Re: [Pki-users] SHA-256 signed CMC revocation messages failing to verify on server

Hi Jamil, I tried to reproduce your issue, but I seemed to be able to generate CMC revocation request with SHA-256 digest. I have to admit that my main development machine is RHEL and I work on RHCS8.1 tree. I changed all "SHA1" to "SHA256" in CMCRevoke.java (with the exception with DSA), compiled, and it just worked. Did you do anything different? I could see in dumpasn1 where SHA245 is in place: C-Sequence (13) Object Identifier (9) 1 2 840 113549 1 1 11 (PKCS #1 SHA-256 With RSA Encryption) NULL (0) Christina On 09/19/2012 11:19 AM, Christina Fu wrote: > Hi Jamil, > > We made an effort to support SHA2 where we can but might have missed > a few places. I'll look into this and hopefully be able to get back > to you in a few days. > > thanks, > Christina > > On 09/19/2012 12:44 AM, Nimeh, Jamil wrote: >> >> Hello Dogtag Gurus, >> >> I have been trying to issue CMC revocation messages signed with >> SHA-256, but the server fails to validate the message in the CMCAuth >> java policy module. If I leave all fields the same but change the >> signature algorithm to SHA-1 then everything seems to work fine. >> >> I suspect this is another side-effect of the root-cause for bug >> 824624. It seems like in certain cases with JSS 4.2.6 when PKCS#7 >> messages are created using any of the SHA-2 variants, the OIDs get >> messed up. This happened with SCEP responses from the CA (the bug >> referenced above) and I had it happen with the CMC revoke >> modifications I made. The latter issue was fixed by pulling down >> JSS 4.3 and loading that jar in the classpath for the modified >> CMCRevoke tool. However, on the server side I ended up seeing >> verification failures. >> >> I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4. At one >> point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS >> 4.3 or later. Is that still the case with the latest 9.0 packages? >> >> >> Has anyone had any success generating these CMC messages using SHA-2 >> hash algs and getting Dogtag to accept them? >> >> >> Thanks, >> >> Jamil >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users(a)redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users