-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default the pkcs11 code to use sha256 for OAEP padding #61
Default the pkcs11 code to use sha256 for OAEP padding #61
Conversation
Fix a comment because the empty string of the hash defaults to sha1 and not sha256. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
b179703
to
97dfb71
Compare
323b585
to
6fde93a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor non-blocking nits, lgtm
crypto/pkcs11/pkcs11helpers.go
Outdated
// } , | ||
// [...] | ||
// } | ||
// Note: More recent versions of this code explicityly write 'sha1' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit : explicitly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
3e20e9f
to
0d7f671
Compare
Remove the variable OAEPDefaultHash and explicitly store 'sha1' in the JSON's Hash field. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
In case the user doesn't set the environment variable OCICRYPT_OAEP_HASHALG sha256 will be used now. This breaks default usage with SoftHSM because the only hash it currently (v2.6.1) supports is sha1. So a user of SoftHSM now has to set the environment variable to 'sha1' and we have to adjust the test case because of this. SoftHSM link to OAEP only supporting sha1: https://github.com/opendnssec/SoftHSMv2/blob/7f99bedae002f0dd04ceeb8d86d59fc4a68a69a0/src/lib/SoftHSM.cpp#L3123-L3127 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
0d7f671
to
dd06ac4
Compare
Thanks a lot @stefanberger @lumjjb for this. Can we get new release with this please? |
Before we release, want to make sure that we capture this change in the rust version as well @arronwy , any concerns of this from the rust side? |
This PR modifies the pkcs11 code to default to sha256