wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

[Migration] Update usages of SHA1 to SHA256 #15955

Closed Yoshani closed 7 months ago

Yoshani commented 1 year ago

Describe the issue: The usages of SHA1 in the product have been changed to SHA256. Following this improvement, the below migration impacts can be listed.

  1. SAML 2.0 Web SSO in Enterprise Identity Federation: Signature Algorithm and Digest Algorithm. Newly created SAML IdPs will have SHA256-based signing and digest algorithms listed by default.
  2. SAML 2.0 Web SSO Configuration in Inbound Authentication Configuration: Response Signing Algorithm and Response Digest Algorithm. Newly created SAML SPs will have SHA256-based signing and digest algorithms listed by default.
  3. IdentityUtil - usages in deprecated OpenId 2.0 implementations: getPPIDDisplayValue() method used for getting the PPID display value, getHMAC() for generating tokens, generateUUID() for generating cookies. To revert this behavior, use the following deployment.toml config.
    [identity_util]
    enable_sha256= false
  4. Certificate thumbprint generation with generateThumbPrint() method in IdentityApplicationManagementUtil.java
    [cert_thumbprint]
    enable_sha256=false
  5. Default values of Signature Algorithm and Digest Algorithm returned by SAML meta endpoint: https://localhost:9443/api/server/v1/applications/meta/inbound-protocols/saml will be changed.
  6. The default signing and digest algorithms of Passive STS response would change for all existing apps. The following config can be used to revert back to SHA1-based signing and digest algorithms in Passive STS response.
    [sts]
    signature_algorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    digest_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
  7. New SAML SPs created using an xml metadata file will have signing and digest algorithms set to SHA-256 algorithms. To revert this behaviour, use the following config.
    [saml]
    metadata.sp_enable_sha256= false
  8. Downloaded SAML IdP metadata will be signed with the new (hard-coded) algorithm. To revert this behaviour, use the following config.
    [saml]
    metadata.idp_enable_sha256= false
  9. Client secrets generated for newly created OIDC SPs will be generated using HMACSHA256 algorithm and will have longer lengths due to the algorithm change. To revert this behavior, use the following deployment.toml config.
    [oauth]
    enable_sha256= false
  10. Jwk ThumbPrint will be generated using SHA 256. To revert this behavior, use the following deployment.toml config.
    [oauth]
    jwk_thumbprint_enable_sha256= false
  11. The salt value for Session State Parameter in OIDC flow will be generated using DRBG Secure Random algorithm instead of SHA1PRNG.
  12. CSRF token will be generated using DRBG algorithm instead of SHA1PRNG.
  13. Password salts will be generated using DRBG algorithm instead of SHA1PRNG.
  14. Signing, validation and thumbprint generation in the context of auto-login cookies will be done using SHA256-based algorithms. To revert this behavior, use the following deployment.toml configuration.
    [signature_util]
    enable_sha256_algo= false
  15. User account association key in Associated Accounts API (https://is.docs.wso2.com/en/latest/apis/association-rest-api/) will be generated using HMAC SHA256. The new user account association key length will be longer (44) than the previous (28). To revert the above behavior, use the following deployment.toml config.
    [user_account_association]
    enable_sha256= false
  16. OTPs in SMS-OTP and Email-OTP will be generated using HMACSHA256, and the random number used as the secret value will be generated using DRBG algorithm.

Related PRs:

ZiyamSanthosh commented 9 months ago

In addition to the above-mentioned content, a usage of SHA1 was identified in the mutual SSL authenticator. SHA1 was being used to generate thumbprints for the client certificates in the mutual SSL authenticator. Now, it has been changed to SHA256 by default. The configuration below can be used to revert the new behaviour and use SHA1 as before.

[admin_console.authenticator.mutual_ssl_authenticator.config]
enableSHA256 = false

Related PRs:
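
The key length change in item 15 (28 to 44 characters) can be used to inventory which stored values predate the migration. This is an added example, not part of the issue thread or WSO2's code: it assumes keys are standard Base64 of the raw HMAC output (consistent with the 28 and 44 character lengths above), and the function names and sample identifiers are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Raw HMAC output size in bytes -> algorithm that produces it.
DIGEST_SIZES = {
    hashlib.sha1().digest_size: "HMAC-SHA1",      # 20 bytes -> 28 Base64 chars
    hashlib.sha256().digest_size: "HMAC-SHA256",  # 32 bytes -> 44 Base64 chars
}


def make_key(secret: bytes, message: bytes, digest: str) -> str:
    """Base64-encode an HMAC (assumed encoding of association keys)."""
    mac = hmac.new(secret, message, digest).digest()
    return base64.b64encode(mac).decode("ascii")


def classify_key(stored: str) -> str:
    """Infer the HMAC algorithm of a stored key from its decoded length."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    return DIGEST_SIZES.get(len(raw), "unknown")


def inventory(keys):
    """Count stored keys per algorithm so legacy SHA1 values can be tracked."""
    counts = {}
    for key in keys:
        label = classify_key(key)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample data: random secret and made-up user identifiers.
SECRET = os.urandom(32)
SAMPLE_KEYS = [
    make_key(SECRET, b"alice@carbon.super", "sha1"),
    make_key(SECRET, b"bob@carbon.super", "sha256"),
    make_key(SECRET, b"carol@carbon.super", "sha256"),
    "not a key!",
]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(f"{len(k):>3} chars  {classify_key(k):<12} {k}")
    print(inventory(SAMPLE_KEYS))
```

Any consumer that validates or stores these keys in a fixed-width column sized for 28 characters will need widening before the SHA256 default is left enabled.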