DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=40085>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40085 Summary: SHA256 Signature with SHA1 OID Product: Security Version: C++ 1.2.0 Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: C++ Signature AssignedTo: security-dev@xml.apache.org ReportedBy: [EMAIL PROTECTED] I am using the 1.2.1 C++ library to validate an XML document signed with an RSA-SHA256 signature (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256). The library expects the OID value within the decrypted signature to be the ASN.1 BER encoding for SHA1 (even though it will properly calculate a SHA256 hash for comparison). According to RFC4051, Section 2.3.2, the OID in the signed portion must be the ASN.1 BER SHA-256 algorithm designator for RSA-SHA256. In looking at this code, I believe that this bug exists for all versions of SHA other than SHA1. If the XSEC library is used to produce the signature, the SHA1 OID is pre-pended to the hash and the validation is successful (although out of specification and not interoperable with other implementations). -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
