xmidt-org/webpa-common

Moving away from SHA1

kristinapathak opened this issue · 0 comments

SHA1 is currently being deprecated from the Go package:
golang/go#41682

We use SHA1 in the webhook/aws package for signature validation:

if err = cert.CheckSignature(x509.SHA1WithRSA, []byte(formatedSignature), decodedSignature); err != nil {

In Go 1.18, it's still supported but an env flag has to be set; in Go 1.19 it won't be supported at all. This is causing unit test failures:

--- FAIL: Test_Validate (0.15s)
    signature_validation_test.go:296:
        	Error Trace:	signature_validation_test.go:296
        	Error:      	Should be true
        	Test:       	Test_Validate
    signature_validation_test.go:297:
        	Error Trace:	signature_validation_test.go:297
        	Error:      	Received unexpected error:
        	            	x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)
        	Test:       	Test_Validate
    signature_validation_test.go:304:
        	Error Trace:	signature_validation_test.go:304
        	Error:      	Should be true
        	Test:       	Test_Validate
    signature_validation_test.go:305:
        	Error Trace:	signature_validation_test.go:305
        	Error:      	Received unexpected error:
        	            	x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)
        	Test:       	Test_Validate

We have moved away from using this package in any of our applications. Can I remove these unit tests and mark the package as deprecated?
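
An added example, not code from webpa-common: it separates a policy refusal (`x509.InsecureAlgorithmError`, the error type behind the message in the test output above) from a signature that fails verification, and checks the same key under `x509.SHA256WithRSA`. The throwaway key, the message and the names `classify` and `demo` are constructed for illustration; the SHA-1 result depends on the Go release and the `GODEBUG` setting.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// classify reports how CheckSignature treated a signature: "ok",
// "insecure-algorithm" (refused by policy), or "invalid" (verification failed).
func classify(cert *x509.Certificate, algo x509.SignatureAlgorithm, msg, sig []byte) string {
	err := cert.CheckSignature(algo, msg, sig)
	var insecure x509.InsecureAlgorithmError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &insecure):
		return "insecure-algorithm"
	}
	return "invalid"
}

// demo signs one constructed message under SHA-1 and SHA-256 with a throwaway key.
func demo() (sha1Res, sha256Res, tampered string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	cert := &x509.Certificate{PublicKey: &key.PublicKey} // CheckSignature reads only PublicKey
	msg := []byte("constructed sample message")
	h1, h256 := sha1.Sum(msg), sha256.Sum256(msg)
	sig1, err1 := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h1[:])
	sig256, err256 := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h256[:])
	if err1 != nil || err256 != nil {
		panic("signing failed")
	}
	return classify(cert, x509.SHA1WithRSA, msg, sig1),
		classify(cert, x509.SHA256WithRSA, msg, sig256),
		classify(cert, x509.SHA256WithRSA, append(msg, '!'), sig256)
}

func main() {
	fmt.Println(demo())
}
```

A unit test built on `classify` can assert on the category instead of a bare `err == nil`, so a toolchain upgrade that changes hash policy shows up as "insecure-algorithm" and not as an apparent bad signature.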