[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Changing signature algorithm

Trunk? The latest snapshot on ftp is 8.1 rc3 but that doesn't have peer-alg. It seems peer-alg can be used somewhere along krb5_pk_create_sign or other func to set the signatureAlgo to a desired value.

On the other point, it sounds like the signature algorithm can be kept as is but changing the oid to ...1.1.1 is really all that packetcable is requiring. It seems like an odd requirement.


----- Original Message ----

From: Love Hörnquist Åstrand <lha@kth.se>

To: heimdal-discuss@sics.se; Tom Hansen <hansentf@yahoo.com>

Sent: Wednesday, June 6, 2007 5:01:19 PM

Subject: Re: Changing signature algorithm

Hello Tom,

I thinks its one of the misuses of CMS in packet-cable. Its really  

rsa-with-sha1, but it say in the AlgoritmIdentifier its bare-rsa.  

Just checked the old code that supported packet-cable.

If you try the trunk I just added code for support of this. The  

testcase test_cms exersices this code, specificly:

hxtool cms-create-sd --peer-alg=1.2.840.113549.1.1.1 -- 

certificate=FILE:cert.pem in-file out-file

Basicly it allocates an hx509_peer_info() and say that the client  

only supports rsa and not rsa-with-sha1.

It needs adaption to the current pk-init code, but that shouldn't be  

too hard.

Can you check if that solves your problem ?


6 jun 2007 kl. 10.15 skrev Tom Hansen:

> Yes. This is a packetcable requirement that singerInfos have a  

> digestAlgo of sha1 and signatureAlgo of RSA. The function  

> rsa_create_signature() only supports RSAwithSHA1. Modifying it for  

> RSA results in recursive loop. It's not clear to me why this is.


> Tom


> ----- Original Message ----

> From: Love Hörnquist Åstrand <lha@kth.se>

> To: heimdal-discuss@sics.se; hansentf@yahoo.com

> Sent: Tuesday, June 5, 2007 11:49:04 PM

> Subject: Re: Changing signature algorithm


> > I'm trying some changes to pkinit and wanting to understand the

> > piece of code

> > below. Specifically I want to change the signature algorithm from

> > RSA with SHA1

> > to just RSA. Doing so fails since lib/hx509/crypto.c:

> > rsa_create_signature()

> > does not support it. Why?


> RSA on non-digests is not very common, already done the digest ?


> Love





> Shape Yahoo! in your own image. Join our Network Research Panel today!

Be a better Globetrotter. Get better travel answers from someone who knows. Yahoo! Answers - Check it out.