- Bug
- Resolution: Done
- Critical
- 1.1.0.CR2
- None
Only MD5 and SHA-1 hash algorithms are valid in OneTimePasswordImpl.
/subsystem=elytron/filesystem-realm=a:read-operation-description(name=set-password)
"otp" => {
    "type" => OBJECT,
    "description" => "A one-time password, used by the OTP SASL mechanism.",
    "expressions-allowed" => false,
    "required" => false,
    "nillable" => true,
    "value-type" => {
        "algorithm" => {
            "type" => STRING,
            "description" => "The algorithm used to encrypt the password.",
            "expressions-allowed" => false,
            "required" => false,
            "nillable" => true,
            "default" => "otp-sha1",
            "allowed" => [
                "otp-md5",
                "otp-sha1"
            ]
        },
        "hash" => {
            "type" => STRING,
            "description" => "The hash represented by this password.",
            "expressions-allowed" => true,
            "required" => true,
            "nillable" => false,
            "min-length" => 1L,
            "max-length" => 2147483647L
        },
        "seed" => {
            "type" => STRING,
            "description" => "The seed used to generate the hash.",
            "expressions-allowed" => true,
            "required" => true,
            "nillable" => false,
            "min-length" => 1L,
            "max-length" => 2147483647L
        },
        "sequence" => {
            "type" => INT,
            "description" => "The sequence number used to generate the hash.",
            "expressions-allowed" => true,
            "required" => true,
            "nillable" => false
        }
    }
}
Extend the list to more secure hash algorithms, e.g. digest-sha-256 or digest-sha-512?
For example, MD5 is not allowed in FIPS mode [1]. Although SHA-1 is, it is generally no longer considered secure.
[1] http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
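To show what the two `allowed` values actually select, here is an added Python example (not WildFly Elytron's code) of the RFC 2289 one-time-password computation for `otp-md5` and `otp-sha1`, the server-side verify-and-advance step that consumes the stored `hash`/`sequence`, and a policy check of the kind this report asks for. The `fips_mode` flag, the `FIPS_APPROVED` table and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# RFC 2289 (S/KEY-style OTP) for the two algorithms the realm currently allows.
# Added example, not WildFly Elytron code; names below are assumptions.
HASH = {"otp-md5": hashlib.md5, "otp-sha1": hashlib.sha1}

# FIPS 140-2 Annex A does not approve MD5; SHA-1 is approved there but is
# deprecated in practice (assumed policy table for this example).
FIPS_APPROVED = {"otp-sha1"}


def check_algorithm_policy(algorithm, fips_mode):
    """Return True if `algorithm` may be configured under the given policy."""
    if algorithm not in HASH:
        return False
    return algorithm in FIPS_APPROVED if fips_mode else True


def _fold(algorithm, digest):
    """Fold a raw digest to the 64-bit OTP value as RFC 2289 specifies."""
    if algorithm == "otp-md5":
        # MD5: XOR the two 8-byte halves of the 16-byte digest.
        return bytes(digest[i] ^ digest[i + 8] for i in range(8))
    # SHA-1: treat the 20-byte digest as five big-endian 32-bit words,
    # fold to w0^w2^w4 and w1^w3, then emit each word little-endian.
    w = [int.from_bytes(digest[i:i + 4], "big") for i in range(0, 20, 4)]
    return ((w[0] ^ w[2] ^ w[4]).to_bytes(4, "little")
            + (w[1] ^ w[3]).to_bytes(4, "little"))


def otp(algorithm, passphrase, seed, sequence):
    """OTP at `sequence`: the seed is lowercased (case-insensitive per RFC),
    sequence 0 is the initial step alone, each further step re-hashes 8 bytes."""
    h = HASH[algorithm]
    x = _fold(algorithm, h((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(sequence):
        x = _fold(algorithm, h(x).digest())
    return x


def verify_and_advance(algorithm, stored_hash, stored_sequence, submitted):
    """Server side: the realm stores the OTP at `stored_sequence`; the client
    submits the OTP at `stored_sequence - 1`. One more hash step must reproduce
    the stored value; on success the stored pair moves one step down the chain.
    Returns the new (hash, sequence) pair, or None if verification fails."""
    candidate = _fold(algorithm, HASH[algorithm](submitted).digest())
    if hmac.compare_digest(candidate, stored_hash):
        return submitted, stored_sequence - 1
    return None
```

The `otp` values for passphrase "This is a test." and seed "TeSt" reproduce the RFC 2289 Appendix C test vectors, so the example can be checked against the published ones.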
- clones: JBEAP-12113 OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms (Closed)