Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
The default behavior of our products uses SHA1 which is no longer considered as secure. It needs to be updated to SHA256 or higher.
Please refer to the following extracts from the spec:
SHA1 - Digest Algorithm: "SHA-1 is the only digest algorithm defined in [XMLDSIG-CORE] and is mandatory to implement in that specification and in [XMLENC-CORE]. Use of SHA-1 is discouraged in [XMLDSIG-CORE1] and [XMLENC-CORE1] both of which mandate SHA-256 as mandatory to implement and offer a number of other optional SHA algorithms." [2]
RSA-SHA1 - Signature Algorithm: "Implementation of this algorithm is recommended in [[XMLDSIG-CORE2002](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE2002)] and [[XMLDSIG-CORE](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE)]. Use of this algorithm for signature generation is discouraged [[XMLDSIG-CORE1](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1)]." [3]
In addition, documentation updates need to be carried out with regards to the above update and on pages [4] and [5] in the following sentence we should at least recommend using SHA-256.
"If you just configure as SHA, It is considered as SHA-1, It is always better to configure algorithm with higher bit value as digest bit size would be increased."
Describe the issue:
The default behavior of our products uses SHA1 which is no longer considered as secure. It needs to be updated to SHA256 or higher.
Please refer to the following extracts from the spec:
SHA1 - Digest Algorithm: "SHA-1 is the only digest algorithm defined in [XMLDSIG-CORE] and is mandatory to implement in that specification and in [XMLENC-CORE]. Use of SHA-1 is discouraged in [XMLDSIG-CORE1] and [XMLENC-CORE1] both of which mandate SHA-256 as mandatory to implement and offer a number of other optional SHA algorithms."
[2]RSA-SHA1 - Signature Algorithm: "Implementation of this algorithm is recommended in [[XMLDSIG-CORE2002](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE2002)] and [[XMLDSIG-CORE](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE)]. Use of this algorithm for signature generation is discouraged [[XMLDSIG-CORE1](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1)]."
[3]In addition, documentation updates need to be carried out with regards to the above update and on pages [4] and [5] in the following sentence we should at least recommend using SHA-256.
"If you just configure as SHA, It is considered as SHA-1, It is always better to configure algorithm with higher bit value as digest bit size would be increased."
[1] https://is.docs.wso2.com/en/latest/guides/login/saml-app-config-advanced/#response-digest-algorithm
[2] https://www.w3.org/TR/xmlsec-algorithms/#sha
[3] https://www.w3.org/TR/xmlsec-algorithms/#RSA
[4] https://is.docs.wso2.com/en/latest/deploy/configure-a-read-write-ldap-user-store/#properties-used-in-read-write-ldap-userstore-manager
[5] https://is.docs.wso2.com/en/latest/deploy/configure-a-read-write-active-directory-user-store/#properties-used-in-read-write-active-directory-userstore-manager