Configuring Security Hash Algorithm (SHA) versions
Overview
CONNECT provides a basic feature to more easily select SHA versions to use for initiating and accepting requests. Available SHA versions are based on the versions supported by CXF and OpenSAML.
CXF and OpenSAML
Latest CONNECT release (5.3) leverages CXF 3.1.9 and OpenSAML 3.1.1
Specifying SHA versions
SHA versions supported by OpenSAML and CXF can be specified in saml.properties in the CONNECT properties directory. Note that while multiple versions can be specified, a default must also be specified and can be overridden in the entity request (described in section Overriding default SHA version ). Make sure the properties include backslash after comma. Refer to sample entries in saml.properties
- saml.digestAlgorithms - comma separated list of SignatureConstants/URIs, of the desired digest algorithms to support
- saml.signatureAlgorithms - comma separated list of SignatureConstants/URIs, of the desired signature algorithms to support
- saml.defaultDigestAlgorithm - default digest algorithm to use if an override is not provided in the entity message. Defaults to SHA1 if not set.
- saml.defaultSignatureAlgorithm - default signature algorithm to use if an override is not provided in the entity message. Defaults to RSA-SHA1 if not set.
See https://github.com/apigee/java-xmltooling/blob/master/src/main/java/org/opensaml/xml/signature/SignatureConstants.java for all supported SHA versions.
saml.signatureAlgorithms=ALGO_ID_SIGNATURE_RSA_SHA512\,ALGO_ID_SIGNATURE_RSA_SHA1\,ALGO_ID_SIGNATURE_RSA_SHA256 saml.digestAlgorithms=ALGO_ID_DIGEST_SHA512\,ALGO_ID_DIGEST_SHA1\,ALGO_ID_DIGEST_SHA256 saml.defaultSignatureAlgorithm=ALGO_ID_SIGNATURE_RSA_SHA1 saml.defaultDigestAlgorithm=ALGO_ID_DIGEST_SHA1
Overriding default SHA version
Once a list of allowable SHA versions and a default has been specified, a specific version from the allowable list can be specified in the entity request. An example algorithm override follows:
<urn:assertion> <urn1:signatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</urn1:signatureAlgorithm> <urn1:digestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha256</urn1:digestAlgorithm> <urn1:homeCommunity> <urn1:description>${#Project#LocalHCDescription}</urn1:description> <urn1:homeCommunityId>${#Project#LocalHCID}</urn1:homeCommunityId> <urn1:name>${#Project#LocalHCDescription}</urn1:name> </urn1:homeCommunity>
Responding gateways
All versions specified in saml.signatureAlgortihms and saml.digestAlgorithms can be accepted by a responding CONNECT gateway
saml.signatureAlgorithms=ALGO_ID_SIGNATURE_RSA_SHA512\,ALGO_ID_SIGNATURE_RSA_SHA1\,ALGO_ID_SIGNATURE_RSA_SHA256 saml.digestAlgorithms=ALGO_ID_DIGEST_SHA512\,ALGO_ID_DIGEST_SHA1\,ALGO_ID_DIGEST_SHA256