From: George Harley
Reply-To: george.c.harley@googlemail.com
Date: Fri, 10 Feb 2006 11:36:35 +0000
To: harmony-dev@incubator.apache.org
Subject: Re: verifying signed jars

Hi Stepan,

In the short term, yes, SHA-1 and DSA should suffice for verifying the BouncyCastle provider jar. Long term though, Harmony will also need to support the MD5 and RSA algorithms for other providers that may have been signed with those algorithms.

While the Jar file specification does not mandate a set of digest and signature algorithms that may be used for signing, it should be noted that the reference jarsigner tool supports both DSA+SHA-1 and RSA+MD5.

Best regards,
George
IBM UK

PS, Keeping my fingers crossed this ends up on the dev-list :-)

Stepan Mishura wrote:
>
> We should have at least to verify BC provider:
> 1) Message digest algorithm: SHA-1
> 2) Signature algorithm: SHA1withDSA
>
> Other jars may require additional algorithms, for example,
> SHA1withRSA. We can verify BC provider first and use it for further
> jar verifications.
>
> Thanks,
> Stepan Mishura
> Intel Middleware Products Division
>
> On 2/10/06, *George Harley* wrote:
>
>     Hi Tim,
>
>     In order to verify the signature of those signed provider jars I believe
>     that you would also need trusted implementations of:
>
>     * SHA-1 and MD5 digest algorithms
>     * DSA and RSA signature algorithms
>
>     Best regards,
>     George
>     IBM UK
>
>     Tim Ellison wrote:
>     > Stepan Mishura wrote:
>     >
>     >> Returning back to the 'missing post'. I agreed with suggestion but currently
>     >> we don't have Harmony provider so we should define how we locate 'trusted
>     >> providers' to be secure.
>     >
>     > We just need a trusted SHA1PRNG, right? then we can open signed
>     > providers' jars and get any others.
>     >
>     > Regards,
>     > Tim
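
An added example, not part of the thread and not Harmony code: it reads a jar's `META-INF` signature files to report which digest algorithms and key types a verifier would need, then compares them with a supported set such as the SHA-1 and DSA pair discussed above. The function names, the signer name `SIGNER` and the sample jars (placeholder data, no real signature) are constructed for illustration.

```python
import io
import re
import zipfile

# Matches .SF attributes such as "SHA1-Digest:" or "MD5-Digest-Manifest:"
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M | re.I)
# Signature block file directly under META-INF; the extension names the key type.
# The exact signature algorithm (e.g. SHA1withDSA) is recorded inside the block.
BLOCK_FILE = re.compile(r"^META-INF/[^/]+\.(DSA|RSA|EC)$")
SF_FILE = re.compile(r"^META-INF/[^/]+\.SF$")


def required_algorithms(jar_bytes):
    """Return (digest_names, key_types) that the jar's signature files refer to."""
    digests, key_types = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()  # META-INF names are matched case-insensitively
            block = BLOCK_FILE.match(upper)
            if block:
                key_types.add(block.group(1))
            elif SF_FILE.match(upper):
                text = jar.read(name).decode("utf-8", "replace")
                digests.update(d.upper() for d in DIGEST_ATTR.findall(text))
    return digests, key_types


def unsupported(jar_bytes, digests_ok, keys_ok):
    """List what the jar needs beyond the verifier's supported sets."""
    digests, key_types = required_algorithms(jar_bytes)
    return sorted(digests - set(digests_ok)), sorted(key_types - set(keys_ok))


def build_sample_jar(signer, digest, key_type):
    """Constructed sample: signature metadata only, no real signature."""
    sf = ("Signature-Version: 1.0\r\n"
          f"{digest}-Digest-Manifest: AAAA\r\n\r\n"
          "Name: Example.class\r\n"
          f"{digest}-Digest: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr(f"META-INF/{signer}.SF", sf)
        jar.writestr(f"META-INF/{signer}.{key_type}", b"placeholder")
        jar.writestr("Example.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for args in (("SIGNER", "SHA1", "DSA"), ("SIGNER", "MD5", "RSA")):
        jar = build_sample_jar(*args)
        print(args, "missing:", unsupported(jar, {"SHA1"}, {"DSA"}))
```

A jar whose report lists anything as missing cannot be verified until trusted implementations of those algorithms are available; this inspection only reads metadata and does not itself check any signature.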