
Commit 327f0dc

committed
JCE: skip SHA1withECDSA registration for FIPS 186-5 (v7+)
FIPS 186-5 no longer allows SHA-1 for ECDSA signatures. Only register SHA1withECDSA when not using FIPS or when using FIPS versions prior to v7 which follow FIPS 186-4.
1 parent f69945b commit 327f0dc

1 file changed

Lines changed: 9 additions & 2 deletions


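--- a/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
+++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
@@ -198,9 +198,16 @@ private void registerServices() {
 if (FeatureDetect.ShaEnabled()) {
 put("Signature.SHA1withRSA",
 "com.wolfssl.provider.jce.WolfCryptSignature$wcSHA1wRSA");
-put("Signature.SHA1withECDSA",
+
+/* FIPS 186-5 (wolfCrypt FIPS v7+) no longer allows SHA-1 for
+* ECDSA signatures. Only register SHA1withECDSA when not using
+* FIPS, or when using FIPS versions prior to v7 which follow
+* FIPS 186-4. */
+if (!Fips.enabled || Fips.fipsVersion < 7) {
+put("Signature.SHA1withECDSA",
 "com.wolfssl.provider.jce.WolfCryptSignature$wcSHA1wECDSA");
-put("Alg.Alias.Signature.1.2.840.10045.4.1", "SHA1withECDSA");
+put("Alg.Alias.Signature.1.2.840.10045.4.1", "SHA1withECDSA");
+}
 }
 if (FeatureDetect.Sha224Enabled()) {
 put("Signature.SHA224withRSA",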
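Review bot: Leaving `Signature.SHA1withECDSA` and its OID alias `1.2.840.10045.4.1` unregistered on FIPS v7+ only stops this provider from serving the algorithm; under standard JCA lookup, a `Signature.getInstance("SHA1withECDSA")` call that names no provider falls through to the next installed provider offering it, so SHA-1 ECDSA may still run outside the validated module. I would extend the new comment to say so, e.g. `/* Not registering here does not block SHA1withECDSA JVM-wide; other installed providers may still serve it. */`. The `SHA1withRSA` entry just above stays registered for the same FIPS versions, so it is worth confirming that this is intended for v7+. The literal `7` in `Fips.fipsVersion < 7` would read better as a named constant. `registerServices()` starts and ends outside the hunk.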
