Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to the Web Crypto API for generating SHA checksums #21522

Merged
merged 1 commit into from
Jan 16, 2025
Merged

Switch to the Web Crypto API for generating SHA checksums #21522

merged 1 commit into from
Jan 16, 2025

Conversation

jelly
Copy link
Member

@jelly jelly commented Jan 15, 2025

This allows us to drop the two pure JavaScript implementations of SHA-1 and SHA-256. These native Web Crypto API is available as baseline and allows us to easily switch over to SHA-512 without adding a new dependency.

@jelly jelly requested a review from martinpitt January 15, 2025 16:44
@martinpitt
Copy link
Member

This looks good, thanks! Did you check that the computed checksums are the same before and after? (Do our tests validate that and compare to some CLI output?) Can you please refresh/fix the node_modules build?

@jelly jelly force-pushed the native-sha-hashing branch from a2e795c to 7c486bf Compare January 16, 2025 08:19
@jelly
Copy link
Member Author

jelly commented Jan 16, 2025

For development I basically did a sit() in TestStorageNBDE as that's the easiest to get tang and everything setup.

So on Fedora it defaults to SHA-256 and this is validated by getting the hash from tang-show-keys. On RHEL 8 or 9 this might still default to SHA-1.

So one of them is tested in CI, tang-show-keys is a simple bash script which parses the JWT token (like we do in JS). But you can't override if you want SHA1 or SHA-256.

                b.wait_in_text("#dialog", "Check the key hash with the Tang server")
                b.wait_in_text("#dialog", tang_m.execute("tang-show-keys").strip())
                testlib.sit()

@jelly
Switch to the Web Crypto API for generating SHA checksums
d576a10 
This allows us to drop the two pure JavaScript implementations of SHA-1
and SHA-256. These native Web Crypto API is available as baseline and allows us to
easily switch over to SHA-512 without adding a new dependency.
@jelly jelly force-pushed the native-sha-hashing branch from 7c486bf to d576a10 Compare January 16, 2025 08:40
martinpitt
martinpitt approved these changes Jan 16, 2025
View reviewed changes
Copy link
Member

@martinpitt martinpitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eeexcellent, dankjewel!

cockpituous
cockpituous reviewed Jan 16, 2025
View reviewed changes
pkg/storaged/crypto/tang.jsx
Comment on lines +98 to +99
} catch (err) {
console.warn("Unable to create a sha256 hash", err);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These 2 added lines are not executed by any test.

pkg/storaged/crypto/tang.jsx
Comment on lines +105 to +106
} catch (err) {
console.warn("Unable to create a sha1 hash", err);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These 2 added lines are not executed by any test.

@martinpitt martinpitt merged commit b6c323c into cockpit-project:main Jan 16, 2025
86 of 87 checks passed
@jelly jelly deleted the native-sha-hashing branch January 16, 2025 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cockpituous cockpituous cockpituous left review comments

@martinpitt martinpitt martinpitt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jelly @martinpitt @cockpituous