Merge pull request #4026 from LiilyZhang/zhangl/Issue4020

Issue #4020 - Change default hash algorithm to sha256 in …
open-horizon · Apr 3, 2024 · 91401ee · 91401ee
2 parents 5beeb53 + 77c3fc8
commit 91401ee
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 46 deletions.
diff --git a/cli/hzn.go b/cli/hzn.go
@@ -672,7 +672,7 @@ Environment Variables:
 	mmsObjectPublishNoChunkUpload := mmsObjectPublishCmd.Flag("disableChunkUpload", msgPrinter.Sprintf("The publish command will disable chunk upload. Data will stream to CSS.")).Bool()
 	mmsObjectPublishChunkUploadDataSize := mmsObjectPublishCmd.Flag("chunkSize", msgPrinter.Sprintf("The size of data chunk that will be published with. Ignored if --disableChunkUpload is specified.")).Default("52428800").Int()
 	mmsObjectPublishSkipIntegrityCheck := mmsObjectPublishCmd.Flag("noIntegrity", msgPrinter.Sprintf("The publish command will not perform a data integrity check on the uploaded object data. It is mutually exclusive with --hashAlgo and --hash")).Bool()
-	mmsObjectPublishDSHashAlgo := mmsObjectPublishCmd.Flag("hashAlgo", msgPrinter.Sprintf("The hash algorithm used to hash the object data before signing it, ensuring data integrity during upload and download. Supported hash algorithms are SHA1 or SHA256, the default is SHA1. It is mutually exclusive with the --noIntegrity flag")).Short('a').String()
+	mmsObjectPublishDSHashAlgo := mmsObjectPublishCmd.Flag("hashAlgo", msgPrinter.Sprintf("The hash algorithm used to hash the object data before signing it, ensuring data integrity during upload and download. Supported hash algorithms are SHA1 or SHA256, the default is SHA256. It is mutually exclusive with the --noIntegrity flag")).Short('a').String()
 	mmsObjectPublishDSHash := mmsObjectPublishCmd.Flag("hash", msgPrinter.Sprintf("The hash of the object data being uploaded or downloaded. Use this flag if you want to provide the hash instead of allowing the command to automatically calculate the hash. The hash must be generated using either the SHA1 or SHA256 algorithm. The -a flag must be specified if the hash was generated using SHA256. This flag is mutually exclusive with --noIntegrity.")).String()
 	mmsObjectPublishPrivKeyFile := mmsObjectPublishCmd.Flag("private-key-file", msgPrinter.Sprintf("The path of a private key file to be used to sign the object. The corresponding public key will be stored in the MMS to ensure integrity of the object. If not specified, the environment variable HZN_PRIVATE_KEY_FILE will be used to find a private key. If not set, ~/.hzn/keys/service.private.key will be used. If it does not exist, an RSA key pair is generated only for this publish operation and then the private key is discarded.")).Short('k').ExistingFile()
 	mmsObjectTypesCmd := mmsObjectCmd.Command("types", msgPrinter.Sprintf("Display a list of object types stored in the Horizon Model Management Service."))
@@ -690,7 +690,7 @@ Environment Variables:
 	nmManifestAddType := nmManifestAddCmd.Flag("type", msgPrinter.Sprintf("The type of manifest to add. Valid values include 'agent_upgrade_manifests'.")).Required().Short('t').String()
 	nmManifestAddId := nmManifestAddCmd.Flag("id", msgPrinter.Sprintf("The id of the manifest to add.")).Required().Short('i').String()
 	nmManifestAddFile := nmManifestAddCmd.Flag("json-file", msgPrinter.Sprintf("The path of a JSON file containing the manifest data. Specify -f- to read from stdin.")).Short('f').Required().String()
-	nmManifestAddDSHashAlgo := nmManifestAddCmd.Flag("hashAlgo", msgPrinter.Sprintf("The hash algorithm used to hash the manifest data before signing it, ensuring data integrity during upload and download. Supported hash algorithms are SHA1 or SHA256, the default is SHA1. It is mutually exclusive with the --noIntegrity flag")).Short('a').String()
+	nmManifestAddDSHashAlgo := nmManifestAddCmd.Flag("hashAlgo", msgPrinter.Sprintf("The hash algorithm used to hash the manifest data before signing it, ensuring data integrity during upload and download. Supported hash algorithms are SHA1 or SHA256, the default is SHA256. It is mutually exclusive with the --noIntegrity flag")).Short('a').String()
 	nmManifestAddDSHash := nmManifestAddCmd.Flag("hash", msgPrinter.Sprintf("The hash of the manifest data being uploaded or downloaded. Use this flag if you want to provide the hash instead of allowing the command to automatically calculate the hash. The hash must be generated using either the SHA1 or SHA256 algorithm. The -a flag must be specified if the hash was generated using SHA256. This flag is mutually exclusive with --noIntegrity.")).String()
 	nmManifestAddPrivKeyFile := nmManifestAddCmd.Flag("private-key-file", msgPrinter.Sprintf("The path of a private key file to be used to sign the manifest. The corresponding public key will be stored in the MMS to ensure integrity of the manifest. If not specified, the environment variable HZN_PRIVATE_KEY_FILE will be used to find a private key. If not set, ~/.hzn/keys/service.private.key will be used. If it does not exist, an RSA key pair is generated only for this publish operation and then the private key is discarded.")).Short('k').ExistingFile()
 	nmManifestAddSkipIntegrityCheck := nmManifestAddCmd.Flag("noIntegrity", msgPrinter.Sprintf("The publish command will not perform a data integrity check on the uploaded manifest data. It is mutually exclusive with --hashAlgo and --hash")).Bool()

