<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style id="owaParaStyle">  P {margin-top:0;margin-bottom:0;}</style> </head> <body ocsi="0" fpstyle="1"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <p>Hello Dogtag Gurus,</p> <p> </p> <p>I have been trying to issue CMC revocation messages signed with SHA-256, but the server fails to validate the message in the CMCAuth java policy module. If I leave all fields the same but change the signature algorithm to SHA-1 then everything seems to work fine.</p> <p> </p> <p>I suspect this is another side-effect of the root-cause for bug 824624. It seems like in certain cases with JSS 4.2.6 when PKCS#7 messages are created using any of the SHA-2 variants, the OIDs get messed up. This happened with SCEP responses from the CA (the bug referenced above) and I had it happen with the CMC revoke modifications I made. The latter issue was fixed by pulling down JSS 4.3 and loading that jar in the classpath for the modified CMCRevoke tool. However, on the server side I ended up seeing verification failures.<br> </p> <p> </p> <p>I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4. At one point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS 4.3 or later. Is that still the case with the latest 9.0 packages?</p> <p><br> </p> <p>Has anyone had any success generating these CMC messages using SHA-2 hash algs and getting Dogtag to accept them?</p> <p><br> </p> <p>Thanks,</p> <p>Jamil<br> </p> </div> </div> </body> </html>