Posted to commits@santuario.apache.org by "Scott Cantor (JIRA)" <ji...@apache.org> on 2010/12/07 19:34:22 UTC
[jira] Updated: (SANTUARIO-86) SHA256 Signature with SHA1 OID
[ https://issues.apache.org/jira/browse/SANTUARIO-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Scott Cantor updated SANTUARIO-86:
----------------------------------
Fix Version/s: C++ 1.5.1
Assignee: (was: XML Security Developers Mailing List)
> SHA256 Signature with SHA1 OID
> ------------------------------
>
> Key: SANTUARIO-86
> URL: https://issues.apache.org/jira/browse/SANTUARIO-86
> Project: Santuario
> Issue Type: Bug
> Components: C++
> Affects Versions: C++ 1.2.0
> Environment: Operating System: All
> Platform: All
> Reporter: Randy Eye
> Fix For: C++ 1.5.1
>
>
> I am using the 1.2.1 C++ library to validate an XML document signed with an
> RSA-SHA256 signature (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256). The
> library expects the OID value within the decrypted signature to be the ASN.1 BER
> encoding for SHA1 (even though it will properly calculate a SHA256 hash for
> comparison).
> According to RFC4051, Section 2.3.2, the OID in the signed portion must be the
> ASN.1 BER SHA-256 algorithm designator for RSA-SHA256. In looking at this
> code, I believe that this bug exists for all versions of SHA other than SHA1.
> If the XSEC library is used to produce the signature, the SHA1 OID is pre-pended
> to the hash and the validation is successful (although out of specification and
> not interoperable with other implementations).
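Added example, not code from Santuario or from the reporter: a check that the DigestInfo prefix inside a recovered PKCS#1 v1.5 block matches the hash named by the SignatureMethod, which is the comparison the report describes as expecting SHA-1 regardless of the algorithm. The names `check_digest_info` and `make_em` and the sample blocks are constructed for illustration; the exact bytes XSEC emitted are not shown in the report.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

enum class Hash { SHA1, SHA256 };
enum class Result { Ok, BadPadding, OidMismatch, Malformed };
using Bytes = std::vector<uint8_t>;

// DER DigestInfo prefixes from RFC 3447, section 9.2 (everything before the hash).
static const Bytes kSha1Prefix = {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,
                                  0x03,0x02,0x1a,0x05,0x00,0x04,0x14};
static const Bytes kSha256Prefix = {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
                                    0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20};

static const Bytes& prefix_for(Hash h) { return h == Hash::SHA1 ? kSha1Prefix : kSha256Prefix; }
static std::size_t digest_len(Hash h) { return h == Hash::SHA1 ? 20 : 32; }

static bool starts_with(const Bytes& data, std::size_t off, const Bytes& p) {
    return data.size() - off >= p.size() && std::equal(p.begin(), p.end(), data.begin() + off);
}

// em: block recovered by the RSA public-key operation (00 01 FF.. 00 DigestInfo).
// expected: hash named by the SignatureMethod URI, e.g. SHA256 for rsa-sha256.
Result check_digest_info(const Bytes& em, Hash expected) {
    if (em.size() < 11 || em[0] != 0x00 || em[1] != 0x01) return Result::BadPadding;
    std::size_t i = 2;
    while (i < em.size() && em[i] == 0xff) ++i;           // skip the FF padding run
    if (i < 10 || i == em.size() || em[i] != 0x00) return Result::BadPadding;
    ++i;                                                  // first DigestInfo byte
    const Bytes& want = prefix_for(expected);
    if (starts_with(em, i, want))                         // right OID: length must fit too
        return em.size() - i == want.size() + digest_len(expected) ? Result::Ok : Result::Malformed;
    for (Hash other : {Hash::SHA1, Hash::SHA256})         // well-formed OID, wrong algorithm
        if (other != expected && starts_with(em, i, prefix_for(other))) return Result::OidMismatch;
    return Result::Malformed;
}

// Constructed sample input: an encoded block built from a prefix and a dummy digest.
Bytes make_em(const Bytes& prefix, std::size_t hash_len, std::size_t em_len = 256) {
    Bytes em(em_len, 0xff);
    em[0] = 0x00; em[1] = 0x01;
    std::size_t t = prefix.size() + hash_len;
    em[em_len - t - 1] = 0x00;                            // separator before DigestInfo
    std::copy(prefix.begin(), prefix.end(), em.end() - t);
    std::fill(em.end() - hash_len, em.end(), 0xab);       // placeholder digest bytes
    return em;
}
```

A verifier that accepts only `Result::Ok` rejects the SHA-1-prefixed block for an rsa-sha256 signature instead of silently interoperating only with itself.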