Remove runtime patch for SHA1 support in X.509 certs (#24243)

This code only executes when the Vault version is <1.11, so is now dead code and can be removed safely.
2025-08-06 06:37:02 +02:00 · 2023-11-27 09:11:01 -08:00 · 2023-11-27 09:11:01 -08:00 · 904c08e1e4
commit 904c08e1e4
parent 511ce92852
3 changed files with 0 additions and 71 deletions
--- a/builtin/credential/aws/pkcs7/sign.go
+++ b/builtin/credential/aws/pkcs7/sign.go
@ -12,14 +12,8 @@ import (
 	"fmt"
 	"math/big"
 	"time"
-
-	"github.com/hashicorp/vault/internal"
 )

-func init() {
-	internal.PatchSha1()
-}
-
 // SignedData is an opaque data structure for creating signed data payloads
 type SignedData struct {
 	sd                  signedData
--- a/internal/go118_sha1_patch.go
+++ b/internal/go118_sha1_patch.go
@ -1,59 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package internal
-
-import (
-	"fmt"
-	"os"
-	"sync"
-	_ "unsafe" // for go:linkname
-
-	goversion "github.com/hashicorp/go-version"
-	"github.com/hashicorp/vault/version"
-)
-
-const sha1PatchVersionsBefore = "1.12.0"
-
-var patchSha1 sync.Once
-
-//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1
-var debugAllowSHA1 bool
-
-// PatchSha1 patches Go 1.18+ to allow certificates with signatures containing SHA-1 hashes to be allowed.
-// It is safe to call this function multiple times.
-// This is necessary to allow Vault 1.10 and 1.11 to work with Go 1.18+ without breaking backwards compatibility
-// with these certificates. See https://go.dev/doc/go1.18#sha1 and
-// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1
-// for more details.
-// TODO: remove when Vault <=1.11 is no longer supported
-func PatchSha1() {
-	patchSha1.Do(func() {
-		// for Go 1.19.4 and later
-		godebug := os.Getenv("GODEBUG")
-		if godebug != "" {
-			godebug += ","
-		}
-		godebug += "x509sha1=1"
-		os.Setenv("GODEBUG", godebug)
-
-		// for Go 1.19.3 and earlier, patch the variable
-		patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
-		if err != nil {
-			panic(err)
-		}
-
-		patch := false
-		v, err := goversion.NewSemver(version.GetVersion().Version)
-		if err == nil {
-			patch = v.LessThan(patchBefore)
-		} else {
-			fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", version.GetVersion().Version)
-			patch = true
-		}
-
-		if patch {
-			debugAllowSHA1 = true
-		}
-	})
-}
--- a/main.go
+++ b/main.go
@ -7,14 +7,8 @@ import (
 	"os"

 	"github.com/hashicorp/vault/command"
-	"github.com/hashicorp/vault/internal"
 )

-func init() {
-	// this is a good place to patch SHA-1 support back into x509
-	internal.PatchSha1()
-}
-
 func main() {
 	os.Exit(command.Run(os.Args[1:]))
 }