From 566b808bdf6f099b46873a5326cfbae4a85ff3a9 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 27 Apr 2022 16:48:56 -0400
Subject: [PATCH] pkcs11: Move to sha256 for the default hash to use

In case the user doesn't set the environment variable
OCICRYPT_OAEP_HASHALG sha256 will be used now. This breaks default
usage with SoftHSM because the only hash it currently (v2.6.1) supports
is sha1. So a user of SoftHSM now has to set the environment variable
to 'sha1' and we have to adjust the test case because of this.

SoftHSM link to OAEP only supporting sha1:
https://github.com/opendnssec/SoftHSMv2/blob/7f99bedae002f0dd04ceeb8d86d59fc4a68a69a0/src/lib/SoftHSM.cpp#L3123-L3127

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/pkcs11/pkcs11helpers.go      | 12 ++++++------
 crypto/pkcs11/pkcs11helpers_test.go |  7 ++++++-
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/crypto/pkcs11/pkcs11helpers.go b/crypto/pkcs11/pkcs11helpers.go
index 069f2c1..7d80f5f 100644
--- a/crypto/pkcs11/pkcs11helpers.go
+++ b/crypto/pkcs11/pkcs11helpers.go
@@ -67,12 +67,12 @@ func rsaPublicEncryptOAEP(pubKey *rsa.PublicKey, plaintext []byte) ([]byte, stri
 	)
 
 	oaephash := os.Getenv("OCICRYPT_OAEP_HASHALG")
-	// The default is 'sha1'
+	// The default is sha256 (previously was sha1)
 	switch strings.ToLower(oaephash) {
-	case "sha1", "":
+	case "sha1":
 		hashfunc = sha1.New()
 		hashalg = "sha1"
-	case "sha256":
+	case "sha256", "":
 		hashfunc = sha256.New()
 		hashalg = "sha256"
 	default:
@@ -281,12 +281,12 @@ func publicEncryptOAEP(pubKey *Pkcs11KeyFileObject, plaintext []byte) ([]byte, s
 
 	var oaep *pkcs11.OAEPParams
 	oaephash := os.Getenv("OCICRYPT_OAEP_HASHALG")
-	// The default is 'sha1'
+	// The default is sha256 (previously was sha1)
 	switch strings.ToLower(oaephash) {
-	case "sha1", "":
+	case "sha1":
 		oaep = OAEPSha1Params
 		hashalg = "sha1"
-	case "sha256":
+	case "sha256", "":
 		oaep = OAEPSha256Params
 		hashalg = "sha256"
 	default:
diff --git a/crypto/pkcs11/pkcs11helpers_test.go b/crypto/pkcs11/pkcs11helpers_test.go
index ac8b9e7..ca084d0 100644
--- a/crypto/pkcs11/pkcs11helpers_test.go
+++ b/crypto/pkcs11/pkcs11helpers_test.go
@@ -16,7 +16,6 @@
    limitations under the License.
 */
 
-
 package pkcs11
 
 import (
@@ -133,6 +132,10 @@ module:
 	p11pubkeyfileobj.Uri.SetModuleDirectories(p11conf.ModuleDirectories)
 	p11pubkeyfileobj.Uri.SetAllowedModulePaths(p11conf.ModuleDirectories)
 
+	// SoftHSM 2.6.1 only supports OAEP with sha1
+	// https://github.com/opendnssec/SoftHSMv2/blob/7f99bedae002f0dd04ceeb8d86d59fc4a68a69a0/src/lib/SoftHSM.cpp#L3123-L3127
+	os.Setenv("OCICRYPT_OAEP_HASHALG", "sha1")
+
 	pubKeys := make([]interface{}, 1)
 	pubKeys[0] = p11pubkeyfileobj
 	p11json, err := EncryptMultiple(pubKeys, []byte(testinput))
@@ -185,6 +188,8 @@ func TestPkcs11EncryptDecryptPubkey(t *testing.T) {
 
 	testinput := "Hello World!"
 
+	// SoftHSM 2.6.1 only supports OAEP with sha1
+	// https://github.com/opendnssec/SoftHSMv2/blob/7f99bedae002f0dd04ceeb8d86d59fc4a68a69a0/src/lib/SoftHSM.cpp#L3123-L3127
 	os.Setenv("OCICRYPT_OAEP_HASHALG", "sha1")
 
 	pubKeys := make([]interface{}, 1)