Remove SHA1 default usage

core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/util/SignatureUtil.java

@@ -18,6 +18,7 @@
 package org.wso2.carbon.core.util;
 
 import org.wso2.carbon.base.MultitenantConstants;
+import org.wso2.carbon.base.ServerConfiguration;
 import org.wso2.carbon.base.api.ServerConfigurationService;
 import org.wso2.carbon.core.RegistryResources;
 import org.wso2.carbon.core.internal.CarbonCoreDataHolder;
@@ -31,9 +32,11 @@
 
 public class SignatureUtil {
 
-    private static final String THUMB_DIGEST_ALGORITHM = "SHA-1";
+    private static final String THUMB_DIGEST_ALGORITHM_SHA1 = "SHA-1";
+    private static final String THUMB_DIGEST_ALGORITHM_SHA256 = "SHA-256";
+    private static final String signatureAlgorithmSHA1 = "SHA1withRSA";
+    private static final String signatureAlgorithmSHA256 = "SHA256withRSA";
 
-    private static String signatureAlgorithm = "SHA1withRSA";
     private static String provider;
 
     private SignatureUtil() {
@@ -54,7 +57,14 @@ public static void init() throws Exception {
      * @throws Exception
      */
     public static byte[] getThumbPrintForAlias(String alias) throws Exception {
-        MessageDigest sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM);
+
+        MessageDigest sha;
+        if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
+                ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
+            sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA256);
+        } else {
+            sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA1);
+        }
         sha.reset();
         Certificate cert = getCertificate(alias);
         sha.update(cert.getEncoded());
@@ -71,7 +81,14 @@ public static byte[] getThumbPrintForAlias(String alias) throws Exception {
      * @throws Exception
      */
     public static boolean validateSignature(byte[] thumb, String data, byte[] signature) throws Exception {
-        Signature signer = Signature.getInstance(signatureAlgorithm, provider);
+
+        Signature signer;
+        if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
+                ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
+            signer = Signature.getInstance(signatureAlgorithmSHA256, provider);
+        } else {
+            signer = Signature.getInstance(signatureAlgorithmSHA1, provider);
+        }
         signer.initVerify(getPublicKey(thumb));
         signer.update(data.getBytes());
         return signer.verify(signature);
@@ -86,7 +103,14 @@ public static boolean validateSignature(byte[] thumb, String data, byte[] signat
      * @throws Exception
      */
     public static boolean validateSignature(String data, byte[] signature) throws Exception {
-        Signature signer = Signature.getInstance(signatureAlgorithm, provider);
+
+        Signature signer;
+        if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
+                ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
+            signer = Signature.getInstance(signatureAlgorithmSHA256, provider);
+        } else {
+            signer = Signature.getInstance(signatureAlgorithmSHA1, provider);
+        }
         signer.initVerify(getDefaultPublicKey());
         signer.update(data.getBytes());
         return signer.verify(signature);
@@ -100,7 +124,14 @@ public static boolean validateSignature(String data, byte[] signature) throws Ex
      * @throws Exception
      */
     public static byte[] doSignature(String data) throws Exception {
-        Signature signer = Signature.getInstance(signatureAlgorithm, provider);
+
+        Signature signer;
+        if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
+                ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
+            signer = Signature.getInstance(signatureAlgorithmSHA256, provider);
+        } else {
+            signer = Signature.getInstance(signatureAlgorithmSHA1, provider);
+        }
         signer.initSign(getDefaultPrivateKey());
         signer.update(data.getBytes());
         return signer.sign();
@@ -134,7 +165,13 @@ private static PublicKey getPublicKey(byte[] thumb) throws Exception {
         KeyStore keyStore = keyStoreMan.getPrimaryKeyStore();
         PublicKey pubKey = null;
         Certificate cert = null;
-        MessageDigest sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM);
+        MessageDigest sha;
+        if (Boolean.parseBoolean(ServerConfiguration.getInstance().getFirstProperty(
+                ServerConstants.SIGNATURE_UTIL_ENABLE_SHA256_ALGO))) {
+            sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA256);
+        } else {
+            sha = MessageDigest.getInstance(THUMB_DIGEST_ALGORITHM_SHA1);
+        }
         sha.reset();
         for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
             String alias = e.nextElement();

core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/filters/csrf/CSRFConstants.java

