<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Jamil,<br>
<br>
We made an effort to support SHA2 where we can but might have missed
a few places. I'll look into this and hopefully be able to get back
to you in a few days.<br>
<br>
thanks,<br>
Christina<br>
<br>
On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:
<blockquote
cite="mid:6A95FA630FB5124C886BAD159CDBA1F016D5CA54@wdc1exchmbxp05.hq.corp.viasat.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style id="owaParaStyle">
<!--
p
{margin-top:0px;
margin-bottom:0px}
-->
P {margin-top:0;margin-bottom:0;}</style>
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0,
0, 0); font-size: 10pt;">
<p>Hello Dogtag Gurus,</p>
<p> </p>
<p>I have been trying to issue CMC revocation messages signed
with SHA-256, but the server fails to validate the message
in the CMCAuth java policy module. If I leave all fields
the same but change the signature algorithm to SHA-1 then
everything seems to work fine.</p>
<p> </p>
<p>I suspect this is another side-effect of the root-cause for
bug 824624. It seems like in certain cases with JSS 4.2.6
when PKCS#7 messages are created using any of the SHA-2
variants, the OIDs get messed up. This happened with SCEP
responses from the CA (the bug referenced above) and I had
it happen with the CMC revoke modifications I made. The
latter issue was fixed by pulling down JSS 4.3 and loading
that jar in the classpath for the modified CMCRevoke tool.
However, on the server side I ended up seeing verification
failures.<br>
</p>
<p> </p>
<p>I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4.
At one point I had heard that Dogtag 9.0.X wasn't 100% safe
to run with JSS 4.3 or later. Is that still the case with
the latest 9.0 packages?</p>
<p><br>
</p>
<p>Has anyone had any success generating these CMC messages
using SHA-2 hash algs and getting Dogtag to accept them?</p>
<p><br>
</p>
<p>Thanks,</p>
<p>Jamil<br>
</p>
</div>
</div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</body>
</html>