diff --git a/tuf/data/snapshot.go b/tuf/data/snapshot.go index 29b14e62d4..937f7af355 100644 --- a/tuf/data/snapshot.go +++ b/tuf/data/snapshot.go @@ -2,7 +2,6 @@ package data import ( "bytes" - "crypto/sha256" "fmt" "time" @@ -39,10 +38,18 @@ func isValidSnapshotStructure(s Snapshot) error { // Meta is a map of FileMeta, so if the role isn't in the map it returns // an empty FileMeta, which has an empty map, and you can check on keys // from an empty map. - if checksum, ok := s.Meta[role].Hashes["sha256"]; !ok || len(checksum) != sha256.Size { + // + // For now sha256 is required and sha512 is not. + if _, ok := s.Meta[role].Hashes["sha256"]; !ok { return ErrInvalidMetadata{ role: CanonicalSnapshotRole, - msg: fmt.Sprintf("missing or invalid %s sha256 checksum information", role), + msg: fmt.Sprintf("missing %s sha256 checksum information", role), + } + } + if err := CheckValidHashStructures(s.Meta[role].Hashes); err != nil { + return ErrInvalidMetadata{ + role: CanonicalSnapshotRole, + msg: fmt.Sprintf("invalid %s checksum information, %v", role, err), } } } diff --git a/tuf/data/timestamp.go b/tuf/data/timestamp.go index ed5e9bb7b0..2914bc59a8 100644 --- a/tuf/data/timestamp.go +++ b/tuf/data/timestamp.go @@ -2,7 +2,6 @@ package data import ( "bytes" - "crypto/sha256" "fmt" "time" @@ -37,10 +36,17 @@ func isValidTimestampStructure(t Timestamp) error { // Meta is a map of FileMeta, so if the role isn't in the map it returns // an empty FileMeta, which has an empty map, and you can check on keys // from an empty map. - if cs, ok := t.Meta[CanonicalSnapshotRole].Hashes["sha256"]; !ok || len(cs) != sha256.Size { + // + // For now sha256 is required and sha512 is not. + if _, ok := t.Meta[CanonicalSnapshotRole].Hashes["sha256"]; !ok { return ErrInvalidMetadata{ - role: CanonicalTimestampRole, msg: "missing or invalid snapshot sha256 checksum information"} + role: CanonicalTimestampRole, msg: "missing snapshot sha256 checksum information"} } + if err := CheckValidHashStructures(t.Meta[CanonicalSnapshotRole].Hashes); err != nil { + return ErrInvalidMetadata{ + role: CanonicalTimestampRole, msg: fmt.Sprintf("invalid snapshot checksum information, %v", err)} + } + return nil } diff --git a/tuf/testutils/swizzler.go b/tuf/testutils/swizzler.go index 6aa59446c8..089521cff3 100644 --- a/tuf/testutils/swizzler.go +++ b/tuf/testutils/swizzler.go @@ -530,7 +530,7 @@ func (m *MetadataSwizzler) UpdateSnapshotHashes(roles ...string) error { return err } - meta, err := data.NewFileMeta(bytes.NewReader(metaBytes), "sha256") + meta, err := data.NewFileMeta(bytes.NewReader(metaBytes), data.NotaryDefaultHashes...) if err != nil { return err } @@ -575,7 +575,7 @@ func (m *MetadataSwizzler) UpdateTimestampHash() error { return err } - snapshotMeta, err := data.NewFileMeta(bytes.NewReader(metaBytes), "sha256") + snapshotMeta, err := data.NewFileMeta(bytes.NewReader(metaBytes), data.NotaryDefaultHashes...) if err != nil { return err } diff --git a/tuf/tuf.go b/tuf/tuf.go index 0a1912a5f5..6d1a46aa08 100644 --- a/tuf/tuf.go +++ b/tuf/tuf.go @@ -760,7 +760,7 @@ func (tr *Repo) UpdateSnapshot(role string, s *data.Signed) error { if err != nil { return err } - meta, err := data.NewFileMeta(bytes.NewReader(jsonData), "sha256") + meta, err := data.NewFileMeta(bytes.NewReader(jsonData), data.NotaryDefaultHashes...) if err != nil { return err } @@ -775,7 +775,7 @@ func (tr *Repo) UpdateTimestamp(s *data.Signed) error { if err != nil { return err } - meta, err := data.NewFileMeta(bytes.NewReader(jsonData), "sha256") + meta, err := data.NewFileMeta(bytes.NewReader(jsonData), data.NotaryDefaultHashes...) if err != nil { return err }