From e19e482c10e4c8cf137ab81c218a29d067ec8b6a Mon Sep 17 00:00:00 2001 From: Yoshani Date: Tue, 16 May 2023 16:32:03 +0530 Subject: [PATCH 1/2] change sha1 to sha256 --- .../wso2/carbon/core/util/SignatureUtil.java | 51 ++++++++++++++++--- .../wso2/carbon/utils/ServerConstants.java | 3 +- .../carbon-home/repository/conf/carbon.xml | 5 ++ .../repository/resources/conf/default.json | 2 + .../templates/repository/conf/carbon.xml.j2 | 5 ++ 5 files changed, 58 insertions(+), 8 deletions(-) diff --git a/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/util/SignatureUtil.java b/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/util/SignatureUtil.java index d06e7c62db4..dd1108c3314 100644 --- a/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/util/SignatureUtil.java +++ b/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/util/SignatureUtil.java @@ -18,6 +18,7 @@ package org.wso2.carbon.core.util; import org.wso2.carbon.base.MultitenantConstants; +import org.wso2.carbon.base.ServerConfiguration; import org.wso2.carbon.base.api.ServerConfigurationService; import org.wso2.carbon.core.RegistryResources; import org.wso2.carbon.core.internal.CarbonCoreDataHolder; @@ -31,9 +32,11 @@ public class SignatureUtil { - private static final String THUMB_DIGEST_ALGORITHM = "SHA-1"; + private static final String THUMB_DIGEST_ALGORITHM_SHA1 = "SHA-1"; + private static final String THUMB_DIGEST_ALGORITHM_SHA256 = "SHA-256"; + private static final String signatureAlgorithmSHA1 = "SHA1withRSA"; + private static final String signatureAlgorithmSHA256 = "SHA256withRSA"; - private static String signatureAlgorithm = "SHA1withRSA"; private static String provider; private SignatureUtil() { @@ -54,7 +57,14 @@ public static void init() throws Exception { * @throws Exception */ public static byte[] getThumbPrintForAlias(String alias) throws Exception { - MessageDigest sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM); + + MessageDigest sha; + if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty( + ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) { + sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA256); + } else { + sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA1); + } sha.reset(); Certificate cert = getCertificate(alias); sha.update(cert.getEncoded()); @@ -71,7 +81,14 @@ public static byte[] getThumbPrintForAlias(String alias) throws Exception { * @throws Exception */ public static boolean validateSignature(byte[] thumb, String data, byte[] signature) throws Exception { - Signature signer = Signature.getInstance(signatureAlgorithm, provider); + + Signature signer; + if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty( + ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) { + signer = Signature.getInstance(signatureAlgorithmSHA256, provider); + } else { + signer = Signature.getInstance(signatureAlgorithmSHA1, provider); + } signer.initVerify(getPublicKey(thumb)); signer.update(data.getBytes()); return signer.verify(signature); @@ -86,7 +103,14 @@ public static boolean validateSignature(byte[] thumb, String data, byte[] signat * @throws Exception */ public static boolean validateSignature(String data, byte[] signature) throws Exception { - Signature signer = Signature.getInstance(signatureAlgorithm, provider); + + Signature signer; + if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty( + ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) { + signer = Signature.getInstance(signatureAlgorithmSHA256, provider); + } else { + signer = Signature.getInstance(signatureAlgorithmSHA1, provider); + } signer.initVerify(getDefaultPublicKey()); signer.update(data.getBytes()); return signer.verify(signature); @@ -100,7 +124,14 @@ public static boolean validateSignature(String data, byte[] signature) throws Ex * @throws Exception */ public static byte[] doSignature(String data) throws Exception { - Signature signer = Signature.getInstance(signatureAlgorithm, provider); + + Signature signer; + if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty( + ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) { + signer = Signature.getInstance(signatureAlgorithmSHA256, provider); + } else { + signer = Signature.getInstance(signatureAlgorithmSHA1, provider); + } signer.initSign(getDefaultPrivateKey()); signer.update(data.getBytes()); return signer.sign(); @@ -134,7 +165,13 @@ private static PublicKey getPublicKey(byte[] thumb) throws Exception { KeyStore keyStore = keyStoreMan.getPrimaryKeyStore(); PublicKey pubKey = null; Certificate cert = null; - MessageDigest sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM); + MessageDigest sha; + if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty( + ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) { + sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA256); + } else { + sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA1); + } sha.reset(); for (Enumeration e = keyStore.aliases(); e.hasMoreElements(); ) { String alias = e.nextElement(); diff --git a/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/utils/ServerConstants.java b/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/utils/ServerConstants.java index fb23a5160d8..996b0de9dde 100644 --- a/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/utils/ServerConstants.java +++ b/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/utils/ServerConstants.java @@ -161,7 +161,8 @@ public