Signature algorithms in TLS certificates – Digital Certificates and Certification Authorities

10.5.4 Signature algorithms in TLS certificates

In Chapter 9, Digital Signatures, we learned that TLS 1.3 has two extensions for client Bob to specify which signature algorithms shall be used in the TLS session with server Alice:

  • The signature_algorithms extension specifies algorithms to be used for signatures in CertificateVerify messages
  • The signature_algorithms_cert extension, if used, specifies algorithms to be used for signatures in certificates

The signature_algorithms extension was introduced in TLS version 1.2 so that the client can indicate to the server which signature algorithms and hash algorithms can be used in digital signatures of that particular TLS session.

The signature_algorithms_cert extension was added in TLS version 1.3 so that TLS endpoints that support different sets of algorithms for certificates and for the TLS protocol itself can clearly communicate their capabilities. RFC 8446 specifies that TLS 1.2 implementations should also process this extension.

In these extensions, the extension_data field contains a list of SignatureScheme values in descending order of client Bob’s preference. Each such value is a single signature algorithm that Bob is willing to verify.

Bob may use the signature_algorithms_cert extension to tell Alice which certificate-specific signature algorithms he wants to use to validate X.509 certificates. If signature_algorithms_cert is omitted, the algorithms listed in signature_algorithms are also used for calculating and verifying the digital signatures in certificates.

As a result, using the signature_algorithms_cert extension, TLS clients that support different sets of algorithms for certificates and for the TLS protocol itself can signal this to a TLS server in an unambiguous way.

If client Bob wants server Alice to authenticate herself using a certificate, he must send at least the signature_algorithms extension (optionally, Bob may also send Alice the signature_algorithms_cert extension).

If server Alice can only authenticate herself using a certificate but client Bob sends no signature_algorithms extension, then Alice immediately aborts the TLS handshake and sends a missing_extension alert.
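The rules in this section can be made concrete with a small model of what server Alice does with the two extensions. The following Python is an added example, not code from the book or from any TLS library: it decodes the extension_data wire format (a 2-byte length prefix followed by 2-byte SignatureScheme values), applies the fallback from signature_algorithms_cert to signature_algorithms, aborts with missing_extension when a certificate-only server receives neither, and then selects a certificate chain the client can verify. The SignatureScheme code points are those assigned in RFC 8446; the ClientHello extensions, the candidate chains and the tie-breaking policy for chain selection are constructed assumptions for illustration.

```python
import struct
from typing import Dict, List, Optional, Tuple

# SignatureScheme code points from RFC 8446, Section 4.2.3 (subset).
SIGNATURE_SCHEMES: Dict[int, str] = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0804: "rsa_pss_rsae_sha256",
    0x0807: "ed25519",
    0x0809: "rsa_pss_pss_sha256",
}


def scheme_name(scheme: int) -> str:
    return SIGNATURE_SCHEMES.get(scheme, f"unknown(0x{scheme:04x})")


class HandshakeAbort(Exception):
    """Models aborting the handshake with the named TLS alert."""

    def __init__(self, alert: str) -> None:
        super().__init__(alert)
        self.alert = alert


def parse_signature_scheme_list(ext_data: bytes) -> List[int]:
    """Decode the extension_data of signature_algorithms or
    signature_algorithms_cert: a 2-byte big-endian length followed by 2-byte
    SignatureScheme values, in descending order of the client's preference."""
    if len(ext_data) < 2:
        raise ValueError("extension_data too short for the length prefix")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    # RFC 8446 bounds the vector to <2..2^16-2>: at least one entry, an even
    # length, and the declared length must match the bytes actually present.
    if length != len(body) or length < 2 or length % 2 != 0:
        raise ValueError("malformed SignatureScheme list")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def encode_signature_scheme_list(schemes: List[int]) -> bytes:
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def cert_schemes_accepted_by_client(extensions: Dict[str, bytes]) -> List[int]:
    """The list the server consults for certificate signatures:
    signature_algorithms_cert if the client sent it, otherwise
    signature_algorithms. A certificate-only server that receives neither
    aborts the handshake with missing_extension."""
    if "signature_algorithms" not in extensions:
        raise HandshakeAbort("missing_extension")
    data = extensions.get("signature_algorithms_cert", extensions["signature_algorithms"])
    return parse_signature_scheme_list(data)


def select_certificate_chain(extensions: Dict[str, bytes],
                             candidate_chains: List[Tuple[str, List[int]]]) -> Optional[str]:
    """Pick a chain whose every signature the client says it can verify.
    Each candidate is (name, [scheme of each certificate's signature, leaf first]).
    Ties are broken by the client's preference for the leaf certificate's
    signature scheme (an illustrative policy, not one mandated by the RFC)."""
    prefs = cert_schemes_accepted_by_client(extensions)
    rank = {scheme: i for i, scheme in enumerate(prefs)}
    usable = [(name, chain) for name, chain in candidate_chains
              if all(scheme in rank for scheme in chain)]
    if not usable:
        return None
    best_name, _ = min(usable, key=lambda item: rank[item[1][0]])
    return best_name


def alert_for_client_hello(extensions: Dict[str, bytes]) -> Optional[str]:
    """Alert a certificate-only server would send for these extensions, or None."""
    try:
        cert_schemes_accepted_by_client(extensions)
    except HandshakeAbort as exc:
        return exc.alert
    return None


# Constructed ClientHello extensions (not a real capture). TLS 1.3 forbids
# PKCS#1 v1.5 in CertificateVerify but still allows it inside certificates,
# so the two lists legitimately differ.
CLIENT_HELLO_EXTENSIONS: Dict[str, bytes] = {
    "signature_algorithms": encode_signature_scheme_list([0x0804, 0x0403]),
    "signature_algorithms_cert": encode_signature_scheme_list([0x0401, 0x0403]),
}

# Constructed server-side chains, described only by the scheme of each signature.
CANDIDATE_CHAINS: List[Tuple[str, List[int]]] = [
    ("rsa-chain", [0x0401, 0x0401]),
    ("ecdsa-chain", [0x0403, 0x0403]),
    ("legacy-sha1-chain", [0x0201, 0x0201]),
]

if __name__ == "__main__":
    for scheme in parse_signature_scheme_list(CLIENT_HELLO_EXTENSIONS["signature_algorithms_cert"]):
        print(f"client accepts certificate signature {scheme_name(scheme)}")
    print("selected:", select_certificate_chain(CLIENT_HELLO_EXTENSIONS, CANDIDATE_CHAINS))
    without_cert_ext = {"signature_algorithms": CLIENT_HELLO_EXTENSIONS["signature_algorithms"]}
    print("fallback:", select_certificate_chain(without_cert_ext, CANDIDATE_CHAINS))
    print("no extension:", alert_for_client_hello({}))
```

With both extensions present the server picks the RSA PKCS#1-signed chain, because the client ranks rsa_pkcs1_sha256 first for certificates even though it cannot accept that scheme in CertificateVerify. Drop signature_algorithms_cert and the fallback to signature_algorithms rules that chain out, so the ECDSA chain is chosen instead; drop signature_algorithms as well and the model returns the missing_extension alert.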
