Add DigestSet hex encoding validation

Signed-off-by: Marcela Melara <[email protected]>
in-toto · Apr 4, 2024 · 7e1b9d7 · 7e1b9d7
1 parent ad3ec5f
commit 7e1b9d7
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/go/v1/resource_descriptor.go b/go/v1/resource_descriptor.go
@@ -4,15 +4,33 @@ Wrapper APIs for in-toto attestation ResourceDescriptor protos.
 
 package v1
 
-import "errors"
+import (
+	"encoding/hex"
+	"errors"
+)
 
-var ErrRDRequiredField = errors.New("at least one of name, URI, or digest are required")
+var (
+	ErrInvalidDigestEncoding = errors.New("digest is not valid hex-encoded string")
+	ErrRDRequiredField       = errors.New("at least one of name, URI, or digest are required")
+)
 
 func (d *ResourceDescriptor) Validate() error {
 	// at least one of name, URI or digest are required
 	if d.GetName() == "" && d.GetUri() == "" && len(d.GetDigest()) == 0 {
 		return ErrRDRequiredField
 	}
 
+	// the in-toto spec expects a hex-encoded string in DigestSets
+	// https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md
+	if len(d.GetDigest()) > 0 {
+		for _, digest := range d.GetDigest() {
+			_, err := hex.DecodeString(digest)
+
+			if err != nil {
+				return ErrInvalidDigestEncoding
+			}
+		}
+	}
+
 	return nil
 }
diff --git a/go/v1/resource_descriptor_test.go b/go/v1/resource_descriptor_test.go
@@ -17,6 +17,8 @@ const wantFullRd = `{"name":"theName","uri":"https://example.com","digest":{"alg
 
 const badRd = `{"downloadLocation":"https://example.com/test.zip","mediaType":"theMediaType"}`
 
+const badRdDigest = `{"digest":{"alg1":"badDigest"},"downloadLocation":"https://example.com/test.zip","mediaType":"theMediaType"}`
+
 func createTestResourceDescriptor() (*ResourceDescriptor, error) {
 	// Create a ResourceDescriptor
 	a, err := structpb.NewStruct(map[string]interface{}{
@@ -65,3 +67,13 @@ func TestBadResourceDescriptor(t *testing.T) {
 	err = got.Validate()
 	assert.ErrorIs(t, err, ErrRDRequiredField, "created malformed ResourceDescriptor")
 }
+
+func TestBadResourceDescriptorDigest(t *testing.T) {
+	got := &ResourceDescriptor{}
+	err := protojson.Unmarshal([]byte(badRdDigest), got)
+
+	assert.NoError(t, err, "Error during JSON unmarshalling")
+
+	err = got.Validate()
+	assert.ErrorIs(t, err, ErrInvalidDigestEncoding, "created ResourceDescriptor with invalid digest encoding")
+}