harmony-dev mailing list archives

From George Harley <george.c.har...@googlemail.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 11:57:46 GMT
Hi Mikhail,


Mikhail Loenko wrote:
> The more implementations we have in Harmony, the less we depend on third parties.
>
> I think SHA-1 and DSA is something to start with.
>
> Makes sense?
>   

Makes sense.


> Thanks,
> Mikhail
>
> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
>   
>> Hi Stepan,
>>
>> In the short term, yes, SHA-1 and DSA should suffice for verifying the
>> BouncyCastle provider jar. Long term though, Harmony will also need to
>> support the MD5 and RSA algorithms for other providers that may have
>> been signed with those algorithms. While the Jar file specification does
>> not mandate a set of digest and signature algorithms that may be used
>> for signing, it should be noted that the reference jarsigner tool
>> supports both DSA+SHA-1 and RSA+MD5.
>>
>> Best regards,
>> George
>> IBM UK
>>
>> PS, Keeping my fingers crossed this ends up on the dev-list :-)
>>
>>
>> Stepan Mishura wrote:
>>     
>>> We should have at least to verify BC provider:
>>> 1) Message digest algorithm: SHA-1
>>> 2) Signature algorithm: SHA1withDSA
>>>
>>> Other jars may require additional algorithms, for example,
>>> SHA1withRSA. We can verify BC provider first and use it for further
>>> jar verifications.
>>>
>>>
>>> Thanks,
>>> Stepan Mishura
>>> Intel Middleware Products Division
>>>
>>>
>>>
>>> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
>>>
>>>     Hi Tim,
>>>
>>>     In order to verify the signature of those signed provider jars I
>>>     believe that you would also need trusted implementations of:
>>>
>>>     * SHA-1 and MD5 digest algorithms
>>>     * DSA and RSA signature algorithms
>>>
>>>
>>>     Best regards,
>>>     George
>>>     IBM UK
>>>
>>>
>>>     Tim Ellison wrote:
>>>     > Stepan Mishura wrote:
>>>     > <snip>
>>>     >
>>>     >> Returning back to the 'missing post'. I agreed with suggestion
>>>     >> but currently we don't have Harmony provider so we should define
>>>     >> how we locate 'trusted providers' to be secure.
>>>     >>
>>>     >
>>>     > We just need a trusted SHA1PRNG, right? then we can open signed
>>>     > providers' jars and get any others.
>>>     >
>>>     > Regards,
>>>     > Tim
>>>     >
>>>     >

Best regards,
George
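
The question running through this thread is which digest and signature algorithms a verifier must already trust before it can check a given signed jar. The following is an added example, not part of the original message or of Harmony's code: it reads a jar's `META-INF/` entries and reports the digest names and signature key families the jar uses, then compares them with a bootstrap set. The function names, the sample jar contents and the `SAMPLE` signer name are constructed for illustration, and the exact signature algorithm (for example SHA1withDSA) lives inside the PKCS#7 block, which this sketch does not parse.

```python
import io
import re
import zipfile

# Signature block file extension -> key algorithm family, per the JAR file spec.
SIG_BLOCK_EXT = {".DSA": "DSA", ".RSA": "RSA", ".EC": "EC"}
# Matches "SHA1-Digest:", "MD5-Digest-Manifest:", "SHA-256-Digest:" and similar.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M | re.I)

def required_algorithms(jar_bytes):
    """Return (digest names, signature key families) a verifier needs for this jar."""
    digests, signatures = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            # Signature-related files live directly in META-INF/, not in subdirectories.
            if not upper.startswith("META-INF/") or "/" in upper[len("META-INF/"):]:
                continue
            ext = upper[upper.rfind("."):] if "." in upper else ""
            if ext in SIG_BLOCK_EXT:
                signatures.add(SIG_BLOCK_EXT[ext])
            elif upper == "META-INF/MANIFEST.MF" or ext == ".SF":
                text = jar.read(name).decode("utf-8", "replace")
                for algorithm in DIGEST_ATTR.findall(text):
                    digests.add(algorithm.upper().replace("-", ""))  # SHA-1 -> SHA1
    return digests, signatures

def missing_algorithms(jar_bytes, trusted_digests, trusted_signatures):
    """Algorithms the jar needs that the bootstrap (trusted) set does not provide."""
    digests, signatures = required_algorithms(jar_bytes)
    return sorted(digests - set(trusted_digests)), sorted(signatures - set(trusted_signatures))

def build_sample_jar(digest, sig_ext):
    """Constructed sample laid out like a signed jar; digests and signature block are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n\r\nName: org/example/Provider.class\r\n"
                     f"{digest}-Digest: AAAA\r\n\r\n")
        jar.writestr("META-INF/SAMPLE.SF",
                     f"Signature-Version: 1.0\r\n{digest}-Digest-Manifest: AAAA\r\n\r\n")
        jar.writestr(f"META-INF/SAMPLE.{sig_ext}", b"\x30\x00")  # not a real PKCS#7 block
        jar.writestr("org/example/Provider.class", b"")
    return buf.getvalue()

if __name__ == "__main__":
    bootstrap = ({"SHA1"}, {"DSA"})  # the short-term set proposed in the thread
    print(missing_algorithms(build_sample_jar("SHA1", "DSA"), *bootstrap))
    print(missing_algorithms(build_sample_jar("MD5", "RSA"), *bootstrap))
```
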