diff --git a/cli/node_management/manifest.go b/cli/node_management/manifest.go
@@ -202,9 +202,9 @@ func ManifestAdd(org, credToUse, manifestFile, manifestId, manifestType, dsHashA
 	// Sign the manifest object for integrity during upload to CSS
 	if !skipDigitalSig {
 
-		hashAlgorithm := common.Sha1
-		if dsHashAlgo == common.Sha256 {
-			hashAlgorithm = common.Sha256
+		hashAlgorithm := common.Sha256
+		if dsHashAlgo == common.Sha1 {
+			hashAlgorithm = common.Sha1
 		}
 
 		msgPrinter.Printf("Digital sign with %s will be performed for data integrity.\n", hashAlgorithm)

diff --git a/cli/sync_service/object.go b/cli/sync_service/object.go
@@ -2,16 +2,12 @@ package sync_service
 
 import (
 	"bytes"
-	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"github.com/open-horizon/anax/cli/cliconfig"
 	"github.com/open-horizon/anax/cli/cliutils"
@@ -346,9 +342,9 @@ func ObjectPublish(org string, userPw string, objType string, objId string, objP
 		objectMeta.MetaOnly = true
 	} else if !skipDigitalSig {
 
-		hashAlgorithm := common.Sha1
-		if dsHashAlgo == common.Sha256 {
-			hashAlgorithm = common.Sha256
+		hashAlgorithm := common.Sha256
+		if dsHashAlgo == common.Sha1 {
+			hashAlgorithm = common.Sha1
 		}
 
 		msgPrinter.Printf("Digital sign with %s will be performed for data integrity. It will delay the MMS object publish.\n", hashAlgorithm)
@@ -574,7 +570,7 @@ func SignObjData(objData io.Reader, dsHashAlgo string, dsHash string, privKeyFil
 		msgPrinter.Printf("Start hashing the file...")
 		msgPrinter.Println()
 
-		if fileHash, err = GetHash(dsHashAlgo); err != nil {
+		if fileHash, err = cutil.GetHash(dsHashAlgo); err != nil {
 			return "", "", err
 		} else if _, err = io.Copy(fileHash, objData); err != nil {
 			return "", "", err
@@ -600,7 +596,7 @@ func SignObjData(objData io.Reader, dsHashAlgo string, dsHash string, privKeyFil
 
 	if publicKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey); err != nil {
 		return "", "", err
-	} else if cryptoHash, err := GetCryptoHashType(dsHashAlgo); err != nil {
+	} else if cryptoHash, err := cutil.GetCryptoHashType(dsHashAlgo); err != nil {
 		return "", "", err
 	} else if signature, err := rsa.SignPSS(rand.Reader, privateKey, cryptoHash, fileHashSum, nil); err != nil {
 		return "", "", err
@@ -612,33 +608,6 @@ func SignObjData(objData io.Reader, dsHashAlgo string, dsHash string, privKeyFil
 	}
 }
 
