oh, and I forgot to mention that I submitted the revocation request through EE CMC revocation (on an RHCS 8.1 CA instance) and the certificate was promptly revoked.

Christina

On 09/25/2012 08:46 PM, Christina Fu wrote:
Hi Jamil,

I tried to reproduce your issue, but I seemed to be able to generate CMC revocation request with SHA-256 digest.  I have to admit that my main development machine is RHEL and I work on RHCS8.1 tree.

I changed all "SHA1" to "SHA256" in CMCRevoke.java (with the exception with DSA), compiled, and it just worked.  Did you do anything different?

I could see in dumpasn1 where SHA245 is in place:
               C-Sequence  (13)
                  Object Identifier  (9)
                     1 2 840 113549 1 1 11 (PKCS #1 SHA-256 With RSA Encryption)
                  NULL  (0)
Christina

On 09/19/2012 11:19 AM, Christina Fu wrote:
Hi Jamil,

We made an effort to support SHA2 where we can but might have missed a few places.  I'll look into this and hopefully be able to get back to you in a few days.

thanks,
Christina

On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:

Hello Dogtag Gurus,

 

I have been trying to issue CMC revocation messages signed with SHA-256, but the server fails to validate the message in the CMCAuth java policy module.  If I leave all fields the same but change the signature algorithm to SHA-1 then everything seems to work fine.

 

I suspect this is another side-effect of the root-cause for bug 824624.  It seems like in certain cases with JSS 4.2.6 when PKCS#7 messages are created using any of the SHA-2 variants, the OIDs get messed up.  This happened with SCEP responses from the CA (the bug referenced above) and I had it happen with the CMC revoke modifications I made.  The latter issue was fixed by pulling down JSS 4.3 and loading that jar in the classpath for the modified CMCRevoke tool.  However, on the server side I ended up seeing verification failures.

 

I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4.  At one point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS 4.3 or later.  Is that still the case with the latest 9.0 packages?


Has anyone had any success generating these CMC messages using SHA-2 hash algs and getting Dogtag to accept them?


Thanks,

Jamil


_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users


_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users


_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users