Skip to main content

3. PKCS

3. PKCS #1 v1.5 SignatureScheme Types

The following SignatureScheme values are defined for use with TLS 1.3.

enum {
rsa_pkcs1_sha256_legacy(0x0420),
rsa_pkcs1_sha384_legacy(0x0520),
rsa_pkcs1_sha512_legacy(0x0620),
} SignatureScheme;

These code points indicate a signature algorithm using RSASSA-PKCS1-v1_5 [RFC8017] with the corresponding hash algorithm defined in [SHS]. They are only defined for signatures in the client CertificateVerify message and are not defined for any other context.

Servers that intend to advertise support for RSASSA-PKCS1-v1_5 signatures in certificates themselves should use the rsa_pkcs1_* constants defined in [RFC8446]. Clients MUST NOT advertise the legacy values in the signature_algorithms extension of ClientHello and MUST NOT accept them in the server CertificateVerify message.

Servers that support clients authenticating with legacy RSASSA-PKCS1-v1_5-only keys MAY send these values in the signature_algorithms extension of CertificateRequest and accept them in the client CertificateVerify message. Servers MUST NOT accept these code points if they were not offered in CertificateRequest. Clients with such legacy keys MAY negotiate these signature algorithms when offered by the server.

Clients SHOULD NOT negotiate these algorithms with keys that support RSASSA-PSS, though this may not be practical to determine in all applications. TLS implementations SHOULD disable these code points by default.