCTET_STRING>0x2FF15E69F0463F286C1B8FE8FB8EBF04420002ACEDDA629099FB7F8D10B361907BDE6B8F62BD3D69591ECFD6644C7095869977DDDA827EECD5349D9778D53E27236A30D30BD7A4FA3C9005EA1C25F697F830F943C29D6780EDEF00D0DFFE803ECA5963DE2788A12110ADCBE1DD967815A7B324AF8C3A61F0AED3B564916E0807FC445B8898498BA4B0923964D47EDF03BA831C3BA6A454D4F1CF344E38887DA07ABFE0643180C5D4F8597A118EC4E4E8EDB47FD54667C2FAF42ED0E1E700BFF383A2D1A4C79ED12E953E1B6013ABC7B594778CF0A5822AEDA166718099AE01AEB61F00F03E24C548C3EFE6656F4F6DE4F220AB5217BD9B01ADD034017FD54B2F</OCTET_STRING>
    </SEQUENCE>
   </SET>
  </SEQUENCE>
 </NODE>
</SEQUENCE>

vsenko · 09.02.2022 08:19:48

Судя по RFC 8017 OID rsaEncryption используется для идентификации ключей RSA:

The object identifier rsaEncryption identifies RSA public and private
keys as defined in Appendices A.1.1 and A.1.2. The parameters field
has associated with this OID in a value of type AlgorithmIdentifier
SHALL have a value of type NULL.
 rsaEncryption    OBJECT IDENTIFIER ::= { pkcs-1 1 }

Для подписи обычно используют OIDы с указанием алгоритма хеширования, такие как

md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }
sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
sha512-224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 15 }
sha512-256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 16 }

ololo · 09.02.2022 21:29:02

Здравствуйте!
При добавлении данных о подписанте, signatureAlgorithm может содержать идентификатор, который однозначно определяет алгоритмы хеширования и подписи (которые описал @vsenko), а может просто сам алгоритм. Потому как информация об алгоритме хеширования содержится в поле digestAlgorithm.
<OBJECT_IDENTIFIER Comment="NIST Algorithm" Description="sha-256">2.16.840.1.101.3.4.2.1</OBJECT_IDENTIFIER>
RFC 5652

The SignatureAlgorithmIdentifier type identifies a signature
algorithm, and it can also identify a message digest algorithm.
Examples include RSA, DSA, DSA with SHA-1, ECDSA, and ECDSA with
SHA-256.

vsenko · 10.02.2022 06:30:45

Спасибо за ответ!
Но это, конечно, не очень удобно что разные библиотеки из SDK НУЦ формируют подписи с разными OID на базе одного и того же сертификата.

ololo · 10.02.2022 07:07:18

Согласен, постараемся привести к единому формату.