0

Is anyone also having trouble with the W3C RSA-SHA256 algorithm to sign XML? I'm using it to do an XML Digital Signature but I'm not able to use it since the page has been moved, see: https://www.w3.org/2001/04/xmldsig-more#rsa-sha256

I'm forced to use the RSA-SHA1, which I don't want to use because it's stated as deprecated for my purpose and I cannot validate the crate securely with the SHA1.

Any solution on how to use the SHA256?

Thanks

I'm using it like this:

```java
SignedInfo si = fac.newSignedInfo(
    fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null),
    fac.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#rsa-sha256", null),
    references);
```

And I get the error `java.security.NoSuchAlgorithmException: unsupported algorithm`.

I used different sources such as Oracle doc or https://learn.microsoft.com/en-us/windows/win32/seccrypto/xml-digital-signature-cryptographic-algorithms and as you can see in the last one, many of them are unusable!

Daftus
  • yes, `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` appears to be [the right string](http://www.docjar.com/html/api/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java.html), have you tried it? Apparently also available as a `RSA_SHA256` named constant. – teapot418 Apr 04 '23 at 13:17
  • Thank you so much! I used `SignatureMethod.RSA_SHA256` and apparently it worked. I always thought I had to put an actual URI as algorithm, thank you – Daftus Apr 04 '23 at 13:38
  • Great, let's make that into an answer then. – teapot418 Apr 04 '23 at 13:45

1 Answer

0

Looking at the source code at http://www.docjar.com/html/api/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java.html

the 2001 string is correct, `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`, instead of your 2000 one.

Or you can use the `SignatureMethod.RSA_SHA256` constant, which should resolve to the same thing.

teapot418