[Pki-users] SHA-256 signed CMC revocation messages failing to verify on server

Christina Fu cfu at redhat.com
Wed Sep 19 18:19:09 UTC 2012


Hi Jamil,

We made an effort to support SHA2 where we can but might have missed a 
few places.  I'll look into this and hopefully be able to get back to 
you in a few days.

thanks,
Christina

On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:
>
> Hello Dogtag Gurus,
>
> I have been trying to issue CMC revocation messages signed with 
> SHA-256, but the server fails to validate the message in the CMCAuth 
> java policy module.  If I leave all fields the same but change the 
> signature algorithm to SHA-1 then everything seems to work fine.
>
> I suspect this is another side-effect of the root-cause for bug 
> 824624.  It seems like in certain cases with JSS 4.2.6 when PKCS#7 
> messages are created using any of the SHA-2 variants, the OIDs get 
> messed up.  This happened with SCEP responses from the CA (the bug 
> referenced above) and I had it happen with the CMC revoke 
> modifications I made.  The latter issue was fixed by pulling down JSS 
> 4.3 and loading that jar in the classpath for the modified CMCRevoke 
> tool.  However, on the server side I ended up seeing verification 
> failures.
>
> I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4.  At one 
> point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS 
> 4.3 or later.  Is that still the case with the latest 9.0 packages?
>
>
> Has anyone had any success generating these CMC messages using SHA-2 
> hash algs and getting Dogtag to accept them?
>
>
> Thanks,
>
> Jamil
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20120919/86790d75/attachment.htm>


More information about the Pki-users mailing list