Hi Stepan,

In the short term, yes, SHA-1 and DSA should suffice for verifying the BouncyCastle provider jar. Long term though, Harmony will also need to support the MD5 and RSA algorithms for other providers that may have been signed with those algorithms. While the Jar file specification does not mandate a set of digest and signature algorithms that may be used for signing, it should be noted that the reference jarsigner tool supports both DSA+SHA-1 and RSA+MD5.

Best regards,
George
IBM UK

PS, Keeping my fingers crossed this ends up on the dev-list :-)


Stepan Mishura wrote:

We should have at least the following to verify the BC provider:
1) Message digest algorithm: SHA-1
2) Signature algorithm: SHA1withDSA

Other jars may require additional algorithms, for example, SHA1withRSA. We can verify BC provider first and use it for further jar verifications.

Thanks,
Stepan Mishura
Intel Middleware Products Division


On 2/10/06, George Harley <[EMAIL PROTECTED]> wrote:

    Hi Tim,

    In order to verify the signature of those signed provider jars I believe
    that you would also need trusted implementations of:

    * SHA-1 and MD5 digest algorithms
    * DSA and RSA signature algorithms


    Best regards,
    George
    IBM UK


    Tim Ellison wrote:
    > Stepan Mishura wrote:
    > <snip>
    >
    >> Returning back to the 'missing post'. I agreed with suggestion but currently
    >> we don't have Harmony provider so we should define how we locate 'trusted
    >> providers' to be secure.
    >>
    >
    > We just need a trusted SHA1PRNG, right? then we can open signed
    > providers' jars and get any others.
    >
    > Regards,
    > Tim
    >
    >
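
Added example (not part of the original thread and not Harmony code): a sketch of how a bootstrap verifier could decide whether its built-in algorithms cover a signed jar, by reading the algorithm names the jar declares in META-INF. It does not check any signature; the function names and the sample jar contents are constructed for illustration, and jarsigner's attribute spelling "SHA1" stands for SHA-1.

```python
import io
import zipfile

# Signature block file extension -> key algorithm the verifier must trust.
BLOCK_EXT = {".DSA": "DSA", ".RSA": "RSA"}

def required_algorithms(jar_bytes):
    """Return (digests, signatures) declared by the jar's META-INF files."""
    digests, signatures = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            # Signature-related files live directly under META-INF/.
            if not upper.startswith("META-INF/") or "/" in upper[9:]:
                continue
            ext = upper[upper.rfind("."):]
            if ext in BLOCK_EXT:
                signatures.add(BLOCK_EXT[ext])
            elif ext == ".SF":
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith(" ") or ":" not in line:
                        continue  # continuation line or section separator
                    key = line.split(":", 1)[0]
                    # Attributes look like "SHA1-Digest" or "MD5-Digest-Manifest".
                    if "-Digest" in key:
                        digests.add(key.split("-Digest", 1)[0])
    return digests, signatures

def build_sample_jar(sf_name, block_name, digest_attr):
    """Constructed sample: dummy digest values and an empty signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr(sf_name, "Signature-Version: 1.0\r\n"
                     f"{digest_attr}-Digest-Manifest: AAAA\r\n\r\n"
                     "Name: org/example/Provider.class\r\n"
                     f"{digest_attr}-Digest: BBBB\r\n\r\n")
        jar.writestr(block_name, b"")  # placeholder, not a real PKCS#7 blob
    return buf.getvalue()

def bootstrap_can_verify(jar_bytes, trusted_digests, trusted_sigs):
    """True only if every declared algorithm is in the trusted bootstrap set."""
    digests, sigs = required_algorithms(jar_bytes)
    # A jar with no signature block or no digests is rejected, not accepted.
    return bool(sigs) and bool(digests) and digests <= trusted_digests and sigs <= trusted_sigs
```
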



