mace-opensaml-users - Re: SHA256
Subject: OpenSAML user discussion
- From: Marius Scurtescu
- To: Scott Cantor
- Subject: Re: SHA256
- Date: Tue, 08 Mar 2005 11:23:08 -0800
- Organization: Sxip Identity Corp.
Scott Cantor wrote:
I say 'mostly' because there still is a digest inside the SAML which
is done with SHA1 and I could not find a way to make this one use
SHA256.
All I do is pass in whatever algorithm you give me. If xmlsec is internally
forcing SHA-1, it's not because I told it to, so I don't know that I can
override it, but if you say you managed it...
What happens if you pass in the ALGO_ID_SIGNATURE_RSA_SHA256 constant to
sign()?
That is exactly what I did, and the signature ends up as expected,
SHA256.
The only problem I can see is the fact that the digest is still done
using SHA1 and there is no parameter to override this. The digest
flag MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256 seems to be the
recommended one, but SHA1 is the only one required (in xmlsec 1.2.1).
However, this is all academic. The C++ library and openssl don't support
SHA256 yet, so it's a moot point unless your interest is solely to talk to
implementations you control.
I know that OpenSSL does not support this. We control both ends so this
is not an issue for us.
From an interop standpoint, it turns out that RSA-SHA1 is it (excluding
DSA). This is a problem, IMHO, but it's not one we can fix in code because
the spec only required SHA-1.
-- Scott
Thanks,
Marius
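
The mismatch discussed in this thread (a SHA-256 SignatureMethod with a Reference digest still computed with SHA-1) can be checked by inspecting the emitted XML. The following is an added example, not code from the thread or from OpenSAML or xmlsec; the sample document, its placeholder values and the function name `audit_signatures` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}

# Constructed sample: RSA-SHA256 signature method, SHA-1 reference digest.
SAMPLE = """<Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" AssertionID="a1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</Assertion>"""


def audit_signatures(xml_text):
    """Report, per ds:Signature, the SignatureMethod, each Reference's
    DigestMethod, and every place SHA-1 is still used.
    Intended for documents your own signer produced, not untrusted input."""
    reports = []
    root = ET.fromstring(xml_text)
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        sig_alg = sm.get("Algorithm") if sm is not None else None
        findings = []
        if sig_alg in SHA1_ALGS:
            findings.append("SignatureMethod uses SHA-1")
        digests = []
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            dm = ref.find("ds:DigestMethod", NS)
            alg = dm.get("Algorithm") if dm is not None else None
            digests.append((ref.get("URI"), alg))
            if alg in SHA1_ALGS:
                findings.append("Reference %s digest uses SHA-1" % ref.get("URI"))
        reports.append({"signature": sig_alg, "digests": digests, "findings": findings})
    return reports


if __name__ == "__main__":
    for report in audit_signatures(SAMPLE):
        print(report)
```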