feat: Make SDK FIPS-compliant by using internal SHA1 module #2179
kodiakhq[bot] merged 3 commits into main
| require.NoError(t, err) | ||
| cqIDFields := got.Schema().FieldIndices(CqIDColumn.Name) | ||
| require.Len(t, cqIDFields, 1) | ||
| assert.Equal(t, "d8f3b1de-8c63-5a0e-a1aa-19e9b5311c24", got.Column(cqIDFields[0]).ValueStr(0)) |
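Review bot: the expected UUID on the `assert.Equal` line is an unexplained literal, so a failure here cannot be told apart from a changed test input. Consider a named constant with a comment recording the inputs and the implementation that produced it, or asserting against a value computed by an independent SHA1 implementation in the same test.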
Was d8f3b1de-8c63-5a0e-a1aa-19e9b5311c24 calculated using the official Sha1 package? Maybe we can have a test that creates a UUID using our internal package, then using the official one, then compares the values are the same?
Yes d8f3b1de-8c63-5a0e-a1aa-19e9b5311c24 is the value from the official package. This is the same value that is on main currently. This test does what you are describing, but without using the official package to calculate the hash. Instead it is just hardcoded as a string. Does that work, wdyt?
Yeah it works but hard to reason about when reading the test (and also hard to update it), maybe add a comment on how that value was created?
🤖 I have created a release *beep* *boop*

---

## [4.84.0](v4.83.0...v4.84.0) (2025-05-30)

### Features

* Make SDK FIPS-compliant by using internal SHA1 module ([#2179](#2179)) ([5a34e35](5a34e35))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
The Go standard library has removed support for using SHA1 when in FIPS mode in golang/go@54693a8. However, the NIST FIPS spec allows for using SHA1 in certain cases:
The above removal from the standard lib is too restrictive, as we should be able to use this algo in our SDK for checksums. I've borrowed the implementation of packages `sha1` and `byteorder` and added them as internal modules.