[Pki-users] SHA-256 signed CMC revocation messages failing to verify on server
Christina Fu
cfu at redhat.com
Wed Sep 26 03:48:27 UTC 2012
oh, and I forgot to mention that I submitted the revocation request
through EE CMC revocation (on an RHCS 8.1 CA instance) and the
certificate was promptly revoked.
Christina
On 09/25/2012 08:46 PM, Christina Fu wrote:
> Hi Jamil,
>
> I tried to reproduce your issue, but I seemed to be able to generate
> CMC revocation request with SHA-256 digest. I have to admit that my
> main development machine is RHEL and I work on RHCS8.1 tree.
>
> I changed all "SHA1" to "SHA256" in CMCRevoke.java (with the exception
> with DSA), compiled, and it just worked. Did you do anything different?
>
> I could see in dumpasn1 where SHA245 is in place:
> C-Sequence (13)
> Object Identifier (9)
> 1 2 840 113549 1 1 11 (PKCS #1 SHA-256 With RSA Encryption)
> NULL (0)
> Christina
>
> On 09/19/2012 11:19 AM, Christina Fu wrote:
>> Hi Jamil,
>>
>> We made an effort to support SHA2 where we can but might have missed
>> a few places. I'll look into this and hopefully be able to get back
>> to you in a few days.
>>
>> thanks,
>> Christina
>>
>> On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:
>>>
>>> Hello Dogtag Gurus,
>>>
>>> I have been trying to issue CMC revocation messages signed with
>>> SHA-256, but the server fails to validate the message in the CMCAuth
>>> java policy module. If I leave all fields the same but change the
>>> signature algorithm to SHA-1 then everything seems to work fine.
>>>
>>> I suspect this is another side-effect of the root-cause for bug
>>> 824624. It seems like in certain cases with JSS 4.2.6 when PKCS#7
>>> messages are created using any of the SHA-2 variants, the OIDs get
>>> messed up. This happened with SCEP responses from the CA (the bug
>>> referenced above) and I had it happen with the CMC revoke
>>> modifications I made. The latter issue was fixed by pulling down
>>> JSS 4.3 and loading that jar in the classpath for the modified
>>> CMCRevoke tool. However, on the server side I ended up seeing
>>> verification failures.
>>>
>>> I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4. At one
>>> point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS
>>> 4.3 or later. Is that still the case with the latest 9.0 packages?
>>>
>>>
>>> Has anyone had any success generating these CMC messages using SHA-2
>>> hash algs and getting Dogtag to accept them?
>>>
>>>
>>> Thanks,
>>>
>>> Jamil
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20120925/dc42c02c/attachment.htm>
More information about the Pki-users
mailing list