2010/1/14 Kai Chan <[email protected]>: > Hi, > > NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c > (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c), > but will ECDSA with SHA256 and higher be supported in the future? Or is > this something as simple as adding to the switch statement, since the other > EC signature OIDs exist in SECOIDTag > (http://mxr.mozilla.org/security/source/security/nss/lib/util/secoidt.h): > SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE = 277, > SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE = 278, > SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE = 279, > SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE = 280,
The switch statement determines the default signature algorithm OID if the caller doesn't specify it (by passing algID=SEC_OID_UNKNOWN). You can pass algID=SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE to SEC_DERSignData() to generate an ECDSA-with-SHA-256 signature. We may want to change the default ECDSA OID in that switch statement to SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE at some point, since Suite B requires at least SHA-256. Wan-Teh -- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
