[Pki-users] SHA-256 signed CMC revocation messages failing to verify on server

Christina Fu cfu at redhat.com
Wed Sep 26 03:46:17 UTC 2012 

Hi Jamil,

I tried to reproduce your issue, but I seemed to be able to generate CMC 
revocation request with SHA-256 digest.  I have to admit that my main 
development machine is RHEL and I work on RHCS8.1 tree.

I changed all "SHA1" to "SHA256" in CMCRevoke.java (with the exception 
with DSA), compiled, and it just worked.  Did you do anything different?

I could see in dumpasn1 where SHA245 is in place:

                C-Sequence  (13)
                   Object Identifier  (9)
                      1 2 840 113549 1 1 11 (PKCS #1 SHA-256 With RSA Encryption)
                   NULL  (0)

Christina

On 09/19/2012 11:19 AM, Christina Fu wrote:
> Hi Jamil,
>
> We made an effort to support SHA2 where we can but might have missed a 
> few places.  I'll look into this and hopefully be able to get back to 
> you in a few days.
>
> thanks,
> Christina
>
> On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:
>>
>> Hello Dogtag Gurus,
>>
>> I have been trying to issue CMC revocation messages signed with 
>> SHA-256, but the server fails to validate the message in the CMCAuth 
>> java policy module.  If I leave all fields the same but change the 
>> signature algorithm to SHA-1 then everything seems to work fine.
>>
>> I suspect this is another side-effect of the root-cause for bug 
>> 824624.  It seems like in certain cases with JSS 4.2.6 when PKCS#7 
>> messages are created using any of the SHA-2 variants, the OIDs get 
>> messed up.  This happened with SCEP responses from the CA (the bug 
>> referenced above) and I had it happen with the CMC revoke 
>> modifications I made.  The latter issue was fixed by pulling down JSS 
>> 4.3 and loading that jar in the classpath for the modified CMCRevoke 
>> tool.  However, on the server side I ended up seeing verification 
>> failures.
>>
>> I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4.  At one 
>> point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS 
>> 4.3 or later.  Is that still the case with the latest 9.0 packages?
>>
>>
>> Has anyone had any success generating these CMC messages using SHA-2 
>> hash algs and getting Dogtag to accept them?
>>
>>
>> Thanks,
>>
>> Jamil
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20120925/577b763e/attachment.htm>

More information about the Pki-users mailing list