On Fri, 9 Apr 2021 17:23:05 GMT, Sean Mullan <[email protected]> wrote:
>> src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/SignatureBaseRSA.java
>> line 588:
>>
>>> 586:
>>> 587: public enum DigestAlgorithm {
>>> 588: // SHA1("SHA-1", DigestMethod.SHA1, 20),
>>
>> Do we want to support "SHA-1"? It's considered weak and not the default but
>> the RFC has not disabled it. Since we already have secure validation on by
>> default, it does seem to be a security issue.
>>
>> The "RSASSA-PSS without Parameters" section at
>> https://tools.ietf.org/html/rfc6931#section-2.3.10 also lists SHA-224 and
>> SHA3-**. We should probably support them as well, or at least make sure we
>> support the same algorithms in "without Parameters" and "with Parameters".
>
> I'm ok with not supporting SHA-1, although adding it would not be a security
> issue. It is blocked by default now, but it can be re-enabled, and SHA-1 in
> general is still available in the JDK.
>
> I'm fine with adding support for SHA-224 and SHA-3 as part of this issue. You
> can add support for all the algorithms that we have the underlying crypto
> support for.

Not sure if I got it. Are you OK with adding SHA-1? It must be listed here to
be supported.

-------------
PR: https://git.openjdk.java.net/jdk/pull/3181