Skip to content

fix: use SHA256 as default signing algorithm instead of SHA1#104

Merged
william-suppo merged 1 commit into
masterfrom
fix/sha256-default-signing-algorithm
Jun 26, 2026
Merged

fix: use SHA256 as default signing algorithm instead of SHA1#104
william-suppo merged 1 commit into
masterfrom
fix/sha256-default-signing-algorithm

Conversation

@william-suppo

Copy link
Copy Markdown
Contributor

Summary

  • Change default signing algorithm from RSA_SHA1 to RSA_SHA256 in KeyHelper::createPrivateKey()
  • Change default digest algorithm from SHA1 to SHA256 in SignatureWriter
  • Update tests to reflect the new SHA256 defaults

Context

OpenSSL 3.x (shipped with Ubuntu 22.04+, Debian 12+) disables SHA1 by default. When using the library defaults, signing an AuthnRequest would fail with a cryptic error:

Fatal error: Uncaught Exception: Failure Signing Data: error:0480006C:PEM routines::no start line

The workaround found by users was to set putenv('OPENSSL_ENABLE_SHA1_SIGNATURES=1'), which re-enables the deprecated SHA1 algorithm — a poor security practice.

This fix makes SHA256 the default so signing works out of the box on modern systems.

Closes #90

OpenSSL 3.x (shipped with Ubuntu 22.04+, Debian 12+) disables SHA1 by
default, causing a cryptic "no start line" error when attempting to sign
SAML requests with the library defaults.

Change the default algorithm from RSA_SHA1 to RSA_SHA256 in
KeyHelper::createPrivateKey() and SignatureWriter, so that signing works
out of the box on modern systems without requiring the
OPENSSL_ENABLE_SHA1_SIGNATURES workaround.

Fixes #90
@william-suppo william-suppo merged commit fba564b into master Jun 26, 2026
9 checks passed
@william-suppo william-suppo deleted the fix/sha256-default-signing-algorithm branch June 26, 2026 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Attempting to Sign a AuthnRequest I Always Receive a Fatal Error

1 participant