| // Copyright (c) HashiCorp, Inc. |
| // SPDX-License-Identifier: MPL-2.0 |
| |
| package internal |
| |
| import ( |
| "fmt" |
| "os" |
| "sync" |
| _ "unsafe" // for go:linkname |
| |
| goversion "github.com/hashicorp/go-version" |
| "github.com/hashicorp/vault/version" |
| ) |
| |
// sha1PatchVersionsBefore is the first Vault version that no longer receives
// the crypto/x509 variable patch applied by PatchSha1; builds whose reported
// version is older than this (or unparseable) get the patch.
const sha1PatchVersionsBefore = "1.12.0"

// patchSha1 guards PatchSha1 so the process environment and the linked
// crypto/x509 flag are mutated at most once per process.
var patchSha1 sync.Once

// debugAllowSHA1 is linked to the unexported crypto/x509.debugAllowSHA1 flag
// that Go 1.18 through 1.19.3 consult; setting it to true re-enables
// acceptance of SHA-1-signed certificates for the whole process. The
// go:linkname directive below depends on the blank "unsafe" import above.
// NOTE(review): this is a private standard-library symbol that is not part
// of any API contract — confirm it still exists in the toolchain in use.
//
//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1
var debugAllowSHA1 bool
| |
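// PatchSha1 re-enables verification of X.509 certificates whose signatures
// use SHA-1, which Go 1.18+ rejects by default. It exists so that Vault 1.10
// and 1.11, when built with Go 1.18+, keep accepting such certificates for
// backwards compatibility. See https://go.dev/doc/go1.18#sha1 and
// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1
// for more details.
//
// SECURITY: SHA-1 is collision-prone, and accepting SHA-1-signed certificates
// weakens every certificate check crypto/x509 performs in this process. The
// workaround is deliberately process-wide and uses two mechanisms:
//
//   - It appends "x509sha1=1" to the GODEBUG environment variable, which Go
//     1.19.4 and later honour. This is done regardless of the Vault version.
//     Because it goes through os.Setenv, any subprocess started afterwards
//     inherits the relaxed setting. If an operator has already set
//     x509sha1=0, the appended entry presumably takes precedence — confirm
//     against the Go release in use if an operator opt-out is required.
//     NOTE(review): newer Go releases may drop the x509sha1 setting entirely,
//     at which point this branch silently stops having any effect.
//   - For Go 1.19.3 and earlier it sets crypto/x509's private debugAllowSHA1
//     flag via go:linkname, but only when the build reports a Vault version
//     below sha1PatchVersionsBefore (an unparseable version is treated as
//     needing the patch).
//
// It should run before any certificate verification takes place. It is safe
// to call this function multiple times; the work is performed only once.
// TODO: remove when Vault <=1.11 is no longer supported
func PatchSha1() {
	patchSha1.Do(func() {
		// Go 1.19.4 and later consult GODEBUG=x509sha1=1 instead of a package
		// variable. Keep whatever the operator already configured and append
		// our own entry.
		godebug := os.Getenv("GODEBUG")
		if godebug != "" {
			godebug += ","
		}
		godebug += "x509sha1=1"
		if err := os.Setenv("GODEBUG", godebug); err != nil {
			// Not fatal: the linkname patch below may still apply, and on
			// Go 1.19.4+ the process simply keeps rejecting SHA-1 signatures.
			// Report it so a silent loss of compatibility is diagnosable.
			fmt.Fprintf(os.Stderr, "Cannot set GODEBUG for SHA-1 deprecation patch workaround: %v\n", err)
		}

		// Go 1.19.3 and earlier: flip crypto/x509's private debug flag.
		// sha1PatchVersionsBefore is a compile-time constant, so a parse
		// failure here is a programming error rather than a runtime condition.
		patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
		if err != nil {
			panic(err)
		}

		// Apply the variable patch only to builds older than the cut-off.
		// A version that cannot be parsed (e.g. a dev build) fails toward
		// patching, so such builds behave like the releases they track.
		patch := false
		v, err := goversion.NewSemver(version.GetVersion().Version)
		if err == nil {
			patch = v.LessThan(patchBefore)
		} else {
			fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", version.GetVersion().Version)
			patch = true
		}

		if patch {
			debugAllowSHA1 = true
		}
	})
}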