fix: update sha1 to sha256 and other chores (notaryproject#665)

Fixes: notaryproject#611 and notaryproject#635 Signed-off-by: Pritesh Bandi <[email protected]>
Wwwsylvia · May 16, 2023 · b10950d · b10950d
1 parent 13aff50
commit b10950d
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 37 deletions.
diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go
@@ -1,7 +1,7 @@
 package main
 
 import (
-	"crypto/sha1"
+	"crypto/sha256"
 	b64 "encoding/base64"
 	"encoding/hex"
 	"errors"
@@ -48,10 +48,10 @@ type signatureOutput struct {
 }
 
 type certificateOutput struct {
-	SHA1Fingerprint string `json:"SHA1Fingerprint"`
-	IssuedTo        string `json:"issuedTo"`
-	IssuedBy        string `json:"issuedBy"`
-	Expiry          string `json:"expiry"`
+	SHA256Fingerprint string `json:"SHA256Fingerprint"`
+	IssuedTo          string `json:"issuedTo"`
+	IssuedBy          string `json:"issuedBy"`
+	Expiry            string `json:"expiry"`
 }
 
 func inspectCommand(opts *inspectOpts) *cobra.Command {
@@ -201,7 +201,10 @@ func getSignedAttributes(outputFormat string, envContent *signature.EnvelopeCont
 	signedAttributes := map[string]string{
 		"signingScheme": string(envContent.SignerInfo.SignedAttributes.SigningScheme),
 		"signingTime":   formatTimestamp(outputFormat, envContent.SignerInfo.SignedAttributes.SigningTime),
-		"expiry":        formatTimestamp(outputFormat, envContent.SignerInfo.SignedAttributes.Expiry),
+	}
+	expiry := envContent.SignerInfo.SignedAttributes.Expiry
+	if !expiry.IsZero() {
+		signedAttributes["expiry"] = formatTimestamp(outputFormat, expiry)
 	}
 
 	for _, attribute := range envContent.SignerInfo.SignedAttributes.ExtendedAttributes {
@@ -238,14 +241,14 @@ func getCertificates(outputFormat string, envContent *signature.EnvelopeContent)
 	certificates := []certificateOutput{}
 
 	for _, cert := range envContent.SignerInfo.CertificateChain {
-		h := sha1.Sum(cert.Raw)
+		h := sha256.Sum256(cert.Raw)
 		fingerprint := strings.ToLower(hex.EncodeToString(h[:]))
 
 		certificate := certificateOutput{
-			SHA1Fingerprint: fingerprint,
-			IssuedTo:        cert.Subject.String(),
-			IssuedBy:        cert.Issuer.String(),
-			Expiry:          formatTimestamp(outputFormat, cert.NotAfter),
+			SHA256Fingerprint: fingerprint,
+			IssuedTo:          cert.Subject.String(),
+			IssuedBy:          cert.Issuer.String(),
+			Expiry:            formatTimestamp(outputFormat, cert.NotAfter),
 		}
 
 		certificates = append(certificates, certificate)
@@ -284,7 +287,7 @@ func printOutput(outputFormat string, ref string, output inspectOutput) error {
 
 		certListNode := sigNode.Add("certificates")
 		for _, cert := range signature.Certificates {
-			certNode := certListNode.AddPair("SHA1 fingerprint", cert.SHA1Fingerprint)
+			certNode := certListNode.AddPair("SHA256 fingerprint", cert.SHA256Fingerprint)
 			certNode.AddPair("issued to", cert.IssuedTo)
 			certNode.AddPair("issued by", cert.IssuedBy)
 			certNode.AddPair("expiry", cert.Expiry)

diff --git a/cmd/notation/internal/truststore/truststore.go b/cmd/notation/internal/truststore/truststore.go
@@ -1,7 +1,7 @@
 package truststore
 
 import (
-	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
 	"errors"
@@ -121,8 +121,8 @@ func showCert(cert *x509.Certificate) {
 	fmt.Println("Valid to:", cert.NotAfter)
 	fmt.Println("IsCA:", cert.IsCA)
 
-	h := sha1.Sum(cert.Raw)
-	fmt.Println("SHA1 Thumbprint:", strings.ToLower(hex.EncodeToString(h[:])))
+	h := sha256.Sum256(cert.Raw)
+	fmt.Println("SHA256 Thumbprint:", strings.ToLower(hex.EncodeToString(h[:])))
 }
 
 // DeleteAllCerts deletes all certificate files from the trust store

diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md
@@ -31,7 +31,7 @@ Inspect all signatures associated with the signed artifact.
 
