C++ lib support for SHA-256, etc.?

[Scott Cantor <ca...@osu.edu>]

In light of the recent talk about SHA-1 being weakened, does the C++ xmlsec
library support the stronger SHA hashing algorithms at this point?

I see the constants defined in the Java version, but I can't use them if
they won't interop.

I suspect adding the support isn't too hard, but I don't have an ASF contrib
form on file, so it's not a simple matter for me to donate the work if I do
it, so I thought I'd ask first.

-- Scott

Re: C++ lib support for SHA-256, etc.?

[Berin Lautenbach <be...@wingsofhermes.org>]

Scott,

Just been reading about it.  (Was away for a few days.)

The reason it's not there now is neither Windows CAPI nor OpenSSL 
supported -256 or -512 when the hashing functions were first implemented.

I notice the development branch of OpenSSL now includes SHA-256/512 so I 
might look at compiling up 0.9.8-dev and see how it goes.

Otherwise we'll have to actually implement the algorithm.  Mind you - 
that's not that difficult to do, it's just not likely to be as quick as 
the OpenSSL implementation.

Cheers,
	Berin

Scott Cantor wrote:
> In light of the recent talk about SHA-1 being weakened, does the C++ xmlsec
> library support the stronger SHA hashing algorithms at this point?
> 
> I see the constants defined in the Java version, but I can't use them if
> they won't interop.
> 
> I suspect adding the support isn't too hard, but I don't have an ASF contrib
> form on file, so it's not a simple matter for me to donate the work if I do
> it, so I thought I'd ask first.
> 
> -- Scott
> 
> 
> 

RE: C++ lib support for SHA-256, etc.?

[Scott Cantor <ca...@osu.edu>]

> No, C++ lib doesn't support SHA-256 or stronger. It supports only MD5
> and SHA1 due to Windows CryptoAPI and OpenSSL limitations.

Thanks, didn't realize that.

> However, if you don't trust SHA1 anymore, you should consider that many
> digital certificates used for signing are signed using SHA1 (or even
> MD5) digest algs. :(

The recent attack is not my concern so much as the reliance on a single hash
supported by the library instead of at least a few different options. My
point being that if we don't have more algorithms in common between
different libraries, when and if SHA-1 gets totally broken, everyone is
screwed.

I also think it's a mistake for XMLSig and similar specs to require only one
or two algorithms be supported. It's a recipe for a big mess later, seems to
me.

-- Scott

RE: C++ lib support for SHA-256, etc.?

[Milan Tomic <mi...@setcce.org>]

No, C++ lib doesn't support SHA-256 or stronger. It supports only MD5
and SHA1 due to Windows CryptoAPI and OpenSSL limitations.

However, if you don't trust SHA1 anymore, you should consider that many
digital certificates used for signing are signed using SHA1 (or even
MD5) digest algs. :(

Best regards,
Milan


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu] 
> Sent: Wednesday, February 16, 2005 7:21 PM
> To: security-dev@xml.apache.org
> Subject: C++ lib support for SHA-256, etc.?
> 
> 
> In light of the recent talk about SHA-1 being weakened, does 
> the C++ xmlsec library support the stronger SHA hashing 
> algorithms at this point?
> 
> I see the constants defined in the Java version, but I can't 
> use them if they won't interop.
> 
> I suspect adding the support isn't too hard, but I don't have 
> an ASF contrib form on file, so it's not a simple matter for 
> me to donate the work if I do it, so I thought I'd ask first.
> 
> -- Scott
>