Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Security scan shows use of SHA-1 in Utils class in AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to provide information to help you understand why a security/vulnerability scan shows the use of SHA-1 in the Utils class in AM, specifically referring to org.forgerock.oauth2.core.Utils#getKid.



Symptoms

Some security or vulnerability scans may flag the use of SHA-1 (an insecure hashing algorithm) in the Utils.java class, with specific reference to the org.forgerock.oauth2.core.Utils#getKid method.

Recent Changes

N/A

Causes

The Utils class in OAuth2 uses SHA-1 to create an identifier (kid value) based on the hash of the public key (org.forgerock.oauth2.core.Utils#getKid). There are no security implications to this SHA-1 usage since no secret or confidential information is hashed during this process.

Note

Changing the hash algorithm would invalidate previously signed or encrypted material such as stateless OAuth2 access tokens, OpenID Connect ID tokens and other security tokens.
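
The following is an added illustration, not ForgeRock's code, of the two points above: a kid derived from a public key hashes only public material, and tokens whose header carries a SHA-1-derived kid stop resolving to a key if the kid derivation switches to another hash. The derivation shown (base64url of the hash of the encoded public key), the key bytes, the RS256 header value and all function names are assumptions for the example and are not taken from AM's Utils#getKid implementation.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used in JOSE headers."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def derive_kid(public_key_bytes: bytes, algorithm: str = "sha1") -> str:
    """Hypothetical kid derivation: base64url(hash(encoded public key)).
    The only input is the public key, so nothing secret is hashed."""
    return b64url(hashlib.new(algorithm, public_key_bytes).digest())

def publish_key_set(public_keys, algorithm):
    """Map kid -> public key, as a server would publish verification keys."""
    return {derive_kid(key, algorithm): key for key in public_keys}

def jws_header(public_key_bytes: bytes, algorithm: str) -> str:
    """Encoded header of a token, naming its signing key by kid."""
    header = {"alg": "RS256", "kid": derive_kid(public_key_bytes, algorithm)}
    return b64url(json.dumps(header).encode("utf-8"))

def resolve_key(encoded_header: str, key_set: dict):
    """Return the verification key the header's kid points at, or None."""
    padded = encoded_header + "=" * (-len(encoded_header) % 4)
    kid = json.loads(base64.urlsafe_b64decode(padded))["kid"]
    return key_set.get(kid)

# Constructed stand-ins for encoded public keys (not real key material).
SIGNING_KEY = b"constructed-public-key-A"
OTHER_KEY = b"constructed-public-key-B"

def demo() -> dict:
    # A token issued while kids were derived with SHA-1.
    old_header = jws_header(SIGNING_KEY, "sha1")
    sha1_set = publish_key_set([SIGNING_KEY, OTHER_KEY], "sha1")
    # Same keys, but kids re-derived with a different hash.
    sha256_set = publish_key_set([SIGNING_KEY, OTHER_KEY], "sha256")
    return {
        "resolves_with_sha1_kids": resolve_key(old_header, sha1_set) == SIGNING_KEY,
        "resolves_with_sha256_kids": resolve_key(old_header, sha256_set) is not None,
    }

if __name__ == "__main__":
    print(demo())
```
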

Solution

Reports of this particular use of SHA-1 can be safely ignored.

See Also

N/A

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.