@@ -22,7 +22,7 @@
 
 public class CSRFConstants {
     public static final String CSRF_TOKEN = "csrftoken";
-    public static final String CSRF_TOKEN_PRNG = "SHA1PRNG";
+    public static final String CSRF_TOKEN_PRNG = "DRBG";
 
     public static final String METHOD_POST = "POST";
 

core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java

@@ -104,7 +104,7 @@ public class JDBCUserStoreManager extends AbstractUserStoreManager {
     private static final String SQL_FILTER_CHAR_ESCAPE = "\\";
     public static final String QUERY_BINDING_SYMBOL = "?";
     private static final String CASE_INSENSITIVE_USERNAME = "CaseInsensitiveUsername";
-    private static final String SHA_1_PRNG = "SHA1PRNG";
+    private static final String RANDOM_ALG_DRBG = "DRBG";
 
     protected DataSource jdbcds = null;
     protected Random random = new Random();
@@ -2654,13 +2654,13 @@ public Date doGetPasswordExpirationTime(String userName) throws UserStoreExcepti
     private String generateSaltValue() {
         String saltValue = null;
         try {
-            SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG);
+            SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG);
             byte[] bytes = new byte[16];
             //secureRandom is automatically seeded by calling nextBytes
             secureRandom.nextBytes(bytes);
             saltValue = Base64.encode(bytes);
         } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+            throw new RuntimeException("DRBG algorithm could not be found.");
         }
         return saltValue;
     }

core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java

@@ -90,7 +90,7 @@ public class UniqueIDJDBCUserStoreManager extends JDBCUserStoreManager {
     private static final String QUERY_FILTER_STRING_ANY = "*";
     private static final String SQL_FILTER_STRING_ANY = "%";
     private static final String CASE_INSENSITIVE_USERNAME = "CaseInsensitiveUsername";
-    private static final String SHA_1_PRNG = "SHA1PRNG";
+    private static final String RANDOM_ALG_DRBG = "DRBG";
     private static final String DB2 = "db2";
     private static final String H2 = "h2";
     private static final String MSSQL = "mssql";
@@ -2118,13 +2118,13 @@ private String generateSaltValue() {
 
         String saltValue;
         try {
-            SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG);
+            SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG);
             byte[] bytes = new byte[16];
             //secureRandom is automatically seeded by calling nextBytes
             secureRandom.nextBytes(bytes);
             saltValue = Base64.encode(bytes);
         } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+            throw new RuntimeException("DRBG algorithm could not be found.");
         }
         return saltValue;
     }

core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/system/SystemUserRoleManager.java

@@ -52,7 +52,7 @@ public class SystemUserRoleManager {
     private static Log log = LogFactory.getLog(SystemUserRoleManager.class);
     int tenantId;
     private DataSource dataSource;
-    private static final String SHA_1_PRNG = "SHA1PRNG";
+    private static final String RANDOM_ALG_DRBG = "DRBG";
 
     public SystemUserRoleManager(DataSource dataSource, int tenantId) throws UserStoreException {
         super();
@@ -373,13 +373,13 @@ public void addSystemUser(String userName, Object credential,
 
             String saltValue = null;
             try {
-                SecureRandom secureRandom = SecureRandom.getInstance(SHA_1_PRNG);
+                SecureRandom secureRandom = SecureRandom.getInstance(RANDOM_ALG_DRBG);
                 byte[] bytes = new byte[16];
                 //secureRandom is automatically seeded by calling nextBytes
                 secureRandom.nextBytes(bytes);
                 saltValue = Base64.encode(bytes);
             } catch (NoSuchAlgorithmException e) {
-                throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+                throw new RuntimeException("DRBG algorithm could not be found.");
             }
 
             String password = this.preparePassword(credentialObj, saltValue);

core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/util/UserCoreUtil.java

@@ -402,7 +402,7 @@ public static char[] getPolicyFriendlyRandomPasswordInChars(String username, int
 
         try {
             // the secure random
-            SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
+            SecureRandom prng = SecureRandom.getInstance("DRBG");
             for (int i = 0; i < length; i++) {
                 password[i] = passwordChars.charAt(prng.nextInt(passwordFeed.length()));
             }

core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/utils/ServerConstants.java

