harmony-dev mailing list archives

From: Richard Liang <richard.lian...@gmail.com>
Subject: Re: verifying signed jars
Date: Mon, 13 Feb 2006 07:16:11 GMT

Hello Mikhail Loenko,

:-) I'm just wondering whether it's possible to change/improve 
BouncyCastle to meet our requirement.

Richard Liang
China Software Development Lab, IBM



Mikhail Loenko wrote:
> How will it solve our problem with verifying signed jars?
>
> Thanks,
> Mikhail
>
> On 2/13/06, Richard Liang <richard.liangyx@gmail.com> wrote:
>   
>> That's a good idea :-)
>>
>> Richard Liang
>> China Software Development Lab, IBM
>>
>>
>>
>> Tim Ellison wrote:
>>     
>>> Why not contribute directly to BouncyCastle?
>>>
>>> Regards,
>>> Tim
>>>
>>> Mikhail Loenko wrote:
>>>
>>>       
>>>> The sources would be good - we would be able to fix bugs quickly and replace
>>>> parts of implementation for example where our code is faster.
>>>>
>>>> Thanks,
>>>> Mikhail
>>>>
>>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>>>
>>>>         
>>>>> Heh.  Everything we will do is legal :)
>>>>>
>>>>> The point is - would taking some source from BC be the smart thing to do
>>>>> - would it be complete, and what kind of maintenance burden would this
>>>>> be going forward?  Would some kind of re-packaged artifact from the BC
>>>>> project itself be better?
>>>>>
>>>>> Do we need source?  Could we have a step where we re-package BC code in
>>>>> a form more suited for our purposes?
>>>>>
>>>>> geir
>>>>>
>>>>> Mikhail Loenko wrote:
>>>>>
>>>>>           
>>>>>> We can if it is legal
>>>>>>
>>>>>> Thanks,
>>>>>> Mikhail
>>>>>>
>>>>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>>>>>
>>>>>>             
>>>>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>>>>
>>>>>>> Stepan Mishura wrote:
>>>>>>>
>>>>>>>               
>>>>>>>> We should have at least to verify BC provider:
>>>>>>>> 1) Message digest algorithm: SHA-1
>>>>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>>>>
>>>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>>>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Stepan Mishura
>>>>>>>> Intel Middleware Products Division
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
>>>>>>>>
>>>>>>>>                 
>>>>>>>>> Hi Tim,
>>>>>>>>>
>>>>>>>>> In order to verify the signature of those signed provider jars I believe
>>>>>>>>> that you would also need trusted implementations of :
>>>>>>>>>
>>>>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>>>>> * DSA and RSA signature algorithms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> George
>>>>>>>>> IBM UK
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Tim Ellison wrote:
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>>>> Stepan Mishura wrote:
>>>>>>>>>> <snip>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                     
>>>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
>>>>>>>>>>> currently we don't have Harmony provider so we should define how we
>>>>>>>>>>> locate 'trusted providers' to be secure.
>>>>>>>>>>>
>>>>>>>>>> We just need a trusted SHA1PRNG, right? Then we can open signed
>>>>>>>>>> providers' jars and get any others.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Tim
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                     
>>>>>>>> --
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>       
>>     
>
>   
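
Added example, not part of the original thread and not Harmony or BouncyCastle code: the thread's bootstrap question (which digest and signature implementations must already be trusted before a signed provider jar can be verified) can be answered per jar by reading its META-INF signing metadata. The function names and the sample jar are constructed for illustration. The sketch only inventories algorithm names, it verifies nothing, and the block-file extension gives the key algorithm only (the full signature algorithm, e.g. SHA1withDSA, is recorded inside the PKCS#7 block).

```python
import io
import re
import zipfile

# Signature block extensions from the JAR specification -> signer key algorithm.
BLOCK_EXT = {"DSA": "DSA", "RSA": "RSA", "EC": "ECDSA"}
# Matches "SHA1-Digest:", "MD5-Digest:", "SHA1-Digest-Manifest:" and similar.
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?:", re.M)


def required_algorithms(jar_bytes):
    """Return (digests, key_algs) named by the jar's signing metadata."""
    digests, keys = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            # Signature files only count directly under META-INF/.
            if not upper.startswith("META-INF/") or "/" in upper[9:]:
                continue
            ext = upper.rpartition(".")[2]
            if ext in BLOCK_EXT:
                keys.add(BLOCK_EXT[ext])
            elif ext in ("MF", "SF"):
                text = jar.read(name).decode("utf-8", "replace")
                digests.update(d.upper() for d in DIGEST_ATTR.findall(text))
    return digests, keys


def missing_from_bootstrap(jar_bytes, trusted_digests, trusted_keys):
    """Algorithms the jar needs that the built-in trusted set lacks."""
    digests, keys = required_algorithms(jar_bytes)
    return sorted(digests - set(trusted_digests)), sorted(keys - set(trusted_keys))


def build_sample_jar(digest="SHA1", block_ext="DSA"):
    """Constructed sample: signing metadata with placeholder values only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n"
                   f"Name: a/B.class\r\n{digest}-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/PROVIDER.SF", "Signature-Version: 1.0\r\n"
                   f"{digest}-Digest-Manifest: BBBB\r\n\r\n")
        z.writestr("META-INF/PROVIDER." + block_ext, b"placeholder")
        z.writestr("a/B.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(missing_from_bootstrap(build_sample_jar(), {"SHA1"}, {"DSA"}))
    print(missing_from_bootstrap(build_sample_jar("MD5", "RSA"), {"SHA1"}, {"DSA"}))
```

With a built-in trusted set of SHA1 and DSA, the first sample needs nothing further, while the MD5/RSA sample reports both as missing.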
