<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
oh, and I forgot to mention that I submitted the revocation request
through EE CMC revocation (on an RHCS 8.1 CA instance) and the
certificate was promptly revoked.<br>
<br>
Christina<br>
<br>
On 09/25/2012 08:46 PM, Christina Fu wrote:
<blockquote cite="mid:50627A89.9080407@redhat.com" type="cite">
Hi Jamil,<br>
<br>
I tried to reproduce your issue, but I seemed to be able to
generate a CMC revocation request with SHA-256 digest. I have to
admit that my main development machine is RHEL and I work on the
RHCS 8.1 tree.<br>
<br>
I changed all "SHA1" to "SHA256" in CMCRevoke.java (with the
exception of DSA), compiled, and it just worked. Did you do
anything different?<br>
<br>
I could see in dumpasn1 where SHA256 is in place:<br>
<pre> C-Sequence (13)
Object Identifier (9)
1 2 840 113549 1 1 11 (PKCS #1 SHA-256 With RSA Encryption)
NULL (0)
</pre>
Christina<br>
<br>
On 09/19/2012 11:19 AM, Christina Fu wrote:
<blockquote cite="mid:505A0C9D.1000709@redhat.com" type="cite">
Hi Jamil,<br>
<br>
We made an effort to support SHA2 where we can but might have
missed a few places. I'll look into this and hopefully be able
to get back to you in a few days.<br>
<br>
thanks,<br>
Christina<br>
<br>
On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:
<blockquote
cite="mid:6A95FA630FB5124C886BAD159CDBA1F016D5CA54@wdc1exchmbxp05.hq.corp.viasat.com"
type="cite">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0,
0, 0); font-size: 10pt;">
<div style="direction: ltr; font-family: Tahoma; color:
rgb(0, 0, 0); font-size: 10pt;">
<p>Hello Dogtag Gurus,</p>
<p> </p>
<p>I have been trying to issue CMC revocation messages
signed with SHA-256, but the server fails to validate
the message in the CMCAuth java policy module. If I
leave all fields the same but change the signature
algorithm to SHA-1 then everything seems to work fine.</p>
<p> </p>
<p>I suspect this is another side-effect of the root-cause
for bug 824624. It seems like in certain cases with JSS
4.2.6 when PKCS#7 messages are created using any of the
SHA-2 variants, the OIDs get messed up. This happened
with SCEP responses from the CA (the bug referenced
above) and I had it happen with the CMC revoke
modifications I made. The latter issue was fixed by
pulling down JSS 4.3 and loading that jar in the
classpath for the modified CMCRevoke tool. However, on
the server side I ended up seeing verification failures.<br>
</p>
<p> </p>
<p>I'm running pki-common-9.0.20, jss 4.2.6, and NSS
3.13.4. At one point I had heard that Dogtag 9.0.X
wasn't 100% safe to run with JSS 4.3 or later. Is that
still the case with the latest 9.0 packages?</p>
<p><br>
</p>
<p>Has anyone had any success generating these CMC
messages using SHA-2 hash algs and getting Dogtag to
accept them?</p>
<p><br>
</p>
<p>Thanks,</p>
<p>Jamil<br>
</p>
</div>
</div>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
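<p>The dumpasn1 output quoted above shows the check that settles a dispute like this one: the signature AlgorithmIdentifier in the CMC/PKCS#7 message either carries the sha256WithRSAEncryption OID (1.2.840.113549.1.1.11) or it does not. The following Python script is an added example, not code from the thread or from Dogtag/JSS; it decodes a DER AlgorithmIdentifier by hand, maps the OID to its PKCS#1 name, and flags SHA-1 so a reviewer can confirm what the tool actually emitted before blaming the server-side verifier. The two sample encodings are constructed inline and are assumed to be the only input.</p>
<pre>
```python
"""Decode the signature AlgorithmIdentifier of a DER blob (added example).

Assumes a plain DER AlgorithmIdentifier:  SEQUENCE { OID, NULL }.
The two sample encodings below are constructed for this example.
"""
from typing import Dict, Tuple

# PKCS#1 signature OIDs (RFC 3279 / RFC 4055 / RFC 8017).
SIGNATURE_OIDS: Dict[str, str] = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# Constructed samples: SEQUENCE { OID sha256WithRSA, NULL } and the SHA-1 variant.
SHA256_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d01010b0500")
SHA1_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101050500")


def read_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn OID content octets into dotted notation (first byte packs two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(alg_id_der: bytes) -> Tuple[str, str]:
    """Return (dotted OID, name) for a DER AlgorithmIdentifier."""
    tag, seq, _ = read_tlv(alg_id_der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_val, _ = read_tlv(seq)
    if oid_tag != 0x06:
        raise ValueError("first element of AlgorithmIdentifier must be an OID")
    oid = decode_oid(oid_val)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def check_algorithm(alg_id_der: bytes) -> Tuple[str, str, bool]:
    """Report the algorithm and whether it meets a SHA-2-only policy."""
    oid, name = signature_algorithm(alg_id_der)
    accepted = name.startswith(("sha256", "sha384", "sha512"))
    return oid, name, accepted


if __name__ == "__main__":
    for label, blob in (("sha256 sample", SHA256_RSA_ALG_ID), ("sha1 sample", SHA1_RSA_ALG_ID)):
        oid, name, ok = check_algorithm(blob)
        print(f"{label}: {oid} ({name}) accepted={ok}")
```
</pre>
<p>Run on a real message, you would first locate the SignerInfo's signatureAlgorithm element (dumpasn1 offsets are convenient for that) and feed its bytes to <code>check_algorithm</code>; a result of <code>sha1WithRSAEncryption</code> on a message the tool was supposed to sign with SHA-256 points at the client-side OID handling rather than the CA's verifier.</p>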
</body>
</html>