Insecure usage of SHA-1

[akwick]

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, CogniCryptSAST, is in this project:

• org.geotoolkit.index.tree.manager.util.AeSimpleSHA1 uses SHA-1 as a parameter to java.security.MessageDigest. By now, it is possible to have collisions with SHA-1 and are not considered secure any longer. Therefore, one should not use SHA-1 anymore in a security context like password storage, token generation, or computation integrity. This misuse is also considered problematic by industry tools like SonarSource.

We hope that this information helps you and to hear back from you.