Upgrade to new hash-agnostic APIs for sign and verify
And also prepare for a future switch to SHA256
xnox committed Sep 13, 2024
1 parent 7764878 commit 62071cd
Showing 2 changed files with 21 additions and 18 deletions.
17 changes: 10 additions & 7 deletions pkg/build/sign.go
@@ -5,8 +5,7 @@ import (
"bytes"
"context"

//nolint:gosec
"crypto/sha1"
"crypto"
"fmt"
"os"
"path/filepath"
@@ -74,18 +73,22 @@ type KeyApkSigner struct {
KeyPassphrase string
}

const melangeApkDigest = crypto.SHA1

// const melangeApkDigest = crypto.SHA256

func (s KeyApkSigner) Sign(control []byte) ([]byte, error) {
//nolint:gosec
digest := sha1.New()

_, err := digest.Write(control)
controlDigest, err := sign.HashData(control, melangeApkDigest)
if err != nil {
return nil, err
}

return sign.RSASignSHA1Digest(digest.Sum(nil), s.KeyFile, s.KeyPassphrase)
return sign.RSASignDigest(controlDigest, melangeApkDigest, s.KeyFile, s.KeyPassphrase)
}

func (s KeyApkSigner) SignatureName() string {
if melangeApkDigest == crypto.SHA256 {
return fmt.Sprintf(".SIGN.RSA256.%s.pub", filepath.Base(s.KeyFile))
}
return fmt.Sprintf(".SIGN.RSA.%s.pub", filepath.Base(s.KeyFile))
}
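Review bot: `SignatureName` falls through to the `.SIGN.RSA.` name for every value of `melangeApkDigest` other than `crypto.SHA256`, so changing the constant to any third hash would label the signature as SHA-1 while `Sign` hashes with something else. Assuming verifiers pick the hash from that file name, the mismatch would only show up downstream as a failed verification. A `switch melangeApkDigest` with explicit `crypto.SHA1` and `crypto.SHA256` cases and a default that fails loudly would keep the name and the digest in step. With the `//nolint:gosec` markers removed, nothing in the file records that SHA-1 is still a deliberate choice, so the constant should carry a doc comment in place of the commented-out alternative, e.g. `// melangeApkDigest is the hash used to sign the control section; SignatureName must agree with it. SHA-1 is kept for now: <reason>.` The `KeyApkSigner` struct starts outside the hunk.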
22 changes: 11 additions & 11 deletions pkg/sign/apk_test.go
@@ -19,7 +19,7 @@ import (
"bytes"
"compress/gzip"
"context"
"crypto/sha1"
"crypto"
"fmt"
"io"
"os"
@@ -54,26 +54,26 @@ func TestAPK(t *testing.T) {
if err != nil {
t.Fatal(err)
}
if sigName != ".SIGN.RSA."+testPubkey {
melangeApkDigest := crypto.SHA1
prefix := ".SIGN.RSA."
// melangeApkDigest := crypto.SHA256
// prefix := ".SIGN.RSA256."
if sigName != prefix+testPubkey {
t.Fatalf("unexpected signature name %s", sigName)
}
//nolint:gosec we do have to use SHA1 here
digest := computeSHA1Digest(controlData)
digest, err := signature.HashData(controlData, melangeApkDigest)
if err != nil {
t.Fatal(err)
}
pubKey, err := os.ReadFile("testdata/" + testPubkey)
if err != nil {
t.Fatal(err)
}
if err := signature.RSAVerifySHA1Digest(digest, sig, pubKey); err != nil {
if err := signature.RSAVerifyDigest(digest, melangeApkDigest, sig, pubKey); err != nil {
t.Fatal(err)
}
}

func computeSHA1Digest(data []byte) []byte {
digest := sha1.New()
_, _ = digest.Write(data)
return digest.Sum(nil)
}

func parseAPK(ctx context.Context, apkPath string) (control []byte, sigName string, sig []byte, err error) {
apkr, err := os.Open(apkPath)
if err != nil {
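Review bot: The test keeps its own copy of the digest choice (`melangeApkDigest := crypto.SHA1`, `prefix := ".SIGN.RSA."`) plus a commented-out SHA-256 pair, and nothing ties it to the constant of the same name in pkg/build/sign.go, so the two can drift apart when the build default changes. A comment above the two assignments such as `// Must match melangeApkDigest and the SignatureName prefix in pkg/build/sign.go.` would make the coupling visible to whoever flips the default. The mismatch message would also be easier to act on if it printed the expected value, `t.Fatalf("unexpected signature name %q, want %q", sigName, prefix+testPubkey)`. `TestAPK` begins before the hunk, so how the APK under test is produced is not visible here.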