-func GetHash(hashAlgo string) (hash.Hash, error) {
-	// get message printer
-	msgPrinter := i18n.GetMessagePrinter()
-
-	if hashAlgo == common.Sha1 {
-		return sha1.New(), nil
-	} else if hashAlgo == common.Sha256 {
-		return sha256.New(), nil
-	} else {
-		return nil, errors.New(msgPrinter.Sprintf("Hash algorithm %s is not supported", hashAlgo))
-	}
-
-}
-
-func GetCryptoHashType(hashAlgo string) (crypto.Hash, error) {
-	// get message printer
-	msgPrinter := i18n.GetMessagePrinter()
-
-	if hashAlgo == common.Sha1 {
-		return crypto.SHA1, nil
-	} else if hashAlgo == common.Sha256 {
-		return crypto.SHA256, nil
-	} else {
-		return 0, errors.New(msgPrinter.Sprintf("Hash algorithm %s is not supported", hashAlgo))
-	}
-}
-
 func uploadDataByChunk(mmsUrl string, creds string, chunkSize int, file *os.File) {
 	// get message printer
 	msgPrinter := i18n.GetMessagePrinter()
@@ -668,7 +637,6 @@ func uploadDataByChunk(mmsUrl string, creds string, chunkSize int, file *os.File
 
 	var endOffset int64
 	var dataLength int64
-	var mmsOwnerID string
 	retryCount := 0
 	for int64(startOffset) < fileInfo.Size() {
 		dataLength = int64(chunkSize)
@@ -697,7 +665,7 @@ func uploadDataByChunk(mmsUrl string, creds string, chunkSize int, file *os.File
 			msgPrinter.Printf("\r")
 		}
 
-		makeHeaderMap(headers, startOffset, endOffset, fileInfo.Size(), dataLength, mmsOwnerID, creds)
+		makeHeaderMap(headers, startOffset, endOffset, fileInfo.Size(), dataLength, creds)
 		resp, err := makeChunkUploadRequest(httpClient, mmsUrl, headers, chunkData, closeRequest)
 
 		// In order for HTTP client connection to be re-used, the response body must be fully read. Do it here
@@ -758,7 +726,7 @@ func makeChunkUploadRequest(httpClient *http.Client, mmsUrl string, headers map[
 	return httpClient.Do(req)
 }
 
-func makeHeaderMap(headers map[string]string, startOffset int64, endOffset int64, fileSize int64, dataLength int64, mmsOwnerID string, creds string) {
+func makeHeaderMap(headers map[string]string, startOffset int64, endOffset int64, fileSize int64, dataLength int64, creds string) {
 	headers["Content-Range"] = fmt.Sprintf("bytes %d-%d/%d", startOffset, endOffset, fileSize)
 	headers["Content-Length"] = strconv.FormatInt(dataLength, 10)
 	headers["Authorization"] = fmt.Sprintf("Basic %v", base64.StdEncoding.EncodeToString([]byte(creds)))

diff --git a/test/gov/sync_service_test.sh b/test/gov/sync_service_test.sh
@@ -267,7 +267,7 @@ fi
 # Test object publish with --hash and -a
 echo "Testing object publish with --hash and -a flags"
 SHA1_HASH=$(sha1sum /tmp/data-small.txt | awk '{print $1;}')
-hzn mms object publish -m /tmp/meta.json -f /tmp/data-small.txt --hash $SHA1_HASH >/dev/null
+hzn mms object publish -m /tmp/meta.json -f /tmp/data-small.txt --hash $SHA1_HASH -a SHA1 >/dev/null
 RC=$?
 if [ $RC -ne 0 ]
 then
@@ -290,7 +290,7 @@ fi
 # Test object publish signing with SHA256
 echo "Testing object publish signing with SHA256"
 SHA256_HASH=$(sha256sum /tmp/data-small.txt | awk '{print $1;}')
-hzn mms object publish -m /tmp/meta.json -f /tmp/data-small.txt --hash $SHA256_HASH -a SHA256 >/dev/null
+hzn mms object publish -m /tmp/meta.json -f /tmp/data-small.txt --hash $SHA256_HASH >/dev/null
 RC=$?
 if [ $RC -ne 0 ]
 then