diff --git a/crypto/pkcs11/pkcs11helpers.go b/crypto/pkcs11/pkcs11helpers.go
index 069f2c1..7d80f5f 100644
--- a/crypto/pkcs11/pkcs11helpers.go
+++ b/crypto/pkcs11/pkcs11helpers.go
@@ -67,12 +67,12 @@ func rsaPublicEncryptOAEP(pubKey *rsa.PublicKey, plaintext []byte) ([]byte, stri
 )
 oaephash := os.Getenv("OCICRYPT_OAEP_HASHALG")
- // The default is 'sha1'
+ // The default is sha256 (previously was sha1)
 switch strings.ToLower(oaephash) {
- case "sha1", "":
+ case "sha1":
 hashfunc = sha1.New()
 hashalg = "sha1"
- case "sha256":
+ case "sha256", "":
 hashfunc = sha256.New()
 hashalg = "sha256"
 default:
@@ -281,12 +281,12 @@ func publicEncryptOAEP(pubKey *Pkcs11KeyFileObject, plaintext []byte) ([]byte, s
 var oaep *pkcs11.OAEPParams
 oaephash := os.Getenv("OCICRYPT_OAEP_HASHALG")
- // The default is 'sha1'
+ // The default is sha256 (previously was sha1)
 switch strings.ToLower(oaephash) {
- case "sha1", "":
+ case "sha1":
 oaep = OAEPSha1Params
 hashalg = "sha1"
- case "sha256":
+ case "sha256", "":
 oaep = OAEPSha256Params
 hashalg = "sha256"
 default:
diff --git a/crypto/pkcs11/pkcs11helpers_test.go b/crypto/pkcs11/pkcs11helpers_test.go
index ac8b9e7..ca084d0 100644
--- a/crypto/pkcs11/pkcs11helpers_test.go
+++ b/crypto/pkcs11/pkcs11helpers_test.go
@@ -16,7 +16,6 @@ limitations under the License.
 */
-
 package pkcs11
 import (
@@ -133,6 +132,10 @@ module:
 p11pubkeyfileobj.Uri.SetModuleDirectories(p11conf.ModuleDirectories)
 p11pubkeyfileobj.Uri.SetAllowedModulePaths(p11conf.ModuleDirectories)
+ // SoftHSM 2.6.1 only supports OAEP with sha1
+ // https://github.com/opendnssec/SoftHSMv2/blob/7f99bedae002f0dd04ceeb8d86d59fc4a68a69a0/src/lib/SoftHSM.cpp#L3123-L3127
+ os.Setenv("OCICRYPT_OAEP_HASHALG", "sha1")
+
 pubKeys := make([]interface{}, 1)
 pubKeys[0] = p11pubkeyfileobj
 p11json, err := EncryptMultiple(pubKeys, []byte(testinput))
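Review bot: The rule that an unset `OCICRYPT_OAEP_HASHALG` means sha256 now lives in two hand-edited switches, this one in rsaPublicEncryptOAEP and the one in publicEncryptOAEP in the next hunk, and this commit had to change both in lockstep. Because the chosen `hashalg` string is returned to the caller (presumably so the decrypting side can pick matching OAEP parameters), a later edit that touches only one switch would leave the software and token paths disagreeing on the default. Resolving the name once in a small helper that returns the canonical string (`"sha1"` or `"sha256"`), with each function mapping that string to its `hash.Hash` or `*pkcs11.OAEPParams`, would remove that risk. The comment would also read better as `// Unset selects sha256; sha1 is used only when requested explicitly.`, leaving the history to the commit message. Both function bodies continue outside their hunks.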
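Review bot: With the variable unset, publicEncryptOAEP now selects `OAEPSha256Params`, yet the test comment added later in this commit records that SoftHSM 2.6.1 supports OAEP only with sha1, so deployments on such tokens will presumably start failing at encryption until they set `OCICRYPT_OAEP_HASHALG=sha1`. The code that uses `oaep` is outside the hunk, so what the caller is told on failure is not visible; the error from that path should name the selected `hashalg` and the environment variable so the failure can be diagnosed. A doc comment on the function such as `// OCICRYPT_OAEP_HASHALG selects the OAEP hash (sha1 or sha256); unset means sha256, which the token must support.` would make the new requirement visible to integrators.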
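Review bot: The added `os.Setenv("OCICRYPT_OAEP_HASHALG", "sha1")` in the pkcs11helpers_test.go hunk at -133 means this test and TestPkcs11EncryptDecryptPubkey both force the legacy hash, so none of the visible tests exercises the sha256 default this commit introduces. If rsaPublicEncryptOAEP can be reached without the token (it takes an `*rsa.PublicKey`, so this looks likely), a round-trip case with the variable unset would cover the new default. The call also discards its error and leaves the process environment changed for every test that runs afterwards; where a `*testing.T` is in scope, `t.Setenv("OCICRYPT_OAEP_HASHALG", "sha1")` restores the previous value when the test ends. The enclosing function starts outside the hunk, so whether `t` is available at this point needs checking.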
@@ -185,6 +188,8 @@ func TestPkcs11EncryptDecryptPubkey(t *testing.T) {
 testinput := "Hello World!"
+ // SoftHSM 2.6.1 only supports OAEP with sha1
+ // https://github.com/opendnssec/SoftHSMv2/blob/7f99bedae002f0dd04ceeb8d86d59fc4a68a69a0/src/lib/SoftHSM.cpp#L3123-L3127
 os.Setenv("OCICRYPT_OAEP_HASHALG", "sha1")
 pubKeys := make([]interface{}, 1)