Search code examples
encryptionopenamopensso

Does OPENAM support SHA-256 encryption

As per my knowledge and research which i have done over the internet, it seems that currently OPENAM does not support SHA-256 encryption. I am using SAML authentication in my project, and currently using old openfed jar which does not support the SHA 256 encryption. I went through the latest jar also and found that openam does not support it. FYI .. Following is the snippet of QuerySignatureUtil.java :

final String querySigAlg;
    final String alg = privateKey.getAlgorithm();
    switch (alg) {
        case "RSA":
            //Defaulting to RSA-SHA1 for the sake of interoperability
            querySigAlg = SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_RSA,
                    XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
            break;
        case "DSA":
            //Defaulting to SHA1WithDSA as JDK7 does not support SHA256WithDSA
            querySigAlg = SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_DSA,
                    XMLSignature.ALGO_ID_SIGNATURE_DSA);
            break;
        case "EC":
            querySigAlg = SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_EC,
                    XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA512);
            break;
        default:
            SAML2Utils.debug.error(classMethod + "Private Key algorithm not supported: " + alg);
            throw new SAML2Exception(SAML2Utils.bundle.getString("algorithmNotSupported"));
    }

While going through the internet i have found the ticket https://bugster.forgerock.org/jira/browse/OPENAM-8627

But it seems that it was done only for .NET fedlet.

Can someone

Solution

  • Well firstly, SHA-256 is not an encryption algorithm.

    Digital signatures can use SHA256 as digest algorithm, yes. As you can see in the source of the QuerySignatureUtil, the actual algorithm is now configurable and can take lots of different values. The configuration retrieval is done with the SystemPropertiesManager calls in your snippet, and the config can come from two places:

    • For fedlet: the properties should be defined in FederationConfig.properties.
    • For the OpenAM server, the settings can be found under the Common Federation Configuration in the Global settings.

    If you want to take a look at the digital signature implementation, then there are two classes of interest:

    • FMSigProvider: this class deals with proper XML signatures, all the digital signatures will be part of the XML document as per xmldsig spec.
    • QuerySignatureUtil: this class mainly deals with querystring signing, which has different set of rules than regular XML signatures. In this case the signature will not be part of the signed XML document, instead the signature will be put on the query string. The SAML binding spec that describes the HTTP-Redirect binding discusses this in more details.

    If you want to control the DigestMethod value within the digital signature, then you need to have a look at OPENAM-7778, that was implemented in 13.5.0.

    If you want to encrypt SAML messages using 256 bit encryption algorithms, then you will need to install the JCE jurisdiction files, after that, you should be able to configure http://www.w3.org/2001/04/xmlenc#aes256-cbc as XML encryption algorithm.