Use of a risky cryptographic algorithm

Question

Use of a risky cryptographic algorithm

thachlp opened this issue 6 months ago · 3 comments

thachlp commented 6 months ago

Bug Report

Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.

Current Behavior

Input Code

    public static String digest(ByteBuffer script) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA1");
            md.update(script);
            return new String(Base16.encode(md.digest(), false));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("JVM does not support SHA1");
        }
    }

Expected behavior/code

Environment

Lettuce version(s): [main]

Possible Solution

Using SHA-256 instead

    public static String digest(ByteBuffer script) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(script);
            return new String(Base16.encode(md.digest(), false));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("JVM does not support SHA-256");
        }
    }

Additional context

Answer 1 · 2024-09-10T14:37:56.000Z

Hey @thachlp ,

Have you verified that the server supports SHA-256? From the documentation it seems it does not.

Answer 2 · 2024-09-11T02:54:10.000Z

@tishun
Oops, I didn't realize Redis doesn't support SHA-256, I will close this issue. Thanks 🙇

Answer 3 · 2024-09-11T06:38:11.000Z

No problem :) thanks for taking a look