You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Timothee Maret (JIRA)" <ji...@apache.org> on 2017/03/13 10:44:04 UTC

[jira] [Created] (SLING-6638) Vault Package Builder should not allow SHA1, MD5 digest algorithm

Timothee Maret created SLING-6638:
-------------------------------------

             Summary: Vault Package Builder should not allow SHA1, MD5 digest algorithm
                 Key: SLING-6638
                 URL: https://issues.apache.org/jira/browse/SLING-6638
             Project: Sling
          Issue Type: Bug
          Components: Content Distribution
    Affects Versions: Content Distribution Core 0.2.6
            Reporter: Timothee Maret
             Fix For: Content Distribution Core 0.2.8


The {{VaultDistributionPackageBuilderFactory} [0] proposes the MD5, MD2 and SHA-1 algorithms, for which collisions could realistically be forged.

SCD makes use of those algorithm for error detection (like a CRC) and not for security. Despite that, we should deprecate the use of those algorithms IMO.

I propose to remove the three algorithms form the list of proposals, and throw and exception if a non supported algorithm is used. The component end up not being activated unless the configuration is corrected. 


[0] https://github.com/apache/sling/blob/trunk/contrib/extensions/distribution/core/src/main/java/org/apache/sling/distribution/serialization/impl/vlt/VaultDistributionPackageBuilderFactory.java#L191-L193



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)