Hello Mikhail Loenko,

:-) I'm just wondering whether it's possible to change/improve BouncyCastle to meet our requirement.

Richard Liang
China Software Development Lab, IBM



Mikhail Loenko wrote:
How will it solve our problem with verifying signed jars?

Thanks,
Mikhail

On 2/13/06, Richard Liang <[EMAIL PROTECTED]> wrote:
That's a good idea :-)

Richard Liang
China Software Development Lab, IBM



Tim Ellison wrote:
Why not contribute directly to BouncyCastle?

Regards,
Tim

Mikhail Loenko wrote:

The sources would be good - we would be able to fix bugs quickly and replace
parts of implementation for example where our code is faster.

Thanks,
Mikhail

On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:

Heh.  Everything we will do is legal :)

The point is - would taking some source from BC be the smart thing to do
- would it be complete, and what kind of maintenance burden would this
be going forward?  Would some kind of re-packaged artifact from the BC
project itself be better?

Do we need source?  Could we have a step where we re-package BC code in
a form more suited for our purposes?

geir

Mikhail Loenko wrote:

We can if it is legal

Thanks,
Mikhail

On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:

So I'll ask the obvious - can we borrow some of this from BC?

Stepan Mishura wrote:

We should have at least the following to verify the BC provider:
1) Message digest algorithm: SHA-1
2) Signature algorithm: SHA1withDSA

Other jars may require additional algorithms, for example, SHA1withRSA. We
can verify BC provider first and use it for further jar verifications.

Thanks,
Stepan Mishura
Intel Middleware Products Division



On 2/10/06, George Harley <[EMAIL PROTECTED]> wrote:

Hi Tim,

In order to verify the signature of those signed provider jars I believe
that you would also need trusted implementations of :

* SHA-1 and MD5 digest algorithms
* DSA and RSA signature algorithms


Best regards,
George
IBM UK


Tim Ellison wrote:

Stepan Mishura wrote:
<snip>


Returning back to the 'missing post'. I agreed with suggestion but currently
we don't have Harmony provider so we should define how we locate 'trusted
providers' to be secure.


We just need a trusted SHA1PRNG, right? then we can open signed
providers' jars and get any others.

Regards,
Tim


