harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leo Li" <liyilei1...@gmail.com>
Subject Re: [classlib][security]Problems about certificate signed by SHA1withDSA?
Date Wed, 10 Jan 2007 05:26:43 GMT
Thank you, Stepan.

On 1/9/07, Stepan Mishura <stepan.mishura@gmail.com> wrote:
>
> Hi Leo,
>
> I'll look more closely into all your questions when I sort out all unread
> e-mails.
> See my quick comments below.
>
> On 1/4/07, Leo Li wrote:
> >
> > Hi, all:
> >     I am now trying to switch the security provider for Harmony, but I
> > have
> > a problem:
> >     If the normal certificate signed by SHA1withDSA is decoded by
> harmony
> > ASN1 decoder, we will get an algorithm as  "
> > 1.3.14.3.2.26with1.2.840.10040.4.1". Although bouncycastle really has
> such
> > signature instance, RI security provider does not have such algorithm.
> >     RI has a signature  for " 1.3.14.3.2.27" , which is SHA1withDSA.
> >     But what makes things worse is that in
> > org.apache.harmony.security.utils.JarUtil, if the security providers has
> > no
> > "1.3.14.3.2.26with1.2.840.10040.4.1" signature, a " 1.3.14.3.2.26" will
> be
> > sought instead, while some other provider has a SHA1withRSA signature
> for
> > it, which does not fit the situation.(Luckily enough RI has no such
> > signature.)
> >     So my question is:
> >      1.Whether the "1.3.14.3.2.26with1.2.840.10040.4.1" is the same as "
> > 1.3.14.3.2.27" signature?
>
>
> Yes, they are the same. We have the following correspondence:
> 1.3.14.3.2.26 - SHA1 hash algorithm
> 1.3.14.3.2.27 - DSA with SHA-1 signature algorithm
> 1.2.840.10040.4.1 - DSA hash algorithm
>
> So: SHA1withDSA == 1.3.14.3.2.27 == 1.3.14.3.2.26with1.2.840.10040.4.1
>
>
> >      2.What is the real digit representation of the signature stored in
> > the
> > certificate?
>
>
> Raw bytes: see java.security.cert.X509Certificate#getSignature()
> "Gets the signature value (the raw signature bits) from the certificate"
>
> Thanks,
> -Stepan.
>
>   Furthermore, the bcprov.jar itself has a certificate signed by the
> > SHA1withDSA, but actually the signature is provided by itself. Thus the
> > signature is absent at the time of loading the jar. Although it does not
> > matter since the JarVerifier will let it pass as if no certificate
> existed
> >
> > when the signature instance is not available, is it more reasonable if
> we
> > are able to add the support for such signature in bootstrap security
> > providers of Harmony, such as DRLCertFactory or CryptoProvider?
> >
> >   Thanks.
> > --
> > Leo Li
> > China Software Development Lab, IBM
> >
> >
>
>
> --
> Stepan Mishura
> Intel Enterprise Solutions Software Division
>
>


-- 
Leo Li
China Software Development Lab, IBM

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message