 Usage:
     notation inspect [flags] <reference>
-  
+
 Flags:
       --allow-referrers-api   [Experimental] use the Referrers API to inspect signatures, if not supported (returns 404), fallback to the Referrers tag schema
   -d, --debug                 debug mode
@@ -71,22 +71,22 @@ localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac4efe37a5380ee
     │   │   ├── signing scheme: notary.default.x509
     │   │   ├── signing time: Fri Jun 23 22:04:01 2023
     │   │   ├── expiry: Sat Jun 29 22:04:01 2024
-    │   │   └── io.cncf.notary.verificationPlugin: com.example.nv2plugin    //extended attributes 
+    │   │   └── io.cncf.notary.verificationPlugin: com.example.nv2plugin    //extended attributes
     │   ├── user defined attributes
     │   │   └── io.wabbit-networks.buildId: 123                             //user defined metadata
     │   ├── unsigned attributes
-    │   │   ├── io.cncf.notary.timestampSignature: <Base64(TimeStampToken)> //TSA response 
+    │   │   ├── io.cncf.notary.timestampSignature: <Base64(TimeStampToken)> //TSA response
     │   │   └── io.cncf.notary.signingAgent: notation/1.0.0                 //client version
     │   ├── certificates
-    │   │   ├── SHA1 fingerprint: E8C15B4C98AD91E051EE5AF5F524A8729050B2A
+    │   │   ├── SHA256 fingerprint: E8C15B4C98AD91E051EE5AF5F524A8729050B2A
     │   │   │   ├── issued to: wabbit-com Software
     │   │   │   ├── issued by: wabbit-com Software Root Certificate Authority
     │   │   │   └── expiry: Sun Jul 06 20:50:17 2025
-    │   │   ├── SHA1 fingerprint: 5DCC2147712B3C555B1C96CFCC00215403TF044D
+    │   │   ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89
     │   │   │   ├── issued to: wabbit-com Software Code Signing PCA
     │   │   │   ├── issued by: wabbit-com Software Root Certificate Authority
     │   │   │   └── expiry: Sun Jul 06 20:50:17 2025
-    │   │   └── SHA1 fingerprint: 1GYA3107712B3C886B1C96AAEC89984914DC0A5A
+    │   │   └── SHA256 fingerprint: ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536
     │   │       ├── issued to: wabbit-com Software Root Certificate Authority
     │   │       ├── issued by: wabbit-com Software Root Certificate Authority
     │   │       └── expiry: Sat Jun 23 22:04:01 2035
@@ -106,19 +106,19 @@ localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac4efe37a5380ee
         │   ├── io.cncf.notary.timestampSignature: <Base64(TimeStampToken)>
         │   └── io.cncf.notary.signingAgent: notation/1.0.0
         ├── certificates
-        │   ├── SHA1 fingerprint: 68C15B4C98AD91E051EE5AF5F524A8729040B1D
+        │   ├── SHA256 fingerprint: b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d
         │   │   ├── issued to: wabbit-com Software
         │   │   ├── issued by: wabbit-com Software Root Certificate Authority
         │   │   └── expiry: Sun Jul 06 20:50:17 2025
-        │   ├── SHA1 fingerprint: 4ACC2147712B3C555B1C96CFCC00215403TE011C
+        │   ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89
         │   │   ├── issued to: wabbit-com Software Code Signing PCA 2010
         │   │   ├── issued by: wabbit-com Software Root Certificate Authority
         │   │   └── expiry: Sun Jul 06 20:50:17 2025
-        │   └── SHA1 fingerprint: A4YA1205512B3C886B1C96AAEC89984914DC012A
+        │   └── SHA256 fingerprint: ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536
         │       ├── issued to: wabbit-com Software Root Certificate Authority
         │       ├── issued by: wabbit-com Software Root Certificate Authority
         │       └── expiry: Sat Jun 23 22:04:01 2035
-        └── signed artifact 
+        └── signed artifact
             ├── media type: application/vnd.oci.image.manifest.v1+json
             ├── digest: sha256:b94d27b9934d3e08a52e52d7da7fac484efe37a5380ee9088f7ace2efcde9
             └── size: 16724
@@ -157,15 +157,15 @@ localhost:5000/net-monitor@sha256:ca5427b5567d3e06a72e52d7da7dabfac484efe37a5380
     │   │   ├── io.cncf.notary.timestampSignature: <Base64(TimeStampToken)>
     │   │   └── io.cncf.notary.signingAgent: notation/1.0.0
     │   ├── certificates
-    │   │   ├── SHA1 fingerprint: E8C15B4C98AD91E051EE5AF5F524A8729050B2A
+    │   │   ├── SHA256 fingerprint: b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d
     │   │   │   ├── issued to: wabbit-com Software
     │   │   │   ├── issued by: wabbit-com Software Root Certificate Authority
