stackoom
  简体   繁体   中英

Wrong vertificate signature algorithm in X509Certificate for SHA256withDSA using Java

 原文  2015-06-10 06:24:17       java/ ssl/ certificate/ x509certificate

Question

I am having certificate with key type DSA, bit length 1024, Signature algorithm SHA256:

I am converting it to X509Certificate in java. When I am trying to get signature algorithm from X509Certificate I am getting something like 2.16.840.1.101.3.4.3.2.

CertificateFactory factory=CertificateFactory.getInstance("X.509");
X509Certificate cert=(X509Certificate) factory.generateCertificate(inputStream);
    System.out.println(cert.getSigAlgName());

Above method working for all other type (getting name correctly as SHA256withRSA ). Not working for SHA256withDSA (getting 2.16.840.1.101.3.4.3.2 Expecting SHA256withDSA ). How can I get correct signature algorithm from certificate? Is there any other way to do it?

2 answers

solution1
 0  2018-10-08 13:15:31

According X.509 specification Section 4.1.2.3

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate.

This field MUST contain the same algorithm identifier as the signatureAlgorithm field in the sequence Certificate (Section 4.1.1.2). The contents of the optional parameters field will vary according to the algorithm identified. [RFC3279], [RFC4055], and [RFC4491] list supported signature algorithms, but other signature algorithms MAY also be supported.

It's means X509Certificate#getSigAlgName returned algorithm used by the CA to sign the certificate, not algorithm used by end user (from current certificate) to sign data/document .

If you need take end-user algorithm, you must using another way.

Eventually you can use one certificate for differents compatible signature algorithms. Example: RSA certificate for SHA1withRSA and SHA256withRSA

solution2
 -1  2015-06-10 08:48:28

Here is the code I tried in Eclipse:

     InputStream inStream = null;
     try {
         inStream = new FileInputStream("<cert-file-name-with-path>");
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
         System.out.println("##"+cert.getSigAlgName()+"##"+cert.getSigAlgOID()+"##"+cert.getType());
     } finally {
         if (inStream != null) {
             inStream.close();
         }
     }

Output:

SHA256withDSA##2.16.840.1.101.3.4.3.2##X.509

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Android Studio 2.0 - NoSuchAlgorithmException: SHA256WITHDSA Signature not available SHA256 fingerprint from X509Certificate Generating X509Certificate with BouncyCastle with Java Generate x509certificate certpath in JAVA Java: Get X509Certificate Issuers Java X509Certificate issuer validation Unable to Load an X509Certificate into an XML Digital Signature Bouncy Castle Getting content from signature and X509Certificate How to extract the digest algorithm from a X509Certificate Create X509Certificate from PKCS7 PEM formatted certificate using BouncyCastle in Java
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM