About signature algorithm and provider name in SignedObject spec


Weijun Wang
The class spec of SignedObject.java [1] contains:

* <pre>{@code
* Signature signingEngine = Signature.getInstance(algorithm,
*                                                 provider);
* SignedObject so = new SignedObject(myobject, signingKey,
*                                    signingEngine);
* }</pre>
...
* <p> The signature algorithm can be, among others, the NIST standard
* DSA, using DSA and SHA-256.  The algorithm is specified using the
* same convention as that for signatures. The DSA algorithm using the
* SHA-256 message digest algorithm can be specified, for example, as
* "SHA256withDSA".  In the case of
* RSA or EC the signing algorithm could be specified as, for example,
* "SHA256withRSA" or "SHA256withECDSA".  The algorithm name must be
* specified, as there is no default.
*
* <p> The name of the Cryptography Package Provider is designated
* also by the Signature parameter to the constructor and the
* {@code verify} method.  If the provider is not
* specified, the default provider is used.  Each installation can
* be configured to use a particular provider as default.

While the signature algorithm and provider name can be interpreted as those used in the example, I think there is no need to describe them in so much detail in the class spec. The class contains no API that needs the signature algorithm or a provider name. All that is needed is just a Signature object.

getAlgorithm() returns the algorithm but it's not input.

I suggest removing the last 2 paragraphs above, and IMO no CSR is needed.

Thanks
Max

[1] https://docs.oracle.com/javase/9/docs/api/java/security/SignedObject.html

Re: About signature algorithm and provider name in SignedObject spec

Sean Mullan
On 1/10/18 11:44 PM, Weijun Wang wrote:

> The class spec of SignedObject.java [1] contains:
>
> * <pre>{@code
> * Signature signingEngine = Signature.getInstance(algorithm,
> *                                                 provider);
> * SignedObject so = new SignedObject(myobject, signingKey,
> *                                    signingEngine);
> * }</pre>
> ...
> * <p> The signature algorithm can be, among others, the NIST standard
> * DSA, using DSA and SHA-256.  The algorithm is specified using the
> * same convention as that for signatures. The DSA algorithm using the
> * SHA-256 message digest algorithm can be specified, for example, as
> * "SHA256withDSA".  In the case of
> * RSA or EC the signing algorithm could be specified as, for example,
> * "SHA256withRSA" or "SHA256withECDSA".  The algorithm name must be
> * specified, as there is no default.
> *
> * <p> The name of the Cryptography Package Provider is designated
> * also by the Signature parameter to the constructor and the
> * {@code verify} method.  If the provider is not
> * specified, the default provider is used.  Each installation can
> * be configured to use a particular provider as default.
>
> While the signature algorithm and provider name can be interpreted as those used in the example, I think there is no need to describe them in so much detail in the class spec. The class contains no API that needs the signature algorithm or a provider name. All that is needed is just a Signature object.
>
> getAlgorithm() returns the algorithm but it's not input.
>
> I suggest removing the last 2 paragraphs above, and IMO no CSR is needed.

Sounds good. I agree no CSR is needed.

--Sean
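
The point discussed in this thread, as an added example that is not part of either message or of the JDK sources: the algorithm (and optionally the provider) is chosen on the `Signature` engine, `SignedObject` takes only the object, key and engine, and `getAlgorithm()` is output only. The class name, key pair and payload are constructed for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;

public class SignedObjectEngineDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample key pair and payload (assumptions, not from the thread).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        String payload = "constructed sample payload";

        // The algorithm is selected here, on the Signature engine. A provider
        // could be selected with the two-argument getInstance overload instead.
        Signature signingEngine = Signature.getInstance("SHA256withECDSA");

        // SignedObject accepts only the object, the private key and the engine;
        // it has no parameter for an algorithm name or a provider name.
        SignedObject so = new SignedObject(payload, kp.getPrivate(), signingEngine);

        // getAlgorithm() reports the name the signing engine carried.
        System.out.println("recorded algorithm: " + so.getAlgorithm());

        // The verifier supplies its own engine, so the algorithm it accepts
        // is pinned by the verifying code, not by the received object.
        Signature verificationEngine = Signature.getInstance("SHA256withECDSA");
        boolean ok = so.verify(kp.getPublic(), verificationEngine);
        System.out.println("verifies with matching engine: " + ok);

        // An engine for a different algorithm does not validate the signature.
        Signature otherEngine = Signature.getInstance("SHA384withECDSA");
        boolean mismatch = so.verify(kp.getPublic(), otherEngine);
        System.out.println("verifies with SHA384withECDSA engine: " + mismatch);

        // Read the payload only after verification has succeeded.
        if (ok) {
            System.out.println("payload: " + so.getObject());
        }
    }
}
```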