@@ -161,7 +161,8 @@ public static class HTTPConstants {
     public static final String BOUNCY_CASTLE_FIPS_PROVIDER_IDENTIFIER = "BCFIPS";
     public static final String BOUNCY_CASTLE_FIPS_PROVIDER_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
     public static final String JCE_PROVIDER_PARAMETER = "security.jce.provider";
-
+    public static final String SIGNATURE_UTIL_ENABLE_SHA256_ALGO = "SignatureUtil.EnableSHA256Algo";
+
     public static class Axis2ParameterNames {
         public static final String CONTEXT_ROOT = "contextRoot";
         public static final String SERVICE_PATH = "servicePath";

distribution/kernel/carbon-home/repository/conf/carbon.xml

@@ -721,4 +721,9 @@
         </ConfigSync>
     </RemoteLogging>
 
+    <!-- Configure SignatureUtil algorithms -->
+    <SignatureUtil>
+        <EnableSHA256Algo>true</EnableSHA256Algo>
+    </SignatureUtil>
+
 </Server>

distribution/kernel/carbon-home/repository/conf/security/Owasp.CsrfGuard.Carbon.properties

@@ -321,10 +321,10 @@ org.owasp.csrfguard.TokenLength=32
 # The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
 # to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
 # pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
-# generator to SHA1PRNG:
+# generator to DRBG:
 #
-# org.owasp.csrfguard.PRNG=SHA1PRNG
-org.owasp.csrfguard.PRNG=SHA1PRNG
+# org.owasp.csrfguard.PRNG=DRBG
+org.owasp.csrfguard.PRNG=DRBG
 
 # Pseudo-random Number Generator Provider
 

distribution/kernel/carbon-home/repository/resources/conf/default.json

@@ -156,7 +156,7 @@
   "admin_console.authenticator.mutual_ssl_authenticator.config.WhiteListEnabled": false,
   "owasp.csrfguard.create_token_per_page": false,
   "owasp.csrfguard.token_length": "32",
-  "owasp.csrfguard.random_number_generator_algo": "SHA1PRNG",
+  "owasp.csrfguard.random_number_generator_algo": "DRBG",
   "owasp.csrfguard.js_servlet.x_request_with_header": "WSO2 CSRF Protection",
   "tomcat.global.session_timeout": "30m",
   "tomcat.management_console.session_timeout": "15m",
@@ -220,6 +220,8 @@
   "versioning_configuration.enable_version_resources_on_change" : false,
   "sts.callback_handler" : "org.wso2.carbon.identity.sts.common.identity.provider.AttributeCallbackHandler",
   "tenant_mgt.enable_tenant_theme_mgt" : true,
+  "jce_provider.provider_name" : "BC",
+  "signature_util.enable_sha256_algo" : true,
   "clustering.agent": "org.wso2.carbon.hazelcast.HazelcastClusteringAgent",
   "remote_logging.config_sync.period": "15"
 }

distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/carbon.xml.j2

@@ -831,6 +831,11 @@
     <!-- Configure password validity period for initially set password -->
     <DefaultPasswordValidityPeriod>{{password.default_validity_period}}</DefaultPasswordValidityPeriod>
 
+    <!-- Configure SignatureUtil algorithms -->
+    <SignatureUtil>
+        <EnableSHA256Algo>{{signature_util.enable_sha256_algo}}</EnableSHA256Algo>
+    </SignatureUtil>
+
     <RemoteLogging>
         <ConfigSync>
       	    <Period>{{remote_logging.config_sync.period}}</Period>

distribution/kernel/carbon-home/repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2

@@ -326,9 +326,9 @@ org.owasp.csrfguard.TokenLength={{owasp.csrfguard.token_length}}
 # The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
 # to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
 # pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
-# generator to SHA1PRNG:
+# generator to DRBG:
 #
-# org.owasp.csrfguard.PRNG=SHA1PRNG
+# org.owasp.csrfguard.PRNG=DRBG
 org.owasp.csrfguard.PRNG={{owasp.csrfguard.random_number_generator_algo}}
 
 # Pseudo-random Number Generator Provider