SHA1 is broken #19
Comments
That's just for signing, not for the actual encryption of the assertion. The provider is the one that decides the encryption scheme.
Thank you for the quick response. That makes sense, but in the readme there seems to be a contradiction.
Then a little farther down in the readme:
The property privateCert seems to be used for both signing and decrypting? This is the root of my confusion. If the first statement is true then the private key being used to decrypt the SAML must be using SHA1. Rereading it now though I think that there must be a mistake in the readme? The property can't be used to both sign the SAML requests and decrypt the SAML responses, can it? If it is then doesn't that mean that the SAML is encrypted using SHA1?
According to the README passport-saml-encrypted uses RSA-SHA1 to encrypt SAML. Since SHA1 has been broken for quite some time now (https://www.schneier.com/blog/archives/2005/02/sha1_broken.html), are there plans to update the code to use a hash algorithm from SHA2?
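The distinction drawn in the first reply (the signature digest is separate from how the assertion is encrypted), as an added Node.js example that is not code from passport-saml-encrypted. The key pair, the sample XML and the AES-256-GCM / RSA-OAEP choices are constructed assumptions; in a real deployment the identity provider picks the encryption algorithms.

```javascript
const crypto = require('crypto');

// Constructed RSA key pair standing in for the service provider's key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Signing: the digest (SHA-1 or SHA-256) is a property of the signature only.
function signRequest(xml, digest) {
  return crypto.sign(digest, Buffer.from(xml), privateKey);
}
function verifyRequest(xml, digest, signature) {
  return crypto.verify(digest, Buffer.from(xml), publicKey, signature);
}

// Encryption (identity provider side): a random AES key encrypts the assertion,
// and that AES key is wrapped to the service provider's RSA public key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
function idpEncrypt(assertion) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(assertion, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, aesKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Decryption (service provider side): the same private key that signs requests
// unwraps the AES key. No signature digest is involved in this step.
function spDecrypt({ wrappedKey, iv, body, tag }) {
  const aesKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

function demo() {
  const request = '<samlp:AuthnRequest ID="_constructed"/>'; // constructed sample
  const sha1Sig = signRequest(request, 'sha1');
  const sha256Sig = signRequest(request, 'sha256');
  const envelope = idpEncrypt('<saml:Assertion>constructed</saml:Assertion>');
  return {
    sha1Ok: verifyRequest(request, 'sha1', sha1Sig),
    sha256Ok: verifyRequest(request, 'sha256', sha256Sig),
    // A SHA-1 signature does not verify as SHA-256: the digest is bound to the signature.
    crossOk: verifyRequest(request, 'sha256', sha1Sig),
    decrypted: spDecrypt(envelope),
  };
}
```

Changing the signing digest from `sha1` to `sha256` leaves `idpEncrypt` and `spDecrypt` untouched, which is why the signature algorithm and the assertion encryption scheme can be discussed separately.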