harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stepan Mishura" <stepan.mish...@gmail.com>
Subject Re: [classlib][security]Problems about certificate signed by SHA1withDSA?
Date Thu, 11 Jan 2007 07:20:53 GMT
Hi Leo,

On 1/4/07, Leo Li wrote:

> Hi, all:
>     I am now trying to switch the security provider for Harmony, but I
> have
> a problem:


I assume that you replaced BC provider with RI's. Right?

    If the normal certificate signed by SHA1withDSA is decoded by harmony
> ASN1 decoder, we will get an algorithm as  "
> 1.3.14.3.2.26with1.2.840.10040.4.1". Although bouncycastle really has such
> signature instance, RI security provider does not have such algorithm.
>     RI has a signature  for "1.3.14.3.2.27" , which is SHA1withDSA.


I think we should improve the algorithm. We should first map "1.3.14.3.2.26"
to "SHA1" and "1.2.840.10040.4.1" to "DSA" and try to look for "SHA1withDSA"
signature algorithm.

    But what makes things worse is that in
> org.apache.harmony.security.utils.JarUtil, if the security providers has
> no
> "1.3.14.3.2.26with1.2.840.10040.4.1" signature, a "1.3.14.3.2.26" will be
> sought instead, while some other provider has a SHA1withRSA signature for
> it, which does not fit the situation.(Luckily enough RI has no such
> signature.)


This looks a bit strange. It doesn't make sense for me to search for "
1.3.14.3.2.26" signature algorithm because this OID was assigned to
SHA-1 hash algorithm - I think this should be removed. Also OID for
SHA1withRSA is "1.3.14.3.2.29" - I have no idea why 'other provider' use
SHA1's oid for it. Could you try "1.3.14.3.2.29" for this provider?

    So my question is:
>      1.Whether the "1.3.14.3.2.26with1.2.840.10040.4.1" is the same as "
> 1.3.14.3.2.27" signature?
>      2.What is the real digit representation of the signature stored in
> the
> certificate?
>
>    Furthermore, the bcprov.jar itself has a certificate signed by the
> SHA1withDSA, but actually the signature is provided by itself. Thus the
> signature is absent at the time of loading the jar. Although it does not
> matter since the JarVerifier will let it pass as if no certificate existed
> when the signature instance is not available, is it more reasonable if we
> are able to add the support for such signature in bootstrap security
> providers of Harmony, such as DRLCertFactory or CryptoProvider?


But we have support for SHA1withDSA signature algorithm. See
modules/security/
  src/main/java/common/

org/apache/harmony/security/provider/crypto/SHA1withDSA_SignatureImpl.java

Thanks,
Stepan.

  Thanks.
> --
> Leo Li
> China Software Development Lab, IBM
>
>


-- 
Stepan Mishura
Intel Enterprise Solutions Software Division

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message