Remove SHA1 default usage #3952

Open
wants to merge 2 commits into
base: 4.9.x
Expand Up @@ -18,6 +18,7 @@
package org.wso2.carbon.core.util;

import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.base.api.ServerConfigurationService;
import org.wso2.carbon.core.RegistryResources;
import org.wso2.carbon.core.internal.CarbonCoreDataHolder;
Expand All @@ -31,9 +32,11 @@

public class SignatureUtil {

private static final String THUMB_DIGEST_ALGORITHM = "SHA-1";
private static final String THUMB_DIGEST_ALGORITHM_SHA1 = "SHA-1";
private static final String THUMB_DIGEST_ALGORITHM_SHA256 = "SHA-256";
private static final String signatureAlgorithmSHA1 = "SHA1withRSA";
private static final String signatureAlgorithmSHA256 = "SHA256withRSA";

private static String signatureAlgorithm = "SHA1withRSA";
private static String provider;

private SignatureUtil() {
Expand All @@ -54,7 +57,14 @@ public static void init() throws Exception {
* @throws Exception
*/
public static byte[] getThumbPrintForAlias(String alias) throws Exception {
MessageDigest sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM);

MessageDigest sha;
if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA256);
} else {
sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA1);
}
sha.reset();
Certificate cert = getCertificate(alias);
sha.update(cert.getEncoded());
Expand All @@ -71,7 +81,14 @@ public static byte[] getThumbPrintForAlias(String alias) throws Exception {
* @throws Exception
*/
public static boolean validateSignature(byte[] thumb, String data, byte[] signature) throws Exception {
Signature signer = Signature.getInstance(signatureAlgorithm, provider);

Signature signer;
if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
signer = Signature.getInstance(signatureAlgorithmSHA256, provider);
} else {
signer = Signature.getInstance(signatureAlgorithmSHA1, provider);
}
signer.initVerify(getPublicKey(thumb));
signer.update(data.getBytes());
return signer.verify(signature);
Expand All @@ -86,7 +103,14 @@ public static boolean validateSignature(byte[] thumb, String data, byte[] signat
* @throws Exception
*/
public static boolean validateSignature(String data, byte[] signature) throws Exception {
Signature signer = Signature.getInstance(signatureAlgorithm, provider);

Signature signer;
if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
signer = Signature.getInstance(signatureAlgorithmSHA256, provider);
} else {
signer = Signature.getInstance(signatureAlgorithmSHA1, provider);
}
signer.initVerify(getDefaultPublicKey());
signer.update(data.getBytes());
return signer.verify(signature);
Expand All @@ -100,7 +124,14 @@ public static boolean validateSignature(String data, byte[] signature) throws Ex
* @throws Exception
*/
public static byte[] doSignature(String data) throws Exception {
Signature signer = Signature.getInstance(signatureAlgorithm, provider);

Signature signer;
if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
signer = Signature.getInstance(signatureAlgorithmSHA256, provider);
} else {
signer = Signature.getInstance(signatureAlgorithmSHA1, provider);
}
signer.initSign(getDefaultPrivateKey());
signer.update(data.getBytes());
return signer.sign();
Expand Down Expand Up @@ -134,7 +165,13 @@ private static PublicKey getPublicKey(byte[] thumb) throws Exception {
KeyStore keyStore = keyStoreMan.getPrimaryKeyStore();
PublicKey pubKey = null;
Certificate cert = null;
MessageDigest sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM);
MessageDigest sha;
if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA256);
} else {
sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA1);
}
sha.reset();
for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
String alias = e.nextElement();
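Review bot: Any value of `SignatureUtil.EnableSHA256Algo` other than `true`, including an absent element, makes `Boolean.parseBoolean` return false, so all five branches (getThumbPrintForAlias, both validateSignature overloads, doSignature and getPublicKey) still select SHA-1; a deployment that keeps an older carbon.xml would stay on SHA-1 without any signal. The same lookup-and-branch is repeated five times, so I would move it into one private helper that treats an absent property as enabled and call it from each site. Thumbprints and signatures produced before the flag is switched will presumably stop matching afterwards, which deserves a sentence in the Javadoc or the migration notes. The getPublicKey hunk is cut off just after the alias loop begins, so the thumbprint comparison itself is not visible here.

```java
// Single decision point; an absent property selects SHA-256 rather than SHA-1.
private static boolean useSha256() {
    String configured = ServerConfiguration.getInstance().getFirstProperty(
            ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO);
    return configured == null || Boolean.parseBoolean(configured);
}

private static Signature newSignature() throws Exception {
    return Signature.getInstance(
            useSha256() ? signatureAlgorithmSHA256 : signatureAlgorithmSHA1, provider);
}

// … unchanged: initVerify / initSign, update and verify / sign in each caller …
```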
Expand Up @@ -22,7 +22,7 @@

public class CSRFConstants {
public static final String CSRF_TOKEN = "csrftoken";
public static final String CSRF_TOKEN_PRNG = "SHA1PRNG";
public static final String CSRF_TOKEN_PRNG = "DRBG";

public static final String METHOD_POST = "POST";

Expand Up @@ -104,7 +104,7 @@ public class JDBCUserStoreManager extends AbstractUserStoreManager {
private static final String SQL_FILTER_CHAR_ESCAPE = "\\";
public static final String QUERY_BINDING_SYMBOL = "?";
private static final String CASE_INSENSITIVE_USERNAME = "CaseInsensitiveUsername";
private static final String SHA_1_PRNG = "SHA1PRNG";
private static final String RANDOM_ALG_DRBG = "DRBG";

protected DataSource jdbcds = null;
protected Random random = new Random();
Expand Down Expand Up @@ -2654,13 +2654,13 @@ public Date doGetPasswordExpirationTime(String userName) throws UserStoreExcepti
private String generateSaltValue() {
String saltValue = null;
try {
SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG);
SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG);
byte[] bytes = new byte[16];
//secureRandom is automatically seeded by calling nextBytes
secureRandom.nextBytes(bytes);
saltValue = Base64.encode(bytes);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("SHA1PRNG algorithm could not be found.");
throw new RuntimeException("DRBG algorithm could not be found.");
}
return saltValue;
}
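Review bot: The catch block in generateSaltValue drops the caught NoSuchAlgorithmException, so a runtime without a `DRBG` SecureRandom fails with a message and no cause; pass it on with `throw new RuntimeException("DRBG algorithm could not be found.", e);`. `DRBG` was added to the JDK in Java 9, so this path is reachable if the 4.9.x branch is still run on Java 8 or with a provider list that lacks it, which is worth confirming against the supported runtimes. The same replacement and the same catch appear in the UniqueIDJDBCUserStoreManager and SystemUserRoleManager sections, and the algorithm name is also used by CSRFConstants, the password generator and the CSRFGuard properties.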
Expand Up @@ -90,7 +90,7 @@ public class UniqueIDJDBCUserStoreManager extends JDBCUserStoreManager {
private static final String QUERY_FILTER_STRING_ANY = "*";
private static final String SQL_FILTER_STRING_ANY = "%";
private static final String CASE_INSENSITIVE_USERNAME = "CaseInsensitiveUsername";
private static final String SHA_1_PRNG = "SHA1PRNG";
private static final String RANDOM_ALG_DRBG = "DRBG";
private static final String DB2 = "db2";
private static final String H2 = "h2";
private static final String MSSQL = "mssql";
Expand Down Expand Up @@ -2118,13 +2118,13 @@ private String generateSaltValue() {

String saltValue;
try {
SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG);
SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG);
byte[] bytes = new byte[16];
//secureRandom is automatically seeded by calling nextBytes
secureRandom.nextBytes(bytes);
saltValue = Base64.encode(bytes);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("SHA1PRNG algorithm could not be found.");
throw new RuntimeException("DRBG algorithm could not be found.");
}
return saltValue;
}
Expand Up @@ -52,7 +52,7 @@ public class SystemUserRoleManager {
private static Log log = LogFactory.getLog(SystemUserRoleManager.class);
int tenantId;
private DataSource dataSource;
private static final String SHA_1_PRNG = "SHA1PRNG";
private static final String RANDOM_ALG_DRBG = "DRBG";

public SystemUserRoleManager(DataSource dataSource, int tenantId) throws UserStoreException {
super();
Expand Down Expand Up @@ -373,13 +373,13 @@ public void addSystemUser(String userName, Object credential,

String saltValue = null;
try {
SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG);
SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG);
byte[] bytes = new byte[16];
//secureRandom is automatically seeded by calling nextBytes
secureRandom.nextBytes(bytes);
saltValue = Base64.encode(bytes);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("SHA1PRNG algorithm could not be found.");
throw new RuntimeException("DRBG algorithm could not be found.");
}

String password = this.preparePassword(credentialObj, saltValue);
Expand Up @@ -402,7 +402,7 @@ public static char[] getPolicyFriendlyRandomPasswordInChars(String username, int

try {
// the secure random
SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
SecureRandom prng = SecureRandom.getInstance("DRBG");
for (int i = 0; i < length; i++) {
password[i] = passwordChars.charAt(prng.nextInt(passwordFeed.length()));
}
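Review bot: The bound passed to `prng.nextInt` is `passwordFeed.length()` while the character is read from `passwordChars`; if the two strings can differ in length, the loop either never picks the tail of `passwordChars` or throws StringIndexOutOfBoundsException. Neither definition is visible in this hunk, so please confirm they have the same length or use `prng.nextInt(passwordChars.length())`. The literal `"DRBG"` is also inlined here, while the user-store classes in this pull request use a `RANDOM_ALG_DRBG` constant. The enclosing method and its catch block start and end outside the hunk.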
Expand Up @@ -161,7 +161,8 @@ public static class HTTPConstants {
public static final String BOUNCY_CASTLE_FIPS_PROVIDER_IDENTIFIER = "BCFIPS";
public static final String BOUNCY_CASTLE_FIPS_PROVIDER_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
public static final String JCE_PROVIDER_PARAMETER = "security.jce.provider";

public static final String SIGNATURE_UTIL_ENABLE_SHA256_ALGO = "SignatureUtil.EnableSHA256Algo";

public static class Axis2ParameterNames {
public static final String CONTEXT_ROOT = "contextRoot";
public static final String SERVICE_PATH = "servicePath";
5 changes: 5 additions & 0 deletions distribution/kernel/carbon-home/repository/conf/carbon.xml
Expand Up @@ -721,4 +721,9 @@
</ConfigSync>
</RemoteLogging>

<!-- Configure SignatureUtil algorithms -->
<SignatureUtil>
<EnableSHA256Algo>true</EnableSHA256Algo>
</SignatureUtil>

</Server>
Expand Up @@ -321,10 +321,10 @@ org.owasp.csrfguard.TokenLength=32
# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
# generator to SHA1PRNG:
# generator to DRBG:
#
# org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG=SHA1PRNG
# org.owasp.csrfguard.PRNG=DRBG
org.owasp.csrfguard.PRNG=DRBG

# Pseudo-random Number Generator Provider

Expand Up @@ -156,7 +156,7 @@
"admin_console.authenticator.mutual_ssl_authenticator.config.WhiteListEnabled": false,
"owasp.csrfguard.create_token_per_page": false,
"owasp.csrfguard.token_length": "32",
"owasp.csrfguard.random_number_generator_algo": "SHA1PRNG",
"owasp.csrfguard.random_number_generator_algo": "DRBG",
"owasp.csrfguard.js_servlet.x_request_with_header": "WSO2 CSRF Protection",
"tomcat.global.session_timeout": "30m",
"tomcat.management_console.session_timeout": "15m",
Expand Down Expand Up @@ -220,6 +220,8 @@
"versioning_configuration.enable_version_resources_on_change" : false,
"sts.callback_handler" : "org.wso2.carbon.identity.sts.common.identity.provider.AttributeCallbackHandler",
"tenant_mgt.enable_tenant_theme_mgt" : true,
"jce_provider.provider_name" : "BC",
"signature_util.enable_sha256_algo" : true,
"clustering.agent": "org.wso2.carbon.hazelcast.HazelcastClusteringAgent",
"remote_logging.config_sync.period": "15"
}
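Review bot: `"jce_provider.provider_name" : "BC"` is added as a default next to `signature_util.enable_sha256_algo`, and the pull-request title does not mention a provider change. SignatureUtil passes a `provider` string to `Signature.getInstance`, so if that field is fed from this key, the new default decides which provider must supply `SHA256withRSA`; how the key is consumed is not visible on this page. Please confirm the default is intended and that it does not change where `DRBG` is resolved for `owasp.csrfguard.random_number_generator_algo`.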
Expand Up @@ -831,6 +831,11 @@
<!-- Configure password validity period for initially set password -->
<DefaultPasswordValidityPeriod>{{password.default_validity_period}}</DefaultPasswordValidityPeriod>

<!-- Configure SignatureUtil algorithms -->
<SignatureUtil>
<EnableSHA256Algo>{{signature_util.enable_sha256_algo}}</EnableSHA256Algo>
</SignatureUtil>

<RemoteLogging>
<ConfigSync>
<Period>{{remote_logging.config_sync.period}}</Period>
Expand Up @@ -326,9 +326,9 @@ org.owasp.csrfguard.TokenLength={{owasp.csrfguard.token_length}}
# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
# generator to SHA1PRNG:
# generator to DRBG:
#
# org.owasp.csrfguard.PRNG=SHA1PRNG
# org.owasp.csrfguard.PRNG=DRBG
org.owasp.csrfguard.PRNG={{owasp.csrfguard.random_number_generator_algo}}

# Pseudo-random Number Generator Provider