Security scan shows use of SHA-1 in Utils class in AM (All versions)
The purpose of this article is to provide information to help you understand why a security/vulnerability scan shows the use of SHA-1 in the Utils class in AM, specifically referring to org.forgerock.oauth2.core.Utils#getKid.
Some security or vulnerability scans may flag the use of SHA-1 (a hash algorithm that is no longer considered collision resistant) in the Utils class (Utils.java), with specific reference to the org.forgerock.oauth2.core.Utils#getKid method.
The Utils class in the OAuth2 core (org.forgerock.oauth2.core.Utils#getKid) uses SHA-1 to derive a key identifier (the kid value) from the hash of a public key. This usage has no security implications: the input is a public key, so no secret or confidential information is hashed, and the resulting kid serves only as a label for selecting the key, not as a proof of the key's integrity, because a token's signature is still verified against the full key itself.
Changing the hash algorithm would also change every kid, so the kid carried in the header of material signed or encrypted before the change, such as stateless OAuth2 access tokens, OpenID Connect ID tokens and other security tokens, would no longer match the key published under the new identifier, and that material would effectively be invalidated.
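The derivation described above, and the lookup failure that an algorithm change would cause, as an added example in Python. This is not AM's own code: it assumes the kid is the base64url-encoded digest of the DER-encoded public key (the exact encoding and output format used by org.forgerock.oauth2.core.Utils#getKid are not specified here), it uses a constructed textbook-sized RSA key, and the function names are the example's own.

```python
import base64
import hashlib

# Constructed textbook RSA public key (n = 61 * 53, e = 17), used only to
# illustrate the derivation; it is far too small for any real use.
SAMPLE_N = 3233
SAMPLE_E = 17


def _der_length(length: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER, prefixing 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(content)) + content


def kid_for_key(public_key_der: bytes, algorithm: str = "sha1") -> str:
    """Derive a kid as the unpadded base64url digest of the encoded public key.

    Only public material is hashed, so the choice of digest does not protect
    any secret; the kid is just a deterministic label for the key (assumed
    format, not AM's exact implementation).
    """
    digest = hashlib.new(algorithm, public_key_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _b64url_uint(value: int) -> str:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_jwks(n: int, e: int, algorithm: str = "sha1") -> dict:
    """Publish the key in a JWKS document under the kid derived with `algorithm`."""
    der = rsa_public_key_der(n, e)
    return {
        "keys": [
            {
                "kty": "RSA",
                "use": "sig",
                "alg": "RS256",
                "kid": kid_for_key(der, algorithm),
                "n": _b64url_uint(n),
                "e": _b64url_uint(e),
            }
        ]
    }


def select_key(jwks: dict, token_header: dict):
    """Return the JWK whose kid matches the token header, or None if no key matches.

    A verifier that finds no key cannot check the signature, so the token fails.
    """
    for jwk in jwks["keys"]:
        if jwk.get("kid") == token_header.get("kid"):
            return jwk
    return None


def demo() -> dict:
    """Show a token issued under a SHA-1 kid against an old and a new JWKS."""
    der = rsa_public_key_der(SAMPLE_N, SAMPLE_E)
    # Header of a token issued while the kid was still SHA-1 based.
    old_token_header = {"alg": "RS256", "kid": kid_for_key(der, "sha1")}
    jwks_sha1 = build_jwks(SAMPLE_N, SAMPLE_E, "sha1")
    jwks_sha256 = build_jwks(SAMPLE_N, SAMPLE_E, "sha256")  # same key, new kid
    return {
        "found_with_same_algorithm": select_key(jwks_sha1, old_token_header) is not None,
        "found_after_algorithm_change": select_key(jwks_sha256, old_token_header) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The JWKS built with SHA-256 still contains exactly the same public key, yet the previously issued token can no longer be matched to it, which is the invalidation the article describes; the weakness of SHA-1 never enters into it because the verifier checks the signature with the full key it selects, not with the kid.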
Reports of this particular use of SHA-1 can be safely ignored.
Related Issue Tracker IDs