Wrong vertificate signature algorithm in X509Certificate for SHA256withDSA using Java

2.1k views Asked by At

I am having certificate with key type DSA, bit length 1024, Signature algorithm SHA256:

I am converting it to X509Certificate in java. When I am trying to get signature algorithm from X509Certificate I am getting something like 2.16.840.1.101.3.4.3.2.

CertificateFactory factory=CertificateFactory.getInstance("X.509");
X509Certificate cert=(X509Certificate) factory.generateCertificate(inputStream);
    System.out.println(cert.getSigAlgName());

Above method working for all other type (getting name correctly as SHA256withRSA). Not working for SHA256withDSA (getting 2.16.840.1.101.3.4.3.2 Expecting SHA256withDSA). How can I get correct signature algorithm from certificate? Is there any other way to do it?

2

There are 2 answers

3
Chaitanya P On

Here is the code I tried in Eclipse:

     InputStream inStream = null;
     try {
         inStream = new FileInputStream("<cert-file-name-with-path>");
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
         System.out.println("##"+cert.getSigAlgName()+"##"+cert.getSigAlgOID()+"##"+cert.getType());
     } finally {
         if (inStream != null) {
             inStream.close();
         }
     }

Output:

SHA256withDSA##2.16.840.1.101.3.4.3.2##X.509

0
Темка тоже On

According X.509 specification Section 4.1.2.3

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate.

This field MUST contain the same algorithm identifier as the signatureAlgorithm field in the sequence Certificate (Section 4.1.1.2). The contents of the optional parameters field will vary according to the algorithm identified. [RFC3279], [RFC4055], and [RFC4491] list supported signature algorithms, but other signature algorithms MAY also be supported.

It's means X509Certificate#getSigAlgName returned algorithm used by the CA to sign the certificate, not algorithm used by end user (from current certificate) to sign data/document.

If you need take end-user algorithm, you must using another way.

Eventually you can use one certificate for differents compatible signature algorithms. Example: RSA certificate for SHA1withRSA and SHA256withRSA