harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikhail Loenko <mloe...@gmail.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 11:53:40 GMT
More implementatoins we have in Harmony - less we depend on third parties.

I think SHA-1 and DSA is something to start with.

Makes sense?

Thanks,
Mikhail

On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
> Hi Stepan,
>
> In the short term, yes, SHA-1 and DSA should suffice for verifying the
> BouncyCastle provider jar. Long term though, Harmony will also need to
> support the MD5 and RSA algorithms for other providers that may have
> been signed with those algorithms. While the Jar file specification does
> not mandate a set of digest and signature algorithms that may be used
> for signing, it should be noted that the reference jarsigner tool
> supports both DSA+SHA-1 and RSA+MD5.
>
> Best regards,
> George
> IBM UK
>
> PS, Keeping my fingers crossed this ends up on the dev-list :-)
>
>
> Stepan Mishura wrote:
> >
> > We should have at least to verify BC provider:
> > 1) Message digest algorithm: SHA-1
> > 2) Signature algorithm: SHA1withDSA
> >
> > Other jars may require additional algorithms, for example,
> > SHA1withRSA. We can verify BC provider first and use it for further
> > jar verifications.
> >
> >
> > Thanks,
> > Stepan Mishura
> > Intel Middleware Products Division
> >
> >
> >
> > On 2/10/06, *George Harley* <george.c.harley@googlemail.com
> > <mailto:george.c.harley@googlemail.com>> wrote:
> >
> >     Hi Tim,
> >
> >     In order to verify the signature of those signed provider jars I
> >     believe
> >     that you would also need trusted implementations of :
> >
> >     * SHA-1 and MD5 digest algorithms
> >     * DSA and RSA signature algorithms
> >
> >
> >     Best regards,
> >     George
> >     IBM UK
> >
> >
> >     Tim Ellison wrote:
> >     > Stepan Mishura wrote:
> >     > <snip>
> >     >
> >     >> Returning back to the 'missing post'. I agreed with suggestion
> >     but currently
> >     >> we don't have Harmony provider so we should define how we
> >     locate 'trusted
> >     >> provides' to be secure.
> >     >>
> >     >
> >     > We just need a trusted SHA1PRNG, right? then we can open signed
> >     > providers' jars and get any others.
> >     >
> >     > Regards,
> >     > Tim
> >     >
> >     >
> >
> >
> >
> >
> > --
>
>

Mime
View raw message