From 13ea726b3c19e590ff2937d9833980f55996ca22 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 2 Jun 2023 15:19:05 +0000
Subject: [PATCH 1/2] use bytes
Signed-off-by: laurentsimon
---
 errors/errors.go | 1 +
 verifiers/internal/gha/provenance.go | 6 ++----
 verifiers/internal/gha/provenance_test.go | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/errors/errors.go b/errors/errors.go
index 49e0947f2..cfed1a0a8 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -40,5 +40,6 @@ var (
 ErrorRekorPubKey = errors.New("error retrieving Rekor public keys")
 ErrorInvalidPackageName = errors.New("invalid package name")
 ErrorInvalidSubject = errors.New("invalid subject")
+ ErrorInvalidHash = errors.New("invalid hash")
 ErrorNotPresent = errors.New("not present")
 )
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index 47f40ed09..cf1a0e661 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -181,10 +181,8 @@ func verifyDigest(prov slsaprovenance.Provenance, expectedHash string) error {
 // 8 bit represented in hex, so 8/2=4.
 bitLength := len(expectedHash) * 4
 expectedAlgo := fmt.Sprintf("sha%v", bitLength)
- // TODO(#630): Add subject digest minimum bit length check.
- // sha1 is 160 bit (FWIW).
- if bitLength == 160 {
- expectedAlgo = "sha1"
+ if bitLength < 256 {
+ return fmt.Errorf("%w: hash must be at least 256-bit long. Got %d", serrors.ErrorInvalidHash, bitLength)
 }

 for _, subject := range subjects {
diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
index bfe59cf02..de4b57b0d 100644
--- a/verifiers/internal/gha/provenance_test.go
+++ b/verifiers/internal/gha/provenance_test.go
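Review bot: In verifyDigest (verifiers/internal/gha/provenance.go) the new `bitLength < 256` guard is only a lower bound, so an `expectedHash` of, for example, 65 characters still passes it and produces `expectedAlgo` = `sha260`; odd lengths and non-hex characters are not rejected here either. Whether such values fail closed depends on the subject loop, which continues outside the hunk. If only the standard SHA-2 sizes are meant to be accepted, an exact check such as `if bitLength != 256 && bitLength != 384 && bitLength != 512 { return fmt.Errorf("%w: unsupported digest length %d", serrors.ErrorInvalidHash, bitLength) }` would state that intent directly. A one-line comment above the guard, e.g. `// Digests shorter than 256 bits (sha1 included) are refused on purpose.`, would replace the context the removed TODO carried.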
@@ -99,6 +99,21 @@ func Test_VerifyDigest(t *testing.T) {
 artifactHash string
 expected error
 }{
+ {
+ name: "invalid short hash",
+ prov: &testProvenance{
+ subjects: []intoto.Subject{
+ {
+ Digest: common.DigestSet{
+ "sha1": "4506290e2e8feb1f34b27a044f7cc863c830ef6b",
+ },
+ },
+ },
+ },
+ // NOTE: the hash is one character short of sha256 hash.
+ artifactHash: "0ae7e4fa71686538440012ee36a2634dbaa19df2dd16a466f52411fb348bbc4",
+ expected: serrors.ErrorInvalidHash,
+ },
 {
 name: "invalid dsse: no sha256 subject digest",
 prov: &testProvenance{
From d205bc5fde54ad569100e6ec6e5933e708496005 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 2 Jun 2023 15:20:48 +0000
Subject: [PATCH 2/2] use bytes
Signed-off-by: laurentsimon
---
 verifiers/internal/gha/provenance.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index cf1a0e661..28a8dc383 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -182,7 +182,7 @@ func verifyDigest(prov slsaprovenance.Provenance, expectedHash string) error {
 bitLength := len(expectedHash) * 4
 expectedAlgo := fmt.Sprintf("sha%v", bitLength)
 if bitLength < 256 {
- return fmt.Errorf("%w: hash must be at least 256-bit long. Got %d", serrors.ErrorInvalidHash, bitLength)
+ return fmt.Errorf("%w: expected minimum 256-bit. Got %d", serrors.ErrorInvalidHash, bitLength)
 }

 for _, subject := range subjects {
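Review bot: The new "invalid short hash" entry in Test_VerifyDigest does not exercise the case the removed sha1 branch used to allow: its `artifactHash` is a 63-character string, so the sha1 subject digest in `prov` appears to play no part in the outcome. A second entry whose `artifactHash` is the 40-character value already used as the subject digest, `artifactHash: "4506290e2e8feb1f34b27a044f7cc863c830ef6b",` with `expected: serrors.ErrorInvalidHash,`, would pin that a matching 160-bit digest is now refused rather than verified. The table's struct definition and the loop that runs the cases lie outside the hunk.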
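Review bot: The reworded message in verifyDigest reports a derived bit count (a 63-character input is shown as `Got 252`), which is harder for a caller to act on than the length they actually supplied, and the mid-string period and capital depart from the usual Go error-string style. Something like `return fmt.Errorf("%w: expected at least 64 hex characters (256 bits), got %d characters", serrors.ErrorInvalidHash, len(expectedHash))` keeps the wrapped sentinel and states the input length directly. The function body continues outside the hunk.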