Fix SHA1 patch for Go 1.19.4; patch test (#18405)

Bad news: the hot patch we were using breaks in Go 1.19.4: 6109c07ec4 Good news: we can now patch with an environment variable at runtime. Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2022-12-15 12:52:45 -05:00
parent 014a5ebbe8
commit 807f3936ac
2 changed files with 15 additions and 0 deletions
--- a/builtin/credential/aws/pkcs7/sign.go
+++ b/builtin/credential/aws/pkcs7/sign.go
@@ -12,8 +12,14 @@ import (
 	"fmt"
 	"math/big"
 	"time"
+
+	"github.com/hashicorp/vault/internal"
 )

+func init() {
+	internal.PatchSha1()
+}
+
 // SignedData is an opaque data structure for creating signed data payloads
 type SignedData struct {
 	sd                  signedData
--- a/internal/go118_sha1_patch.go
+++ b/internal/go118_sha1_patch.go
@@ -26,6 +26,15 @@ var debugAllowSHA1 bool
 // TODO: remove when Vault <=1.11 is no longer supported
 func PatchSha1() {
 	patchSha1.Do(func() {
+		// for Go 1.19.4 and later
+		godebug := os.Getenv("GODEBUG")
+		if godebug != "" {
+			godebug += ","
+		}
+		godebug += "x509sha1=1"
+		os.Setenv("GODEBUG", godebug)
+
+		// for Go 1.19.3 and earlier, patch the variable
 		patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
 		if err != nil {
 			panic(err)