Re: [classlib][security]Problems about certificate signed by SHA1withDSA?

Tue, 09 Jan 2007 21:27:06 -0800 

Thank you, Stepan.

On 1/9/07, Stepan Mishura <[EMAIL PROTECTED]> wrote:


Hi Leo,

I'll look more closely into all your questions when I sort out all unread
e-mails.
See my quick comments below.

On 1/4/07, Leo Li wrote:
>
> Hi, all:
>     I am now trying to switch the security provider for Harmony, but I
> have
> a problem:
>     If the normal certificate signed by SHA1withDSA is decoded by
harmony
> ASN1 decoder, we will get an algorithm as  "
> 1.3.14.3.2.26with1.2.840.10040.4.1". Although bouncycastle really has
such
> signature instance, RI security provider does not have such algorithm.
>     RI has a signature  for " 1.3.14.3.2.27" , which is SHA1withDSA.
>     But what makes things worse is that in
> org.apache.harmony.security.utils.JarUtil, if the security providers has
> no
> "1.3.14.3.2.26with1.2.840.10040.4.1" signature, a " 1.3.14.3.2.26" will
be
> sought instead, while some other provider has a SHA1withRSA signature
for
> it, which does not fit the situation.(Luckily enough RI has no such
> signature.)
>     So my question is:
>      1.Whether the "1.3.14.3.2.26with1.2.840.10040.4.1" is the same as "
> 1.3.14.3.2.27" signature?


Yes, they are the same. We have the following correspondence:
1.3.14.3.2.26 - SHA1 hash algorithm
1.3.14.3.2.27 - DSA with SHA-1 signature algorithm
1.2.840.10040.4.1 - DSA hash algorithm

So: SHA1withDSA == 1.3.14.3.2.27 == 1.3.14.3.2.26with1.2.840.10040.4.1


>      2.What is the real digit representation of the signature stored in
> the
> certificate?


Raw bytes: see java.security.cert.X509Certificate#getSignature()
"Gets the signature value (the raw signature bits) from the certificate"

Thanks,
-Stepan.

  Furthermore, the bcprov.jar itself has a certificate signed by the
> SHA1withDSA, but actually the signature is provided by itself. Thus the
> signature is absent at the time of loading the jar. Although it does not
> matter since the JarVerifier will let it pass as if no certificate
existed
>
> when the signature instance is not available, is it more reasonable if
we
> are able to add the support for such signature in bootstrap security
> providers of Harmony, such as DRLCertFactory or CryptoProvider?
>
>   Thanks.
> --
> Leo Li
> China Software Development Lab, IBM
>
>


--
Stepan Mishura
Intel Enterprise Solutions Software Division





--
Leo Li
China Software Development Lab, IBM






















					Reply via email to