static class HTTPConstants { public static final String BOUNCY_CASTLE_FIPS_PROVIDER_IDENTIFIER = "BCFIPS"; public static final String BOUNCY_CASTLE_FIPS_PROVIDER_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"; public static final String JCE_PROVIDER_PARAMETER = "security.jce.provider"; - + public static final String SIGNATURE_UTIL_ENABLE_SHA256_ALGO = "SignatureUtil.EnableSHA256Algo"; + public static class Axis2ParameterNames { public static final String CONTEXT_ROOT = "contextRoot"; public static final String SERVICE_PATH = "servicePath"; diff --git a/distribution/kernel/carbon-home/repository/conf/carbon.xml b/distribution/kernel/carbon-home/repository/conf/carbon.xml index b3eb23bddf2..18651f79c4c 100644 --- a/distribution/kernel/carbon-home/repository/conf/carbon.xml +++ b/distribution/kernel/carbon-home/repository/conf/carbon.xml @@ -721,4 +721,9 @@ + + + true + + diff --git a/distribution/kernel/carbon-home/repository/resources/conf/default.json b/distribution/kernel/carbon-home/repository/resources/conf/default.json index fb2a5368c45..2c304cf5525 100644 --- a/distribution/kernel/carbon-home/repository/resources/conf/default.json +++ b/distribution/kernel/carbon-home/repository/resources/conf/default.json @@ -220,6 +220,8 @@ "versioning_configuration.enable_version_resources_on_change" : false, "sts.callback_handler" : "org.wso2.carbon.identity.sts.common.identity.provider.AttributeCallbackHandler", "tenant_mgt.enable_tenant_theme_mgt" : true, + "jce_provider.provider_name" : "BC", + "signature_util.enable_sha256_algo" : true, "clustering.agent": "org.wso2.carbon.hazelcast.HazelcastClusteringAgent", "remote_logging.config_sync.period": "15" } diff --git a/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/carbon.xml.j2 b/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/carbon.xml.j2 index 0ffca6f4715..04eebd0977a 100644 --- a/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/carbon.xml.j2 +++ b/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/carbon.xml.j2 @@ -831,6 +831,11 @@ {{password.default_validity_period}} + + + {{signature_util.enable_sha256_algo}} + + {{remote_logging.config_sync.period}} From 6533ff1bcbb8cb98c9ad93960bb31c870be73229 Mon Sep 17 00:00:00 2001 From: Yoshani Date: Fri, 19 May 2023 16:57:29 +0530 Subject: [PATCH 2/2] use DRBG instead of SHA1PRNG --- .../java/org/wso2/carbon/ui/filters/csrf/CSRFConstants.java | 2 +- .../wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java | 6 +++--- .../carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java | 6 +++--- .../wso2/carbon/user/core/system/SystemUserRoleManager.java | 6 +++--- .../java/org/wso2/carbon/user/core/util/UserCoreUtil.java | 2 +- .../conf/security/Owasp.CsrfGuard.Carbon.properties | 6 +++--- .../carbon-home/repository/resources/conf/default.json | 2 +- .../conf/security/Owasp.CsrfGuard.Carbon.properties.j2 | 4 ++-- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/filters/csrf/CSRFConstants.java b/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/filters/csrf/CSRFConstants.java index 31a56dc1a01..bbd076fa380 100644 --- a/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/filters/csrf/CSRFConstants.java +++ b/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/filters/csrf/CSRFConstants.java @@ -22,7 +22,7 @@ public class CSRFConstants { public static final String CSRF_TOKEN = "csrftoken"; - public static final String CSRF_TOKEN_PRNG = "SHA1PRNG"; + public static final String CSRF_TOKEN_PRNG = "DRBG"; public static final String METHOD_POST = "POST"; diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java index e9bead5758f..44edd3c6723 100644 --- a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java +++ b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java @@ -104,7 +104,7 @@ public class JDBCUserStoreManager extends AbstractUserStoreManager { private static final String SQL_FILTER_CHAR_ESCAPE = "\\"; public static final String QUERY_BINDING_SYMBOL = "?"; private static final String CASE_INSENSITIVE_USERNAME = "CaseInsensitiveUsername"; - private static final String SHA_1_PRNG = "SHA1PRNG"; + private static final String RANDOM_ALG_DRBG = "DRBG"; protected DataSource jdbcds = null; protected Random random = new Random(); @@ -2654,13 +2654,13 @@ public Date doGetPasswordExpirationTime(String userName) throws UserStoreExcepti private String generateSaltValue() { String saltValue = null; try { - SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG); + SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG); byte[] bytes = new byte[16]; //secureRandom is automatically seeded by calling nextBytes secureRandom.nextBytes(bytes); saltValue = Base64.encode(bytes); } catch (NoSuchAlgorithmException e) { - throw new RuntimeException("SHA1PRNG algorithm could not be found."); + throw new RuntimeException("DRBG algorithm could not be found."); } return saltValue; } diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java index 15e1564489e..01b298e08db 100644 --- a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java +++ b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java @@ -90,7 +90,7 @@ public class UniqueIDJDBCUserStoreManager extends JDBCUserStoreManager { private static final String QUERY_FILTER_STRING_ANY = "*"; private static final String SQL_FILTER_STRING_ANY = "%"; private static final String CASE_INSENSITIVE_USERNAME = "CaseInsensitiveUsername"; - private static