open-vault/internal/go118_sha1_patch.go

package internal

import (
	"fmt"
	"os"
	"sync"
	_ "unsafe" // for go:linkname

	goversion "github.com/hashicorp/go-version"
	"github.com/hashicorp/vault/sdk/version"
)

const sha1PatchVersionsBefore = "1.12.0"

var patchSha1 sync.Once

//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1
var debugAllowSHA1 bool

// PatchSha1 patches Go 1.18+ to allow certificates with signatures containing SHA-1 hashes to be allowed.
// It is safe to call this function multiple times.
// This is necessary to allow Vault 1.10 and 1.11 to work with Go 1.18+ without breaking backwards compatibility
// with these certificates. See https://go.dev/doc/go1.18#sha1 and
// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1
// for more details.
// TODO: remove when Vault <=1.11 is no longer supported
func PatchSha1() {
	patchSha1.Do(func() {
		patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
		if err != nil {
			panic(err)
		}

		patch := false
		v, err := goversion.NewSemver(version.GetVersion().Version)
		if err == nil {
			patch = v.LessThan(patchBefore)
		} else {
			fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", version.GetVersion().Version)
			patch = true
		}

		if patch {
			debugAllowSHA1 = true
		}
	})
}
Add a workaround to allow SHA-1 signatures in certs to work for Vault <= 1.11 (#18016) 2022-12-14 20:00:08 +00:00			`package internal`

			`import (`
			`"fmt"`
			`"os"`
			`"sync"`
			`_ "unsafe" // for go:linkname`

			`goversion "github.com/hashicorp/go-version"`
			`"github.com/hashicorp/vault/sdk/version"`
			`)`

			`const sha1PatchVersionsBefore = "1.12.0"`

			`var patchSha1 sync.Once`

			`//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1`
			`var debugAllowSHA1 bool`

			`// PatchSha1 patches Go 1.18+ to allow certificates with signatures containing SHA-1 hashes to be allowed.`
			`// It is safe to call this function multiple times.`
			`// This is necessary to allow Vault 1.10 and 1.11 to work with Go 1.18+ without breaking backwards compatibility`
			`// with these certificates. See https://go.dev/doc/go1.18#sha1 and`
			`// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1`
			`// for more details.`
			`// TODO: remove when Vault <=1.11 is no longer supported`
			`func PatchSha1() {`
			`patchSha1.Do(func() {`
			`patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)`
			`if err != nil {`
			`panic(err)`
			`}`

			`patch := false`
			`v, err := goversion.NewSemver(version.GetVersion().Version)`
			`if err == nil {`
			`patch = v.LessThan(patchBefore)`
			`} else {`
			`fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", version.GetVersion().Version)`
			`patch = true`
			`}`

			`if patch {`
			`debugAllowSHA1 = true`
			`}`
			`})`
			`}`