signature validation stage should allow algorithm blacklisting
Fixed
Description fields
Basics
Logistics
Basics
Logistics
Description
The signature validation stage relies on Santuario to validate signatures and makes no check as to the digest and signature mechanisms used.
The code I imported from XmlSecTool for https://shibboleth.atlassian.net/browse/MDA-112#icft=MDA-112 includes algorithm blacklist functionality; it would be useful to surface this in Set<String> properties of the signature validation stage so that defunct algorithms like MD5 (and one day SHA-1) can be excluded.
The signature validation stage relies on Santuario to validate signatures and makes no check as to the digest and signature mechanisms used.
The code I imported from XmlSecTool for https://shibboleth.atlassian.net/browse/MDA-112#icft=MDA-112 includes algorithm blacklist functionality; it would be useful to surface this in Set<String> properties of the signature validation stage so that defunct algorithms like MD5 (and one day SHA-1) can be excluded.