diff options
| author | Christina Fu <cfu@dhcp-16-189.sjc.redhat.com> | 2017-01-20 16:01:17 -0800 |
|---|---|---|
| committer | Christina Fu <cfu@dhcp-16-189.sjc.redhat.com> | 2017-01-26 11:20:19 -0800 |
| commit | 76ca6d1691e56274945b6f03760273208fafd791 (patch) | |
| tree | f338955177636ba97f4129b4ff541aec88498875 /base/util | |
| parent | 48cefdea31e62d49c8b728576d29e0f298141a04 (diff) | |
| download | pki-76ca6d1691e56274945b6f03760273208fafd791.tar.gz pki-76ca6d1691e56274945b6f03760273208fafd791.tar.xz pki-76ca6d1691e56274945b6f03760273208fafd791.zip | |
Ticket #1741 ECDSA certs Alg IDs contian parameter field
Per rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
Note: Since we do not support DSA, this patch does not attempt to address them.
Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness. However, it does not attempt to offer it as part of the signing algorithms.
Diffstat (limited to 'base/util')
| -rw-r--r-- | base/util/src/netscape/security/x509/AlgorithmId.java | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java index 08c9c4f46..a89843e0a 100644 --- a/base/util/src/netscape/security/x509/AlgorithmId.java +++ b/base/util/src/netscape/security/x509/AlgorithmId.java @@ -230,10 +230,18 @@ public class AlgorithmId implements Serializable, DerEncoder { try (DerOutputStream tmp = new DerOutputStream()) { DerOutputStream bytes = new DerOutputStream(); bytes.putOID(algid); - if (params == null) - bytes.putNull(); - else - bytes.putDerValue(params); + + // omit parameter field for ECDSA + if (!algid.equals(sha224WithEC_oid) && + !algid.equals(sha256WithEC_oid) && + !algid.equals(sha384WithEC_oid) && + !algid.equals(sha512WithEC_oid)) { + if (params == null) { + bytes.putNull(); + } else + bytes.putDerValue(params); + } + tmp.write(DerValue.tag_Sequence, bytes); out.write(tmp.toByteArray()); } @@ -246,12 +254,19 @@ public class AlgorithmId implements Serializable, DerEncoder { public final byte[] encode() throws IOException { try (DerOutputStream out = new DerOutputStream()) { DerOutputStream bytes = new DerOutputStream(); - bytes.putOID(algid); - if (params == null) - bytes.putNull(); - else - bytes.putDerValue(params); + + // omit parameter field for ECDSA + if (!algid.equals(sha224WithEC_oid) && + !algid.equals(sha256WithEC_oid) && + !algid.equals(sha384WithEC_oid) && + !algid.equals(sha512WithEC_oid)) { + if (params == null) { + bytes.putNull(); + } else + bytes.putDerValue(params); + } + out.write(DerValue.tag_Sequence, bytes); return out.toByteArray(); } @@ -314,6 +329,9 @@ public class AlgorithmId implements Serializable, DerEncoder { if (name.equals("SHA1withEC") || name.equals("SHA1/EC") || name.equals("1.2.840.10045.4.1")) return AlgorithmId.sha1WithEC_oid; + if (name.equals("SHA224withEC") || name.equals("SHA224/EC") + || name.equals("1.2.840.10045.4.3.1")) + return AlgorithmId.sha224WithEC_oid; if (name.equals("SHA256withEC") || name.equals("SHA256/EC") || name.equals("1.2.840.10045.4.3.2")) return AlgorithmId.sha256WithEC_oid; @@ -646,6 +664,8 @@ public class AlgorithmId implements Serializable, DerEncoder { */ private static final int sha1WithEC_data[] = { 1, 2, 840, 10045, 4, 1 }; + private static final int sha224WithEC_data[] = + { 1, 2, 840, 10045, 4, 3, 1 }; private static final int sha256WithEC_data[] = { 1, 2, 840, 10045, 4, 3, 2 }; private static final int sha384WithEC_data[] = @@ -676,6 +696,9 @@ public class AlgorithmId implements Serializable, DerEncoder { public static final ObjectIdentifier sha1WithEC_oid = new ObjectIdentifier(sha1WithEC_data); + public static final ObjectIdentifier sha224WithEC_oid = new + ObjectIdentifier(sha224WithEC_data); + public static final ObjectIdentifier sha256WithEC_oid = new ObjectIdentifier(sha256WithEC_data); |