Affects Version/s: Trunk
Fix Version/s: None
Sprint: Bug Crush Event - 21/2/2015
While working on OFBIZ-10427, I noticed that HashCrypt::cryptBytes uses "SHA" as the default hashType (aka algorithm in JDK jargon).
HashCrypt::cryptBytes is notably used by GenericEntity::toString.
But if I refer to the "current" documentation https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
I can't find any "SHA" algorithm, even in https://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA which I guess corresponds to the date of the HashCrypt code.
Trying MessageDigest.getInstance("SHA") returns a MessageDigest with a digestSpi.algorithm value of "SHA-1".
Curious, I tried HashCrypt.cryptBytes(null, null, "test".getBytes()) and got
So it works, but obviously uses SHA1, and we know SHA1 is insecure.
So I suggest replacing the default in HashCrypt::cryptBytes with "SHA-512".
After having a look at both code and related articles (below), I found it's not as easy as I thought, because we need to take into account legacy and transition for users.
I conclude that it's something we should do without lagging but not ASAP.
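
The alias behaviour and the transition concern described above, as an added example that is not OFBiz code and not part of the original report. The class name, method names and the "algorithm:salt:digest" record format are assumptions made for illustration. It checks that the JDK resolves "SHA" to SHA-1, then verifies a legacy record with the algorithm it names and rewrites it with the proposed default.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not OFBiz code: class, methods and the record format are hypothetical.
public class DigestAliasCheck {
    static final String PROPOSED_DEFAULT = "SHA-512"; // default suggested in the issue

    static byte[] digest(String algorithm, byte[] salt, byte[] data) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        return md.digest(data);
    }

    // True when the JDK provider resolves the name "SHA" to the same function as "SHA-1".
    static boolean shaIsSha1(byte[] data) throws NoSuchAlgorithmException {
        byte[] noSalt = new byte[0];
        return MessageDigest.isEqual(digest("SHA", noSalt, data), digest("SHA-1", noSalt, data));
    }

    // Hypothetical self-describing record: "<algorithm>:<base64 salt>:<base64 digest>".
    static String store(String algorithm, byte[] salt, byte[] data) throws NoSuchAlgorithmException {
        Base64.Encoder b64 = Base64.getEncoder();
        return algorithm + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(digest(algorithm, salt, data));
    }

    // Verifies with the algorithm named in the record, so legacy records keep working.
    static boolean matches(String record, byte[] data) throws NoSuchAlgorithmException {
        String[] p = record.split(":", 3);
        if (p.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(p[1]);
        return MessageDigest.isEqual(Base64.getDecoder().decode(p[2]), digest(p[0], salt, data));
    }

    // A record that verified but names another algorithm should be rewritten with the new default.
    static boolean needsUpgrade(String record) {
        return !record.startsWith(PROPOSED_DEFAULT + ":");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] data = "test".getBytes(StandardCharsets.UTF_8); // constructed sample input
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        System.out.println("\"SHA\" is SHA-1: " + shaIsSha1(data));
        String legacy = store("SHA", salt, data);
        System.out.println(legacy + " matches=" + matches(legacy, data) + " upgrade=" + needsUpgrade(legacy));
        if (matches(legacy, data) && needsUpgrade(legacy)) legacy = store(PROPOSED_DEFAULT, salt, data);
        System.out.println(legacy + " matches=" + matches(legacy, data) + " upgrade=" + needsUpgrade(legacy));
    }
}
```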