Add support for setting digest algo #227

Closed


nunoOliveiraqwe

Golang 1.18 removed support for SHA1-signed certificates, and this makes it impossible to use pkcs7 + Go 1.18, because pkcs7 defaults to the SHA1 hash function. (Go 1.18 Release Notes)

This PR adds support for setting the digest algo for pkcs7 to use, defaulting to SHA256 if none is specified.
Additionally, the Go version is set to 1.18.

@jessepeterson
Member

Have a look at #191 (comment)

tl;dr: SHA1 was supposed to be removed for certificate signing in Go 1.18 but they accidentally broke all SHA-1 operations. They fixed this in Go 1.18.2. I.e. this should not be an issue today.

@nunoOliveiraqwe
Author

@jessepeterson you are right. They rolled back the changes in Go 1.18.1. I tested SHA1 signatures in both, and as expected, it fails on 1.18 and passes on 1.18.1. Leaving the link for the discussion here for documentation purposes: golang/go#41682 (comment)

I still see some value in being able to set the digest algo. For example, when the target server forces a specific hash function to be used.

@jessepeterson
Member

@nunoOliveiraqwe Yes, I can also see the value in that. But FYI we're likely to drop support of our internal SCEP library and migrate to https://github.com/smallstep/scep. So you're more likely to get traction supporting the changes over there first. Also - this PR has a bunch of dependency updates that should be different PRs if you want to see those changes merged. Cheers!

@nunoOliveiraqwe
Author

@jessepeterson I rolled back the dependency changes. Should be fine now.

@jessepeterson
Member

@nunoOliveiraqwe hello! we removed our scep library per this comment in #233. You'll need to submit any scep library changes upstream now in https://github.com/smallstep/scep. :) I'll close this PR for now, but if you update it with changes from upstream, feel free to re-open it. :)
