Skip to Content.
Sympa Menu

mace-opensaml-users - Re: SHA256

Subject: OpenSAML user discussion

List archive

Re: SHA256


Chronological Thread 
  • From: Marius Scurtescu <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: Re: SHA256
  • Date: Tue, 08 Mar 2005 11:23:08 -0800
  • Organization: Sxip Identity Corp.

Scott Cantor wrote:
I say 'mostly' because there still is a digest inside the SAML which
is done with SHA1 and I could not find a way to make this one use
SHA256.


All I do is pass in whatever algorithm you give me. If xmlsec is internally
forcing SHA-1, it's not because I told it to, so I don't know that I can
override it, but if you say you managed it...

What happens if you pass in the ALGO_ID_SIGNATURE_RSA_SHA256 constant to
sign()?

That is exactly what I did, and the signatures ends up as expected,
SHA256.

The only problem I can see is the fact that the digest is still done
using SHA1 and there is no parameter to override this. The digest
flag MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256 seems to be the
recommended one, but SHA1 is the only required (in xmlsec 1.2.1).


However, this is all academic. The C++ library and openssl don't support
SHA256 yet, so it's a moot point unless your interest is solely to talk to
implementations you control.

I know that OpenSSL does not support this. We control both ends so this
is not an issue for us.


From an interop standpoint, it turns out that RSA-SHA1 is it (excluding
DSA). This is a problem, IMHO, but it's not one we can fix in code because
the spec only required SHA-1.

-- Scott


Thanks,
Marius


  • SHA256, Marius Scurtescu, 03/08/2005
    • RE: SHA256, Scott Cantor, 03/08/2005
      • Re: SHA256, Marius Scurtescu, 03/08/2005

Archive powered by MHonArc 2.6.16.

Top of Page