From c4b1a3941339dd67f6419ba368142b70ecfc5750 Mon Sep 17 00:00:00 2001
From: dlorenc <dlorenc@google.com>
Date: Thu, 27 May 2021 08:51:55 -0500
Subject: [PATCH] Do some refactoring to prefer sha256.Sum256 when we already have data in memory. (#317)

This saves an if err != nil... check.

Signed-off-by: Dan Lorenc <dlorenc@google.com>
---
 pkg/api/api.go | 8 ++------
 pkg/api/index.go | 8 ++------
 pkg/signer/memory_test.go | 13 ++++++-------
 pkg/types/jar/v0.0.1/entry.go | 8 ++------
 pkg/types/jar/v0.0.1/entry_test.go | 5 ++---
 pkg/types/rekord/v0.0.1/entry.go | 8 ++------
 pkg/types/rekord/v0.0.1/entry_test.go | 5 ++---
 pkg/types/rpm/v0.0.1/entry.go | 8 ++------
 pkg/types/rpm/v0.0.1/entry_test.go | 5 ++---
 pkg/util/rfc3161.go | 15 +++++----------
 tests/e2e_test.go | 24 ++++++------------------
 tests/x509.go | 6 ++----
 12 files changed, 35 insertions(+), 78 deletions(-)
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 2b2fc32..dd6980c 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -100,11 +100,7 @@ func NewAPI() (*API, error) {
 if err != nil {
 return nil, errors.Wrap(err, "marshalling public key")
 }
- hasher := sha256.New()
- if _, err = hasher.Write(b); err != nil {
- return nil, errors.Wrap(err, "computing hash of public key")
- }
- pubkeyHashBytes := hasher.Sum(nil)
+ pubkeyHashBytes := sha256.Sum256(b)
 
 pubkey := pem.EncodeToMemory(&pem.Block{
 Type: "PUBLIC KEY",
@@ -141,7 +137,7 @@ func NewAPI() (*API, error) {
 logClient: logClient,
 logID: tLogID,
 pubkey: string(pubkey),
- pubkeyHash: hex.EncodeToString(pubkeyHashBytes),
+ pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
 signer: rekorSigner,
 certChain: certChain,
 certChainPem: string(certChainPem),
diff --git a/pkg/api/index.go b/pkg/api/index.go
index cda6bf4..42606ca 100644
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@@ -61,13 +61,9 @@ func SearchIndexHandler(params index.SearchIndexParams) middleware.Responder {
 return handleRekorAPIError(params, http.StatusInternalServerError, err, failedToGenerateCanonicalKey)
 }
 
- hasher := sha256.New()
- if _, err := hasher.Write(canonicalKey); err != nil {
- return handleRekorAPIError(params, http.StatusInternalServerError, err, failedToGenerateCanonicalKey)
- }
- keyHash := hasher.Sum(nil)
+ keyHash := sha256.Sum256(canonicalKey)
 var resultUUIDs []string
- if err := redisClient.Do(httpReqCtx, radix.Cmd(&resultUUIDs, "LRANGE", strings.ToLower(hex.EncodeToString(keyHash)), "0", "-1")); err != nil {
+ if err := redisClient.Do(httpReqCtx, radix.Cmd(&resultUUIDs, "LRANGE", strings.ToLower(hex.EncodeToString(keyHash[:])), "0", "-1")); err != nil {
 return handleRekorAPIError(params, http.StatusInternalServerError, err, redisUnexpectedResult)
 }
 result = append(result, resultUUIDs...)
diff --git a/pkg/signer/memory_test.go b/pkg/signer/memory_test.go
index 83bcc20..5ff42c8 100644
--- a/pkg/signer/memory_test.go
+++ b/pkg/signer/memory_test.go
@@ -18,8 +18,8 @@ package signer
 
 import (
 "context"
- "crypto"
 "crypto/ecdsa"
+ "crypto/sha256"
 "crypto/x509"
 "testing"
 )
@@ -49,11 +49,10 @@ func TestMemory(t *testing.T) {
 if !ok {
 t.Fatalf("ecdsa public key: %v", err)
 }
- h := crypto.SHA256.New()
- if _, err := h.Write(payload); err != nil {
- t.Fatalf("writing payload: %v", err)
- }
- if !ecdsa.VerifyASN1(pk, h.Sum(nil), signature) {
+
+ h := sha256.Sum256(payload)
+
+ if !ecdsa.VerifyASN1(pk, h[:], signature) {
 t.Fatalf("unable to verify signature")
 }
 
@@ -63,7 +62,7 @@ func TestMemory(t *testing.T) {
 if !ok {
 t.Fatalf("cert ecdsa public key: %v", err)
 }
- if !ecdsa.VerifyASN1(pkCert, h.Sum(nil), signature) {
+ if !ecdsa.VerifyASN1(pkCert, h[:], signature) {
 t.Fatalf("unable to verify signature")
 }
 // verify that the cert chain is configured for timestamping
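Review bot: The `strings.ToLower` wrapped around `hex.EncodeToString(keyHash[:])` on the new LRANGE line is a no-op, because encoding/hex always emits lowercase digits; `hex.EncodeToString(keyHash[:])` alone yields the same key and makes the lookup key's format obvious. The same redundant wrapper is carried into the new `result = append(...)` lines of IndexKeys in pkg/types/jar/v0.0.1/entry.go, pkg/types/rekord/v0.0.1/entry.go and pkg/types/rpm/v0.0.1/entry.go. If the intent is to record that index keys are lowercase hex regardless of which producer wrote them, a single comment at the lookup, `// index keys are lowercase hex-encoded sha256 digests`, says it without the extra call. SearchIndexHandler begins and ends outside this hunk.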
diff --git a/pkg/types/jar/v0.0.1/entry.go b/pkg/types/jar/v0.0.1/entry.go
index 37df37f..aa30853 100644
--- a/pkg/types/jar/v0.0.1/entry.go
+++ b/pkg/types/jar/v0.0.1/entry.go
@@ -84,12 +84,8 @@ func (v V001Entry) IndexKeys() []string {
 if err != nil {
 log.Logger.Error(err)
 } else {
- hasher := sha256.New()
- if _, err := hasher.Write(key); err != nil {
- log.Logger.Error(err)
- } else {
- result = append(result, strings.ToLower(hex.EncodeToString(hasher.Sum(nil))))
- }
+ keyHash := sha256.Sum256(key)
+ result = append(result, strings.ToLower(hex.EncodeToString(keyHash[:])))
 }
 
 if v.JARModel.Archive.Hash != nil {
diff --git a/pkg/types/jar/v0.0.1/entry_test.go b/pkg/types/jar/v0.0.1/entry_test.go
index 2a8d28b..ca9dac7 100644
--- a/pkg/types/jar/v0.0.1/entry_test.go
+++ b/pkg/types/jar/v0.0.1/entry_test.go
@@ -54,9 +54,8 @@ func TestCrossFieldValidation(t *testing.T) {
 
 jarBytes, _ := ioutil.ReadFile("../../../../tests/test.jar")
 
- h := sha256.New()
- _, _ = h.Write(jarBytes)
- dataSHA := hex.EncodeToString(h.Sum(nil))
+ h := sha256.Sum256(jarBytes)
+ dataSHA := hex.EncodeToString(h[:])
 
 testServer := httptest.NewServer(http.HandlerFunc(
 func(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/types/rekord/v0.0.1/entry.go b/pkg/types/rekord/v0.0.1/entry.go
index a7f6344..77c2abe 100644
--- a/pkg/types/rekord/v0.0.1/entry.go
+++ b/pkg/types/rekord/v0.0.1/entry.go
@@ -77,12 +77,8 @@ func (v V001Entry) IndexKeys() []string {
 if err != nil {
 log.Logger.Error(err)
 } else {
- hasher := sha256.New()
- if _, err := hasher.Write(key); err != nil {
- log.Logger.Error(err)
- } else {
- result = append(result, strings.ToLower(hex.EncodeToString(hasher.Sum(nil))))
- }
+ keyHash := sha256.Sum256(key)
+ result = append(result, strings.ToLower(hex.EncodeToString(keyHash[:])))
 }
 
 result = append(result, v.keyObj.EmailAddresses()...)
diff --git a/pkg/types/rekord/v0.0.1/entry_test.go b/pkg/types/rekord/v0.0.1/entry_test.go
index b9eaa1f..782a11d 100644
--- a/pkg/types/rekord/v0.0.1/entry_test.go
+++ b/pkg/types/rekord/v0.0.1/entry_test.go
@@ -57,9 +57,8 @@ func TestCrossFieldValidation(t *testing.T) {
 keyBytes, _ := ioutil.ReadFile("../../../../tests/test_public_key.key")
 dataBytes, _ := ioutil.ReadFile("../../../../tests/test_file.txt")
 
- h := sha256.New()
- _, _ = h.Write(dataBytes)
- dataSHA := hex.EncodeToString(h.Sum(nil))
+ h := sha256.Sum256(dataBytes)
+ dataSHA := hex.EncodeToString(h[:])
 
 testServer := httptest.NewServer(http.HandlerFunc(
 func(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/types/rpm/v0.0.1/entry.go b/pkg/types/rpm/v0.0.1/entry.go
index 10c9bdb..29a17c7 100644
--- a/pkg/types/rpm/v0.0.1/entry.go
+++ b/pkg/types/rpm/v0.0.1/entry.go
@@ -81,12 +81,8 @@ func (v V001Entry) IndexKeys() []string {
 if err != nil {
 log.Logger.Error(err)
 } else {
- hasher := sha256.New()
- if _, err := hasher.Write(key); err != nil {
- log.Logger.Error(err)
- } else {
- result = append(result, strings.ToLower(hex.EncodeToString(hasher.Sum(nil))))
- }
+ keyHash := sha256.Sum256(key)
+ result = append(result, strings.ToLower(hex.EncodeToString(keyHash[:])))
 }
 
 result = append(result, v.keyObj.EmailAddresses()...)
diff --git a/pkg/types/rpm/v0.0.1/entry_test.go b/pkg/types/rpm/v0.0.1/entry_test.go
index 865e677..6b0cfdf 100644
--- a/pkg/types/rpm/v0.0.1/entry_test.go
+++ b/pkg/types/rpm/v0.0.1/entry_test.go
@@ -56,9 +56,8 @@ func TestCrossFieldValidation(t *testing.T) {
 keyBytes, _ := ioutil.ReadFile("../../../../tests/test_rpm_public_key.key")
 dataBytes, _ := ioutil.ReadFile("../../../../tests/test.rpm")
 
- h := sha256.New()
- _, _ = h.Write(dataBytes)
- dataSHA := hex.EncodeToString(h.Sum(nil))
+ h := sha256.Sum256(dataBytes)
+ dataSHA := hex.EncodeToString(h[:])
 
 testServer := httptest.NewServer(http.HandlerFunc(
 func(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/util/rfc3161.go b/pkg/util/rfc3161.go
index 6d80cd0..17c702e 100644
--- a/pkg/util/rfc3161.go
+++ b/pkg/util/rfc3161.go
@@ -18,6 +18,7 @@ package util
 import (
 "context"
 "crypto"
+ "crypto/sha256"
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/asn1"
@@ -51,14 +52,10 @@ type SigningCertificateV2 struct {
 }
 
 func createSigningCertificate(certificate *x509.Certificate) ([]byte, error) {
- h := crypto.SHA256.New() // TODO: Get from certificate, defaults to 256
- _, err := h.Write(certificate.Raw)
- if err != nil {
- return nil, fmt.Errorf("failed to create hash")
- }
+ h := sha256.Sum256(certificate.Raw) // TODO: Get from certificate, defaults to 256
 signingCert := SigningCertificateV2{
 Certs: []EssCertIDv2{{
- CertHash: h.Sum(nil),
+ CertHash: h[:],
 IssuerNameAndSerial: IssuerNameAndSerial{
 IssuerName: GeneralName{Name: asn1.RawValue{Tag: 4, Class: 2, IsCompound: true, Bytes: certificate.RawIssuer}},
 SerialNumber: certificate.SerialNumber,
@@ -174,11 +171,9 @@ func CreateRfc3161Response(ctx context.Context, req pkcs9.TimeStampReq, certChai
 }
 
 // TODO: Does this need to match the hash algorithm in the request?
- h := crypto.SHA256.New()
 alg, _ := x509tools.PkixDigestAlgorithm(crypto.SHA256)
 contentInfoBytes, _ := contentInfo.Bytes()
- h.Write(contentInfoBytes)
- digest := h.Sum(nil)
+ h := sha256.Sum256(contentInfoBytes)
 
 // Create SignerInfo and signature.
 signingCert, err := createSigningCertificate(certChain[0])
@@ -189,7 +184,7 @@ func CreateRfc3161Response(ctx context.Context, req pkcs9.TimeStampReq, certChai
 if err := attributes.Add(pkcs7.OidAttributeContentType, contentInfo.ContentType); err != nil {
 return nil, err
 }
- if err := attributes.Add(pkcs7.OidAttributeMessageDigest, digest); err != nil {
+ if err := attributes.Add(pkcs7.OidAttributeMessageDigest, h[:]); err != nil {
 return nil, err
 }
 if err := attributes.Add(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 47}, signingCert); err != nil {
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
index 7510ebc..9fc380b 100644
--- a/tests/e2e_test.go
+++ b/tests/e2e_test.go
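Review bot: The new `h := sha256.Sum256(contentInfoBytes)` in CreateRfc3161Response digests whatever `contentInfo.Bytes()` returned, while the error from that call is still discarded by `contentInfoBytes, _ :=` on the line above, so an encoding failure would have the TSA sign a message-digest attribute computed over empty or partial content. Now that the hashing step itself cannot fail, this is the only unchecked step left in that sequence; `contentInfoBytes, err := contentInfo.Bytes()` followed by `if err != nil { return nil, err }` closes it (use `=` rather than `:=` if `err` is already declared earlier in the function, which is outside the hunk). The moved-in `h` is fixed to SHA-256 and `alg` is derived from crypto.SHA256, so the two stay consistent with each other, but the `// TODO: Does this need to match the hash algorithm in the request?` on the context line remains open; presumably the request's own hash algorithm identifier is reachable through `req` and should be compared against it. CreateRfc3161Response begins and ends outside the hunk.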
@@ -20,7 +20,6 @@ package e2e
 import (
 "bytes"
 "context"
- "crypto"
 "crypto/ecdsa"
 "crypto/sha256"
 "crypto/x509"
@@ -192,15 +191,13 @@ func TestGet(t *testing.T) {
 out = runCli(t, "search", "--public-key", pubPath)
 outputContains(t, out, uuid)
 
- hash := sha256.New()
 artifactBytes, err := ioutil.ReadFile(artifactPath)
 if err != nil {
 t.Error(err)
 }
- hash.Write(artifactBytes)
- sha := hash.Sum(nil)
+ sha := sha256.Sum256(artifactBytes)
 
- out = runCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha)))
+ out = runCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha[:])))
 outputContains(t, out, uuid)
 }
 
@@ -468,13 +465,8 @@ func TestSignedEntryTimestamp(t *testing.T) {
 }
 
 // verify the signature against the public key
- h := crypto.SHA256.New()
- if _, err := h.Write(canonicalized); err != nil {
- t.Fatal(err)
- }
- sum := h.Sum(nil)
-
- if !ecdsa.VerifyASN1(rekorPubKey, sum, []byte(sig)) {
+ h := sha256.Sum256(canonicalized)
+ if !ecdsa.VerifyASN1(rekorPubKey, h[:], []byte(sig)) {
 t.Fatal("unable to verify")
 }
 }
@@ -522,12 +514,8 @@ func TestTimestampResponseCLI(t *testing.T) {
 }
 
 // Now try with the digest.
- h := crypto.SHA256.New()
- if _, err := h.Write(payload); err != nil {
- t.Fatalf("error creating digest")
- }
- digest := h.Sum(nil)
- hexDigest := hex.EncodeToString(digest)
+ h := sha256.Sum256(payload)
+ hexDigest := hex.EncodeToString(h[:])
 out = runCli(t, "timestamp", "--artifact-hash", hexDigest, "--out", responsePath)
 outputContains(t, out, "Wrote response to")
 cmd = exec.Command("openssl", "ts", "-verify", "-digest", hexDigest, "-in", responsePath, "-CAfile", CAPath)
diff --git a/tests/x509.go b/tests/x509.go
index 11fc461..9c37625 100644
--- a/tests/x509.go
+++ b/tests/x509.go
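Review bot: In TestGet the new `sha := sha256.Sum256(artifactBytes)` still executes when `ioutil.ReadFile` failed, because the check above it calls `t.Error(err)`, which records the failure and continues; the search then runs against the digest of an empty or partial buffer and the following outputContains reports a misleading second failure. `t.Fatal(err)` there stops at the actual cause, and it matches how the TestSignedEntryTimestamp and TestTimestampResponseCLI hunks in this same file handle their fatal paths. TestGet begins outside this hunk.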
@@ -131,10 +131,8 @@ func init() {
 }
 
 func SignX509Cert(b []byte) ([]byte, error) {
- h := sha256.New()
- h.Write(b)
- dgst := h.Sum(nil)
- signature, err := certPrivateKey.Sign(rand.Reader, dgst, crypto.SHA256)
+ dgst := sha256.Sum256(b)
+ signature, err := certPrivateKey.Sign(rand.Reader, dgst[:], crypto.SHA256)
 return signature, err
 }
 
-- 
GitLab
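Review bot: SignX509Cert now reduces to a single call, so the `signature, err` pair on the new line only forwards results; `return certPrivateKey.Sign(rand.Reader, dgst[:], crypto.SHA256)` in place of that line and the `return signature, err` below it reads more directly. The exported function also carries no doc comment; `// SignX509Cert returns the signature over the SHA-256 digest of b, made with certPrivateKey.` covers what the body shows. certPrivateKey itself is declared outside the hunk, so where it is populated cannot be confirmed here.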