<div dir="ltr"><br><div class="gmail_extra">I think it belongs in </div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">diff --git a/lib/public_key/asn1/PKIX1Algorithms88.asn1 b/lib/public_key/asn1/PKIX1Algorithms88.asn1</div><div class="gmail_extra">index 6cc6745..13ac6fa 100644</div><div class="gmail_extra">--- a/lib/public_key/asn1/PKIX1Algorithms88.asn1</div><div class="gmail_extra">+++ b/lib/public_key/asn1/PKIX1Algorithms88.asn1</div><div class="gmail_extra">@@ -40,6 +40,12 @@</div><div class="gmail_extra">   }</div><div class="gmail_extra">    -- encoding for DSA signature generated with SHA-1 hash</div><div class="gmail_extra"> </div><div class="gmail_extra">+id-dsa-with-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)</div><div class="gmail_extra">++        country(16) us(840) organization(1) gov(101) csor(3)</div><div class="gmail_extra">++        nistalgorithm(4) sigalgs(3) 2 }</div><div class="gmail_extra">++</div><div class="gmail_extra">+   </div><div class="gmail_extra">+</div><div class="gmail_extra">    Dss-Sig-Value  ::=  SEQUENCE  {</div><div class="gmail_extra">       r       INTEGER,</div><div class="gmail_extra">       s       INTEGER  }</div><div><br></div></div><div class="gmail_extra">You are welcome to submit a PR.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Regards Ingela Erlang/OTP - Team Ericsson AB</div><div class="gmail_extra"><br><div class="gmail_quote">2018-05-15 18:12 GMT+02:00 Per Hedeland <span dir="ltr"><<a href="mailto:per@hedeland.org" target="_blank">per@hedeland.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 2018-05-15 15:08, Ingela Andin wrote:<br>
> Hi!<br>
> <br>
> I think that the oid is missing due to an oversight in adding it when crypto was updated to support it. For some reason (which I do not know)  early versions of crypto did only<br>
> support sha1 (sha) with dsa.<br>
<br>
</span>Afer further digging, I think it's just a matter of "evolution" - the<br>
'id-dsa-with-sha1' oid is defined in asn1/PKIX1Algorithms88.asn1, but<br>
'id-dsa-with-sha256' is a more recent thing, and neither defined there<br>
nor in any of the other modules i the asn1 directory, and I'm not sure<br>
it "belongs" in any of them.<br>
<br>
The definitions that can be found on the 'net agree on the numerical oid<br>
elements, but there are actually at least two variants on the<br>
(irrelevant here) naming of them - the one under "DSA with SHA-2 family"<br>
on<br>
<a href="https://csrc.nist.gov/Projects/Computer-Security-Objects-Register/Algorithm-Registration" rel="noreferrer" target="_blank">https://csrc.nist.gov/<wbr>Projects/Computer-Security-<wbr>Objects-Register/Algorithm-<wbr>Registration</a><br>
seems pretty authoritative to me:-), but it's not given as part of any<br>
ASN.1 module AFAIU. However<br>
<a href="https://www.itu.int/ITU-T/formal-language/itu-t/x/x509/2016/AlgorithmObjectIdentifiers.html" rel="noreferrer" target="_blank">https://www.itu.int/ITU-T/<wbr>formal-language/itu-t/x/x509/<wbr>2016/<wbr>AlgorithmObjectIdentifiers.<wbr>html</a><br>
seems to do that, with a module that also includes most but not all of<br>
the definitions that are handled by public_key:pkix_sign_types/1..<wbr>.<br>
<span class="gmail-"><br>
> The correct oid name should be in the generated include file included in public_key.hrl <br>
<br>
</span>Well it isn't, since it isn't defined in any of the modules in the asn1<br>
directory. But anyway, just dropping the definition from above into the<br>
one of them that seems to have most of the definitions handled by<br>
pkix_sign_types/1 makes for a slighly nicer diff (below).<br>
<span class="gmail-"><br>
> Without looking into this further, I suspect that  the passing of the suites, could be due to that the  actual sha function used is a result of the "hash_sign negotiation"  that depends on the<br>
> hash_sign hello extension.<br>
<br>
</span>I'm not worried by that:-), but I'd like to make the DHE-DSS suites<br>
work. I'll go with the below diff for now, but maybe OTP will fix it<br>
"properly" in some future version?<br>
<br>
--Per<br>
<br>
diff --git a/lib/public_key/asn1/PKCS-1.<wbr>asn1 b/lib/public_key/asn1/PKCS-1.<wbr>asn1<br>
index 117eacd..1df6719 100644<br>
--- a/lib/public_key/asn1/PKCS-1.<wbr>asn1<br>
+++ b/lib/public_key/asn1/PKCS-1.<wbr>asn1<br>
@@ -87,6 +87,12 @@ id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)<br>
         nistalgorithm(4) hashalgs(2) 3 }<br>
<br>
<br>
+-- This probably doesn't belong here, but...<br>
+id-dsa-with-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)<br>
+        country(16) us(840) organization(1) gov(101) csor(3)<br>
+        nistalgorithm(4) sigalgs(3) 2 }<br>
+<br>
+<br>
 RSAPublicKey ::= SEQUENCE {<br>
     modulus           INTEGER,  -- n<br>
     publicExponent    INTEGER   -- e<br>
diff --git a/lib/public_key/src/public_<wbr>key.erl b/lib/public_key/src/public_<wbr>key.erl<br>
index 0341266..75305cb 100644<br>
--- a/lib/public_key/src/public_<wbr>key.erl<br>
+++ b/lib/public_key/src/public_<wbr>key.erl<br>
@@ -498,6 +498,8 @@ pkix_sign_types(?'id-dsa-with-<wbr>sha1') -><br>
     {sha, dsa};<br>
 pkix_sign_types(?'id-<wbr>dsaWithSHA1') -><br>
     {sha, dsa};<br>
+pkix_sign_types(?'id-dsa-<wbr>with-sha256') -><br>
+    {sha256, dsa};<br>
 pkix_sign_types(?'ecdsa-with-<wbr>SHA1') -><br>
     {sha, ecdsa};<br>
 pkix_sign_types(?'ecdsa-with-<wbr>SHA256') -><br>
</blockquote></div><br></div></div>