Details
-
Enhancement
-
Resolution: Unresolved
-
Major
-
4.7.0.Final
-
None
-
Undefined
Description
Looked at the MessageBodyReader/Writer or other components which uses SHA1 , deprecate or upgrade to use other algorithm. Currently there are couple of Resteasy classes import SHA1 :
./security/jose-jwt/src/main/java/org/jboss/resteasy/jose/jwe/crypto/DirectEncrypter.java: randomGen = SecureRandom.getInstance("SHA1PRNG"); ./security/resteasy-crypto/src/main/java/org/jboss/resteasy/security/SigningAlgorithm.java: public static SigningAlgorithm SHA1withRSA = new SigningAlgorithm("rsa-sha1", "SHA1withRSA", "sha-1"); ./security/resteasy-crypto/src/main/java/org/jboss/resteasy/security/smime/MultipartSignedWriter.java: SignerInfoGenerator signer = new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA1WITHRSA", out.getPrivateKey(), out.getCertificate()); ./security/resteasy-crypto/src/main/java/org/jboss/resteasy/security/smime/PKCS7SignatureWriter.java: ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(out.getPrivateKey());