     │   │   │   └── expiry: Sun Jul 06 20:50:17 2025
-    │   │   ├── SHA1 fingerprint: 5DCC2147712B3C555B1C96CFCC00215403TF044D
+    │   │   ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89
     │   │   │   ├── issued to: wabbit-com Software Code Signing PCA
     │   │   │   ├── issued by: wabbit-com Software Root Certificate Authority
     │   │   │   └── expiry: Sun Jul 06 20:50:17 2025
-    │   │   └── SHA1 fingerprint: 1GYA3107712B3C886B1C96AAEC89984914DC0A5A
+    │   │   └── SHA256 fingerprint: ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536
     │   │       ├── issued to: wabbit-com Software Root Certificate Authority
     │   │       ├── issued by: wabbit-com Software Root Certificate Authority
     │   │       └── expiry: Sat Jun 23 22:04:01 2035
@@ -185,15 +185,15 @@ localhost:5000/net-monitor@sha256:ca5427b5567d3e06a72e52d7da7dabfac484efe37a5380
         │   ├── io.cncf.notary.timestampSignature: <Base64(TimeStampToken)>
         │   └── io.cncf.notary.signingAgent: notation/1.0.0
         ├── certificates
-        │   ├── SHA1 fingerprint: 68C15B4C98AD91E051EE5AF5F524A8729040B1D
+        │   ├── SHA256 fingerprint: b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d
         │   │   ├── issued to: wabbit-com Software
         │   │   ├── issued by: wabbit-com Software Root Certificate Authority
         │   │   └── expiry: Sun Jul 06 20:50:17 2025
-        │   ├── SHA1 fingerprint: 4ACC2147712B3C555B1C96CFCC00215403TE011C
+        │   ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89
         │   │   ├── issued to: wabbit-com Software Code Signing PCA
         │   │   ├── issued by: wabbit-com Software Root Certificate Authority
         │   │   └── expiry: Sun Jul 06 20:50:17 2025
-        │   └── SHA1 fingerprint: A4YA1205512B3C886B1C96AAEC89984914DC012A
+        │   └── SHA256 fingerprint: ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536
         │       ├── issued to: wabbit-com Software Root Certificate Authority
         │       ├── issued by: wabbit-com Software Root Certificate Authority
         │       └── expiry: Sat Jun 23 22:04:01 2035
@@ -232,19 +232,19 @@ An example output:
       },
       "certificates": [
         {
-          "SHA1Fingerprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A",
+          "SHA256Fingerprint": "b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d",
           "issuedTo": "wabbit-com Software",
           "issuedBy": "wabbit-com Software Root Certificate Authority",
           "expiry": "2025-07-06T20:50:17Z"
         },
         {
-          "SHA1Fingerprint": "5DCC2147712B3C555B1C96CFCC00215403TF044D",
+          "SHA256Fingerprint": "4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89",
           "issuedTo": "wabbit-com Software Code Signing PCA",
           "issuedBy": "wabbit-com Software Root Certificate Authority",
           "expiry": "2025-07-06T20:50:17Z"
         },
         {
-          "SHA1Fingerprint": "1GYA3107712B3C886B1C96AAEC89984914DC0A5A",
+          "SHA256Fingerprint": "ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536",
           "issuedTo": "wabbit-com Software Root Certificate Authority",
           "issuedBy": "wabbit-com Software Root Certificate Authority",
           "expiry": "2035-07-06T20:50:17Z"
@@ -272,19 +272,19 @@ An example output:
       },
       "certificates": [
         {
-          "SHA1Fingerprint": "68C15B4C98AD91E051EE5AF5F524A8729040B1D",
+          "SHA256Fingerprint": "b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d",
           "issuedTo": "wabbit-com Software",
           "issuedBy": "wabbit-com Software Root Certificate Authority",
           "expiry": "2025-07-06T20:50:17Z"
         },
         {
-          "SHA1Fingerprint": "4ACC2147712B3C555B1C96CFCC00215403TE011C",
+          "SHA256Fingerprint": "4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89",
           "issuedTo": "wabbit-com Software Code Signing PCA",
           "issuedBy": "wabbit-com Software Root Certificate Authority",
           "expiry": "2025-07-06T20:50:17Z"
         },
         {
-          "SHA1Fingerprint": "A4YA1205512B3C886B1C96AAEC89984914DC012A",
+          "SHA256Fingerprint": "ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536",
           "issuedTo": "wabbit-com Software Root Certificate Authority",
           "issuedBy": "wabbit-com Software Root Certificate Authority",
           "expiry": "2035-07-06T20:50:17Z"