> No, C++ lib doesn't support SHA-256 or stronger. It supports only MD5 > and SHA1 due to Windows CryptoAPI and OpenSSL limitations.
Thanks, didn't realize that. > However, if you don't trust SHA1 anymore, you should consider that many > digital certificates used for signing are signed using SHA1 (or even > MD5) digest algs. :( The recent attack is not my concern so much as the reliance on a single hash supported by the library instead of at least a few different options. My point being that if we don't have more algorithms in common between different libraries, when and if SHA-1 gets totally broken, everyone is screwed. I also think it's a mistake for XMLSig and similar specs to require only one or two algorithms be supported. It's a recipe for a big mess later, seems to me. -- Scott