final String SHA_1_PRNG = "SHA1PRNG"; + private static final String RANDOM_ALG_DRBG = "DRBG"; private static final String DB2 = "db2"; private static final String H2 = "h2"; private static final String MSSQL = "mssql"; @@ -2118,13 +2118,13 @@ private String generateSaltValue() { String saltValue; try { - SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG); + SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG); byte[] bytes = new byte[16]; //secureRandom is automatically seeded by calling nextBytes secureRandom.nextBytes(bytes); saltValue = Base64.encode(bytes); } catch (NoSuchAlgorithmException e) { - throw new RuntimeException("SHA1PRNG algorithm could not be found."); + throw new RuntimeException("DRBG algorithm could not be found."); } return saltValue; } diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/system/SystemUserRoleManager.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/system/SystemUserRoleManager.java index 1a19a98cea2..9440e5b7bae 100644 --- a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/system/SystemUserRoleManager.java +++ b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/system/SystemUserRoleManager.java @@ -52,7 +52,7 @@ public class SystemUserRoleManager { private static Log log = LogFactory.getLog(SystemUserRoleManager.class); int tenantId; private DataSource dataSource; - private static final String SHA_1_PRNG = "SHA1PRNG"; + private static final String RANDOM_ALG_DRBG = "DRBG"; public SystemUserRoleManager(DataSource dataSource, int tenantId) throws UserStoreException { super(); @@ -373,13 +373,13 @@ public void addSystemUser(String userName, Object credential, String saltValue = null; try { - SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG); + SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG); byte[] bytes = new byte[16]; //secureRandom is automatically seeded by calling nextBytes secureRandom.nextBytes(bytes); saltValue = Base64.encode(bytes); } catch (NoSuchAlgorithmException e) { - throw new RuntimeException("SHA1PRNG algorithm could not be found."); + throw new RuntimeException("DRBG algorithm could not be found."); } String password = this.preparePassword(credentialObj, saltValue); diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/util/UserCoreUtil.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/util/UserCoreUtil.java index 6ea06fa960e..8abd36f39c2 100644 --- a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/util/UserCoreUtil.java +++ b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/util/UserCoreUtil.java @@ -402,7 +402,7 @@ public static char[] getPolicyFriendlyRandomPasswordInChars(String username, int try { // the secure random - SecureRandom prng = SecureRandom.getInstance("SHA1PRNG"); + SecureRandom prng = SecureRandom.getInstance("DRBG"); for (int i = 0; i < length; i++) { password[i] = passwordChars.charAt(prng.nextInt(passwordFeed.length())); } diff --git a/distribution/kernel/carbon-home/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/distribution/kernel/carbon-home/repository/conf/security/Owasp.CsrfGuard.Carbon.properties index ee7f6e152b0..48b3f337193 100644 --- a/distribution/kernel/carbon-home/repository/conf/security/Owasp.CsrfGuard.Carbon.properties +++ b/distribution/kernel/carbon-home/repository/conf/security/Owasp.CsrfGuard.Carbon.properties @@ -321,10 +321,10 @@ org.owasp.csrfguard.TokenLength=32 # The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used # to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong # pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number -# generator to SHA1PRNG: +# generator to DRBG: # -# org.owasp.csrfguard.PRNG=SHA1PRNG -org.owasp.csrfguard.PRNG=SHA1PRNG +# org.owasp.csrfguard.PRNG=DRBG +org.owasp.csrfguard.PRNG=DRBG # Pseudo-random Number Generator Provider diff --git a/distribution/kernel/carbon-home/repository/resources/conf/default.json b/distribution/kernel/carbon-home/repository/resources/conf/default.json index 2c304cf5525..6667f72929d 100644 --- a/distribution/kernel/carbon-home/repository/resources/conf/default.json +++ b/distribution/kernel/carbon-home/repository/resources/conf/default.json @@ -156,7 +156,7 @@ "admin_console.authenticator.mutual_ssl_authenticator.config.WhiteListEnabled": false, "owasp.csrfguard.create_token_per_page": false, "owasp.csrfguard.token_length": "32", - "owasp.csrfguard.random_number_generator_algo": "SHA1PRNG", + "owasp.csrfguard.random_number_generator_algo": "DRBG", "owasp.csrfguard.js_servlet.x_request_with_header": "WSO2 CSRF Protection", "tomcat.global.session_timeout": "30m", "tomcat.management_console.session_timeout": "15m", diff --git a/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2 b/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2 index 7713ddadb50..2d51d5ce506 100644 --- a/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2 +++ b/distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2 @@ -326,9 +326,9 @@ org.owasp.csrfguard.TokenLength={{owasp.csrfguard.token_length}} # The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used # to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong # pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number -# generator to SHA1PRNG: +# generator to DRBG: # -# org.owasp.csrfguard.PRNG=SHA1PRNG +# org.owasp.csrfguard.PRNG=DRBG org.owasp.csrfguard.PRNG={{owasp.csrfguard.random_number_generator_algo}} # Pseudo-random Number Generator Provider