John O Goyo <[EMAIL PROTECTED]> writes: >That would explain its presence in a certificate we parsed. We found the OID >1.3.14.3.2.29 {iso(1) identified-organization(3) oiw(14) secsig(3) >algorithms(2) sha-1WithRSAEncryption(29)} in a certificate where RFC 2459 >specified another OID. > >I shall investigate the Java connection.
There are others as well, e.g. an obsolete DSA one that ended up in CDSA (so presumably OS X crypto will use it) and the German PKI work, and a variety of other odd bits and pieces. In general you need a many-to-one mapping where on write you emit the most appropriate OID and on read you allow any one of a number of OIDs, including incorrect ones (the JDK one is actually dsaWithSHA0, but it's used as if it was dsaWithSHA1). And while we're on the topic of SHA-1 with RSA, don't forget rsaSignatureWithsha1 (1 3 36 3 3 1 1). Peter.