commit ee6b7ede62f62c6ea4da7fbb88176762a0c1cbc2
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date:   Fri Jan 20 16:01:17 2017 -0800

    Ticket #1741 ECDSA certs Alg IDs contain parameter field
    Per rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
    Note: Since we do not support DSA, this patch does not attempt to address them.
    Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness.  However, it does not attempt to offer it as part of the signing algorithms.
    
    (cherry picked from commit 76ca6d1691e56274945b6f03760273208fafd791)
    (cherry picked from commit 1e567854e643f50a7ca1f24daac0e92359eafe81)

diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
index 08c9c4f..a89843e 100644
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
@@ -230,10 +230,18 @@ public class AlgorithmId implements Serializable, DerEncoder {
         try (DerOutputStream tmp = new DerOutputStream()) {
             DerOutputStream bytes = new DerOutputStream();
             bytes.putOID(algid);
-            if (params == null)
-                bytes.putNull();
-            else
-                bytes.putDerValue(params);
+
+            // omit parameter field for ECDSA
+            if (!algid.equals(sha224WithEC_oid) &&
+                    !algid.equals(sha256WithEC_oid) &&
+                    !algid.equals(sha384WithEC_oid) &&
+                    !algid.equals(sha512WithEC_oid)) {
+                if (params == null) {
+                    bytes.putNull();
+                } else
+                    bytes.putDerValue(params);
+            }
+
             tmp.write(DerValue.tag_Sequence, bytes);
             out.write(tmp.toByteArray());
         }
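Review bot: The new condition leaves `sha1WithEC_oid` out, so an ecdsa-with-SHA1 AlgorithmIdentifier is still written with a NULL (or caller-supplied) parameters field. RFC 3279 section 2.2.3 places the same omit-parameters requirement on that OID as RFC 5758 does on the SHA-2 variants. Adding `!algid.equals(sha1WithEC_oid) &&` as the first term would cover it. The identical four-way test is repeated in the `encode()` hunk at -246, so it may be worth moving it into one private predicate so the two encoders cannot drift apart. The enclosing method starts above this hunk, so its signature is not visible here.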
@@ -246,12 +254,19 @@ public class AlgorithmId implements Serializable, DerEncoder {
     public final byte[] encode() throws IOException {
         try (DerOutputStream out = new DerOutputStream()) {
             DerOutputStream bytes = new DerOutputStream();
-
             bytes.putOID(algid);
-            if (params == null)
-                bytes.putNull();
-            else
-                bytes.putDerValue(params);
+
+            // omit parameter field for ECDSA
+            if (!algid.equals(sha224WithEC_oid) &&
+                    !algid.equals(sha256WithEC_oid) &&
+                    !algid.equals(sha384WithEC_oid) &&
+                    !algid.equals(sha512WithEC_oid)) {
+                if (params == null) {
+                    bytes.putNull();
+                } else
+                    bytes.putDerValue(params);
+            }
+
             out.write(DerValue.tag_Sequence, bytes);
             return out.toByteArray();
         }
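Review bot: For the four listed OIDs this branch discards a non-null `params` without any signal, so an AlgorithmId that was built or decoded with parameters re-encodes to different bytes than it was given. If any caller relies on `encode()` to reproduce a parsed AlgorithmIdentifier, for example when comparing a certificate's inner and outer signature algorithm or re-serialising signed data, that would surface as a mismatch or a failed signature check. Whether such a caller exists is not visible in this diff. At minimum the comment should state the intent, e.g. `// RFC 5758: parameters MUST be absent for ecdsa-with-SHA2; any stored params are intentionally not encoded`. The method's closing brace lies below the hunk.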
@@ -314,6 +329,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
         if (name.equals("SHA1withEC") || name.equals("SHA1/EC")
                 || name.equals("1.2.840.10045.4.1"))
             return AlgorithmId.sha1WithEC_oid;
+        if (name.equals("SHA224withEC") || name.equals("SHA224/EC")
+                || name.equals("1.2.840.10045.4.3.1"))
+            return AlgorithmId.sha224WithEC_oid;
         if (name.equals("SHA256withEC") || name.equals("SHA256/EC")
                 || name.equals("1.2.840.10045.4.3.2"))
             return AlgorithmId.sha256WithEC_oid;
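Review bot: The added `SHA224withEC` lookup makes the name resolvable for every caller of this method, but the commit description says SHA-224 is recognised for completeness only and is not meant to be offered for signing. Nothing in the hunk records that restriction. A one-line comment above the new `if`, such as `// recognised for decoding only; not offered as a signing algorithm`, would keep a later change from treating it as a supported signing choice. Whether the reverse OID-to-name direction also knows this OID cannot be told from the visible hunks. The enclosing method begins and ends outside the hunk.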
@@ -646,6 +664,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
      */
     private static final int sha1WithEC_data[] =
                                    { 1, 2, 840, 10045, 4, 1 };
+    private static final int sha224WithEC_data[] =
+                                   { 1, 2, 840, 10045, 4, 3, 1 };
     private static final int sha256WithEC_data[] =
                                    { 1, 2, 840, 10045, 4, 3, 2 };
     private static final int sha384WithEC_data[] =
@@ -676,6 +696,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
     public static final ObjectIdentifier sha1WithEC_oid = new
             ObjectIdentifier(sha1WithEC_data);
 
+    public static final ObjectIdentifier sha224WithEC_oid = new
+            ObjectIdentifier(sha224WithEC_data);
+
     public static final ObjectIdentifier sha256WithEC_oid = new
             ObjectIdentifier(sha256WithEC_data);