appmattus / certificatetransparency

Certificate transparency for Android and JVM
Apache License 2.0

Use of sha1Hash in certificatetransparency library #94

Closed deepesh-vasthimal-cko closed 1 year ago

deepesh-vasthimal-cko commented 1 year ago

Hi Team

What is the use of this function in certificate transparency, which uses the SHA-1() function? Refer to [PublicKeyExt.kt line 31](https://github.com/appmattus/certificatetransparency/blob/1c604a3066c29aca957d05bfcba9796ba0a1e254/certificatetransparency/src/main/kotlin/com/appmattus/certificatetransparency/internal/utils/PublicKeyExt.kt#L24).

We believe it uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously thought-safe hash functions such as MD5. If this algorithm is used to hash passwords, consider using a strong computationally-hard algorithm such as PBKDF2 or encrypt instead of a plain hashing algorithm.

Can you please confirm and help me understand the purpose of the PublicKey.sha1Hash() and its usage?

Thanks, Deepesh

mattmook commented 1 year ago

This is dead code and I will remove it shortly.

mattmook commented 1 year ago

Fixed/removed in v2.5.0
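For readers landing on this issue from a scanner finding: the one place Certificate Transparency itself hashes a public key is the log ID, which RFC 6962 section 3.2 defines as the SHA-256 of the log's DER-encoded SubjectPublicKeyInfo. The following is an added example written for this page; it is not code from appmattus/certificatetransparency and says nothing about what the removed `sha1Hash()` did. It builds a constructed P-256 SubjectPublicKeyInfo (the sample point is made up and is not on the curve, which the hash does not care about), computes the RFC 6962 log ID, and computes a SHA-1 digest of the same bytes purely for comparison. Python is used so the example runs offline with only the standard library.

```python
"""Public-key fingerprints in Certificate Transparency (added example, not
library code). RFC 6962 section 3.2: LogID = SHA-256(DER SubjectPublicKeyInfo)."""

import hashlib
import hmac

# DER content bytes of the OIDs id-ecPublicKey (1.2.840.10045.2.1) and
# secp256r1 (1.2.840.10045.3.1.7).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
OID_P256 = bytes.fromhex("2a8648ce3d030107")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short form and long form lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def p256_spki(point: bytes) -> bytes:
    """DER SubjectPublicKeyInfo for an uncompressed SEC1 P-256 point (0x04||X||Y)."""
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed SEC1 point")
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OID (named curve) }
    algorithm = der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY) + der_tlv(0x06, OID_P256))
    # subjectPublicKey BIT STRING, leading 0x00 = zero unused bits
    subject_public_key = der_tlv(0x03, b"\x00" + point)
    return der_tlv(0x30, algorithm + subject_public_key)


def ct_log_id(spki_der: bytes) -> bytes:
    """RFC 6962 LogID: SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).digest()


def sha1_fingerprint(spki_der: bytes) -> bytes:
    """Same input through SHA-1, shown only for comparison with the scanner finding."""
    return hashlib.sha1(spki_der).digest()


def log_id_matches(spki_der: bytes, expected_log_id: bytes) -> bool:
    """Constant-time comparison of a computed log ID with an expected one."""
    return hmac.compare_digest(ct_log_id(spki_der), expected_log_id)


# Constructed sample: NOT a real key and not a valid curve point. A fingerprint
# hashes the encoding, so the digest functions never notice.
SAMPLE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
SAMPLE_SPKI = p256_spki(SAMPLE_POINT)

if __name__ == "__main__":
    print("SPKI DER :", SAMPLE_SPKI.hex())
    print("LogID    :", ct_log_id(SAMPLE_SPKI).hex())   # 32 bytes
    print("SHA-1    :", sha1_fingerprint(SAMPLE_SPKI).hex())  # 20 bytes
```

A digest over a public key is an identifier, so the property that matters is collision resistance, which SHA-1 has lost in practice; that is why scanners flag it and why CT specifies SHA-256 for the log ID. Password hashing is a different problem (a slow, salted function such as PBKDF2 defends against brute force of low-entropy secrets) and is not what a key fingerprint is for.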