ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0
250 stars, 107 forks

Make sure digest algorithm identifier includes parameters to align with signtool #140

Closed netmackan closed 1 year ago

netmackan commented 1 year ago

Solves the difference in signature output as discussed in #139 by making sure that the digest algorithm identifier contains the parameters and if not includes a DER NULL. With this change the ASN.1 of a signature created with signtool is identical to what was produced by Jsign.

Note that this implementation still uses the DefaultDigestAlgorithmIdentifierFinder in order to support existing and future algorithms with other parameters (today I believe only Ed448 would have a digest algorithm with parameters, but there may be others). The method is marked protected so that it can be overridden in case it turns out some special case would need some other logic.

ebourg commented 1 year ago

Thank you, but it looks like it breaks one of the unit tests:

PESignerTest.testWithSignatureAlgorithmSHA256withRSAandMGF1:542 Digest algorithm expected:<2.16.840.1.101.3.4.2.1> but was:<1.3.14.3.2.26>

coveralls commented 1 year ago

Coverage increased (+0.03%) to 81.642% when pulling b3e65e408196d208fc5f1bac8fb80e1e9a2fcbdb on netmackan:fb-SHA2-DigestAlgorithmIdentifier-withNull-2 into ab06acebdb9f0bb38b347a3a7b6350d61bf70cbd on ebourg:master.

netmackan commented 1 year ago

I have pushed an update to the PR. I made a mix-up with which digest algorithm to look at. Before it used the configured digestAlgorithm while it should actually use the digest algorithm from the ContentSigner (i.e. being the digest algorithm from the signature algorithm).

ebourg commented 1 year ago

Merged, thank you!
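
The encoding difference this PR addresses, shown at the byte level as an added example (not Jsign's code and not the BouncyCastle API): a DER AlgorithmIdentifier with absent parameters versus one carrying an explicit NULL, using the two OIDs from the failing test output above. The function names are made up for this sketch, and only short-form DER lengths are handled.

```python
DER_NULL = b"\x05\x00"  # ASN.1 NULL: tag 0x05, length 0
SHA256 = "2.16.840.1.101.3.4.2.1"  # OIDs quoted in the thread's test output
SHA1 = "1.3.14.3.2.26"

def _tlv(tag, body):
    # Short-form length only: an AlgorithmIdentifier is far below 128 bytes.
    if len(body) >= 0x80:
        raise ValueError("long-form DER length not handled in this example")
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, least significant group first
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_alg_id(oid, params=None):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    return _tlv(0x30, encode_oid(oid) + (params or b""))

def parse_alg_id(der):
    if der[0] != 0x30 or der[1] != len(der) - 2 or der[2] != 0x06:
        raise ValueError("not a short-form AlgorithmIdentifier")
    end = 4 + der[3]
    return decode_oid(der[4:end]), (der[end:] or None)

def ensure_params(der):
    # Absent parameters become an explicit NULL; existing parameters are kept.
    oid, params = parse_alg_id(der)
    return der if params is not None else encode_alg_id(oid, DER_NULL)

if __name__ == "__main__":
    bare = encode_alg_id(SHA256)
    print(bare.hex(), "->", ensure_params(bare).hex())
```

The two encodings name the same algorithm but differ by two bytes, which is enough to make an otherwise equivalent signature structure fail a byte-for-byte comparison.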