Posted to commits@santuario.apache.org by "Scott Cantor (JIRA)" <ji...@apache.org> on 2010/12/07 19:34:22 UTC

[jira] Updated: (SANTUARIO-86) SHA256 Signature with SHA1 OID

     [ https://issues.apache.org/jira/browse/SANTUARIO-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated SANTUARIO-86:
----------------------------------

    Fix Version/s: C++ 1.5.1
         Assignee:     (was: XML Security Developers Mailing List)

> SHA256 Signature with SHA1 OID
> ------------------------------
>
>                 Key: SANTUARIO-86
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-86
>             Project: Santuario
>          Issue Type: Bug
>          Components: C++
>    Affects Versions: C++ 1.2.0
>         Environment: Operating System: All
> Platform: All
>            Reporter: Randy Eye
>             Fix For: C++ 1.5.1
>
>
> I am using the 1.2.1 C++ library to validate an XML document signed with an
> RSA-SHA256 signature (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256).  The
> library expects the OID value within the decrypted signature to be the ASN.1 BER
> encoding for SHA1 (even though it will properly calculate a SHA256 hash for
> comparison).
> According to RFC4051, Section 2.3.2, the OID in the signed portion must be the
> ASN.1 BER SHA-256 algorithm designator for RSA-SHA256.   In looking at this
> code, I believe that this bug exists for all versions of SHA other than SHA1.
> If the XSEC library is used to produce the signature, the SHA1 OID is pre-pended
> to the hash and the validation is successful (although out of specification and
> not interoperable with other implementations).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
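
Added example, not part of the JIRA message or the XSEC code base: a check that the DigestInfo header recovered from an RSA PKCS #1 v1.5 signature names the hash that the SignatureMethod URI requires, which is the mismatch the report describes. It assumes the caller has already applied the RSA public key and stripped the padding; all names (Alg, checkDigestInfo, hashNamedByOid, sample) are hypothetical and the sample inputs are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

// DER DigestInfo headers from PKCS #1 (RFC 3447, section 9.2), each paired
// with the XML Signature method URI that requires it.
struct Alg { std::string uri; std::string hash; Bytes prefix; size_t digestLen; };
static const std::vector<Alg> kAlgs = {
  {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA-1",
   {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14}, 20},
  {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA-256",
   {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20}, 32},
  {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "SHA-384",
   {0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30}, 48},
  {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "SHA-512",
   {0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40}, 64},
};

enum class Verdict { Ok, OidMismatch, Malformed, UnknownMethod };

static bool startsWith(const Bytes& di, const Bytes& p) {
  return di.size() >= p.size() && std::equal(p.begin(), p.end(), di.begin());
}

// Name of the hash whose DigestInfo header begins `di`, or "" if none does.
std::string hashNamedByOid(const Bytes& di) {
  for (const Alg& a : kAlgs) if (startsWith(di, a.prefix)) return a.hash;
  return "";
}

// Compare the recovered DigestInfo with the header the SignatureMethod URI
// requires; a known header for a different hash is reported as OidMismatch.
Verdict checkDigestInfo(const std::string& methodUri, const Bytes& di) {
  for (const Alg& a : kAlgs) {
    if (a.uri != methodUri) continue;
    if (!startsWith(di, a.prefix))
      return hashNamedByOid(di).empty() ? Verdict::Malformed : Verdict::OidMismatch;
    return di.size() == a.prefix.size() + a.digestLen ? Verdict::Ok : Verdict::Malformed;
  }
  return Verdict::UnknownMethod;
}

// Constructed sample: a header plus n zero bytes standing in for a digest.
// The exact bytes the affected library emitted are an assumption here.
Bytes sample(const Bytes& header, size_t n) {
  Bytes out = header; out.insert(out.end(), n, 0x00); return out;
}
```

Run against `sample(kAlgs[0].prefix, 32)` with the rsa-sha256 URI, the check reports `OidMismatch` and `hashNamedByOid` returns `SHA-1`, which makes a non-interoperable signature visible in a log before the digest comparison is attempted.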