wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Remove SHA1 default usage in product IS #15793

Closed Yoshani closed 1 year ago

Yoshani commented 1 year ago

Describe the issue:

The default behavior of our products uses SHA1, which is no longer considered secure. It needs to be updated to SHA256 or higher.


Please refer to the following extracts from the spec:

SHA1 - Digest Algorithm: "SHA-1 is the only digest algorithm defined in [XMLDSIG-CORE] and is mandatory to implement in that specification and in [XMLENC-CORE]. Use of SHA-1 is discouraged in [XMLDSIG-CORE1] and [XMLENC-CORE1] both of which mandate SHA-256 as mandatory to implement and offer a number of other optional SHA algorithms." [2]

RSA-SHA1 - Signature Algorithm: "Implementation of this algorithm is recommended in [[XMLDSIG-CORE2002](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE2002)] and [[XMLDSIG-CORE](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE)]. Use of this algorithm for signature generation is discouraged [[XMLDSIG-CORE1](https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1)]." [3]

In addition, documentation updates need to be carried out with regard to the above update, and on pages [4] and [5], in the following sentence, we should at least recommend using SHA-256.

"If you just configure as SHA, It is considered as SHA-1, It is always better to configure algorithm with higher bit value as digest bit size would be increased."

[1] https://is.docs.wso2.com/en/latest/guides/login/saml-app-config-advanced/#response-digest-algorithm

[2] https://www.w3.org/TR/xmlsec-algorithms/#sha

[3] https://www.w3.org/TR/xmlsec-algorithms/#RSA

[4] https://is.docs.wso2.com/en/latest/deploy/configure-a-read-write-ldap-user-store/#properties-used-in-read-write-ldap-userstore-manager

[5] https://is.docs.wso2.com/en/latest/deploy/configure-a-read-write-active-directory-user-store/#properties-used-in-read-write-active-directory-userstore-manager
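As an added example (not code from the issue or from the WSO2 code base), here is a small Python check that scans a SAML response's XML signature for the SHA-1 digest and signature algorithm identifiers discussed above and reports the SHA-256 identifiers that XMLDSIG-CORE1 mandates instead. The sample response is constructed, with placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# SHA-1 based algorithm identifiers from xmlsec-algorithms, mapped to the
# SHA-256 identifiers that XMLDSIG-CORE1 makes mandatory to implement.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}


def find_weak_algorithms(xml_text):
    """Return (element, weak_uri, recommended_uri) for every ds:SignatureMethod
    or ds:DigestMethod in the document that still uses a SHA-1 algorithm."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(f"{{{DS}}}{tag}"):
            alg = el.get("Algorithm", "")
            if alg in WEAK_ALGORITHMS:
                findings.append((tag, alg, WEAK_ALGORITHMS[alg]))
    return findings


# Constructed sample: the ds:Signature skeleton of a SAML response signed with
# the SHA-1 defaults this issue describes (digest and signature values are placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    for tag, weak, better in find_weak_algorithms(SAMPLE_RESPONSE):
        print(f"{tag}: {weak} is SHA-1 based; use {better}")
```

The same check can be pointed at IdP or SP metadata, since the signature element there uses the same ds:SignatureMethod and ds:DigestMethod structure.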

Yoshani commented 1 year ago

Related PRs

Migration Issue

Documentation