Replace the cryptographic algorithm by SHA-2
The static code scanning analysis detected the usage of MD5 as part of [MapDeploymentStateProviderFactory](https://github.com/keycloak/keycloak/blob/a6dd9dc0f1605ce0ac2b424df10e15a6eff6ff70/model/map/src/main/java/org/keycloak/models/map/deploymentState/MapDeploymentStateProviderFactory.java#L58-L58).

Even though we could not find any ways of exploiting the code, we should
avoid its usage considering that MD5 is not collision-resistant.

Resolves keycloak#11290
abstractj committed Apr 18, 2022
1 parent 91c1910 commit f9d4566
Showing 1 changed file with 1 addition and 1 deletion.
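The commit message justifies the change by MD5's lack of collision resistance, but the value being computed is only the first five Base64Url characters of the digest (30 bits), so its collision behaviour is set by the truncation, not by the hash. The following is an added example, not Keycloak's code: it models the `RESOURCES_VERSION` computation from the diff and runs a birthday search that finds two seeds with the same truncated value for both MD5 and SHA-256. The version string "18.0.0", the `seedN` inputs and the explicit UTF-8 encoding are assumptions for the demonstration; the Java code derives the version from `ModelVersion` and calls `getBytes()` with the platform default charset.

```python
import base64
import hashlib

# Added example (not Keycloak's code): models the RESOURCES_VERSION computation
# shown in the diff and demonstrates that the 5-character truncation, not the
# choice between MD5 and SHA-256, decides how easily two inputs collide.

TRUNCATED_CHARS = 5                                        # .substring(0, 5) in the Java code
BITS_PER_BASE64_CHAR = 6
TRUNCATED_BITS = TRUNCATED_CHARS * BITS_PER_BASE64_CHAR    # only 30 bits of the digest survive


def resources_version(seed: str, version: str, algo: str = "sha256") -> str:
    """Mimic Base64Url.encode(digest(seed + version)).substring(0, 5).

    Encoding the input as UTF-8 is an assumption; the Java code calls getBytes()
    with the platform default charset.
    """
    digest = hashlib.new(algo, (seed + version).encode("utf-8")).digest()
    # Keycloak's Base64Url drops padding; the first 5 characters are unaffected either way.
    encoded = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:TRUNCATED_CHARS]


def find_collision(algo: str, version: str = "18.0.0", max_trials: int = 300_000):
    """Birthday search over deterministic seeds 'seed0', 'seed1', ... until two
    different seeds produce the same truncated value.

    Returns (seed_a, seed_b, trials) or None if max_trials is exhausted. With
    30 bits kept, a collision is expected after roughly 2**15 trials whatever
    the underlying digest is.
    """
    seen = {}
    for i in range(max_trials):
        seed = f"seed{i}"                 # constructed input, stands in for randomString(10)
        value = resources_version(seed, version, algo)
        if value in seen:
            return seen[value], seed, i + 1
        seen[value] = seed
    return None


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        hit = find_collision(algo)
        if hit is None:
            print(f"{algo}: no collision within the trial budget")
            continue
        a, b, n = hit
        print(f"{algo}: {a!r} and {b!r} both yield "
              f"{resources_version(a, '18.0.0', algo)} after {n} trials")
```

The search finishes in well under a second for both algorithms, which is the practical point: if `RESOURCES_VERSION` is a cache-busting tag seeded per deployment, a 30-bit value is adequate and the digest choice is irrelevant; if collision resistance is actually required, more of the digest has to be kept, and no algorithm swap substitutes for that.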
Expand Up @@ -55,7 +55,7 @@ public void init(Config.Scope config) {
seed = SecretGenerator.getInstance().randomString(10);
}
try {
Version.RESOURCES_VERSION = Base64Url.encode(MessageDigest.getInstance("MD5")
Version.RESOURCES_VERSION = Base64Url.encode(MessageDigest.getInstance("SHA-256")
.digest((seed + new ModelVersion(Version.VERSION_KEYCLOAK).toString()).getBytes()))
.substring(0, 5);
} catch (NoSuchAlgorithmException e) {
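Review bot: the `.substring(0, 5)` on the line after the changed one keeps only five Base64Url characters, about 30 bits of the digest, so replacing MD5 with SHA-256 does not make RESOURCES_VERSION collision-resistant as the commit message implies; if that property is needed, keep more of the digest (or the whole encoded value), and if it is not needed for a randomly seeded resource version, say in the message that the change is made to clear the scanner finding rather than to fix collision resistance. Separately, `.getBytes()` on the `(seed + new ModelVersion(...).toString())` line uses the platform default charset; `getBytes(StandardCharsets.UTF_8)` would make the computed value the same across JVM configurations.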

0 comments on commit f9d4566