[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Changing signature algorithm

Hello Tom,

I thinks its one of the misuses of CMS in packet-cable. Its really  
rsa-with-sha1, but it say in the AlgoritmIdentifier its bare-rsa.  
Just checked the old code that supported packet-cable.

If you try the trunk I just added code for support of this. The  
testcase test_cms exersices this code, specificly:

hxtool cms-create-sd --peer-alg=1.2.840.113549.1.1.1 -- 
certificate=FILE:cert.pem in-file out-file

Basicly it allocates an hx509_peer_info() and say that the client  
only supports rsa and not rsa-with-sha1.
It needs adaption to the current pk-init code, but that shouldn't be  
too hard.

Can you check if that solves your problem ?


6 jun 2007 kl. 10.15 skrev Tom Hansen:

> Yes. This is a packetcable requirement that singerInfos have a  
> digestAlgo of sha1 and signatureAlgo of RSA. The function  
> rsa_create_signature() only supports RSAwithSHA1. Modifying it for  
> RSA results in recursive loop. It's not clear to me why this is.
> Tom
> ----- Original Message ----
> From: Love Hörnquist Åstrand <lha@kth.se>
> To: heimdal-discuss@sics.se; hansentf@yahoo.com
> Sent: Tuesday, June 5, 2007 11:49:04 PM
> Subject: Re: Changing signature algorithm
> > I'm trying some changes to pkinit and wanting to understand the
> > piece of code
> > below. Specifically I want to change the signature algorithm from
> > RSA with SHA1
> > to just RSA. Doing so fails since lib/hx509/crypto.c:
> > rsa_create_signature()
> > does not support it. Why?
> RSA on non-digests is not very common, already done the digest ?
> Love
> Shape Yahoo! in your own image. Join our Network Research Panel today!