From 2c3ef2e0b26063320798f72275bbae315c8a56ff Mon Sep 17 00:00:00 2001 From: Adam Hughes <9903835+tri-adam@users.noreply.github.com> Date: Wed, 28 Sep 2022 14:42:20 +0000 Subject: [PATCH 1/2] fix: verify PGP hash algorithms Explicitly verify the signature hash algorithm used when signing/verifying OpenPGP signatures. Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com> --- pkg/integrity/clearsign.go | 34 ++++++++++++++++-- pkg/integrity/clearsign_test.go | 17 ++++++--- pkg/integrity/sign_test.go | 16 ++++++++- .../SignatureConfigSHA224.golden | Bin 0 -> 33100 bytes .../TestSignAndEncodeJSON/SHA1.golden | 15 -------- 5 files changed, 60 insertions(+), 22 deletions(-) create mode 100644 pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA224.golden delete mode 100644 pkg/integrity/testdata/TestSignAndEncodeJSON/SHA1.golden diff --git a/pkg/integrity/clearsign.go b/pkg/integrity/clearsign.go index 5fcc6e92..1c057d10 100644 --- a/pkg/integrity/clearsign.go +++ b/pkg/integrity/clearsign.go @@ -2,7 +2,7 @@ // Apptainer a Series of LF Projects LLC. // For website terms of use, trademark policy, privacy policy and other // project policies see https://lfprojects.org/policies -// Copyright (c) 2020, Sylabs Inc. All rights reserved. +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file // distributed with the sources of this project regarding your rights to use or distribute this // software. @@ -11,6 +11,7 @@ package integrity import ( "bytes" + "crypto" "encoding/json" "errors" "io" 
@@ -22,9 +23,32 @@ import (
 var errClearsignedMsgNotFound = errors.New("clearsigned message not found")
+// Hash functions specified for OpenPGP in RFC4880, excluding those that are not currently
+// recommended by NIST.
+var supportedPGPAlgorithms = []crypto.Hash{
+ crypto.SHA224,
+ crypto.SHA256,
+ crypto.SHA384,
+ crypto.SHA512,
+}
+
+// hashAlgorithmSupported returns whether h is a supported PGP hash function.
+func hashAlgorithmSupported(h crypto.Hash) bool {
+ for _, alg := range supportedPGPAlgorithms {
+ if alg == h {
+ return true
+ }
+ }
+ return false
+}
+
 // signAndEncodeJSON encodes v, clear-signs it with privateKey, and writes it to w. If config is
 // nil, sensible defaults are used.
 func signAndEncodeJSON(w io.Writer, v interface{}, privateKey *packet.PrivateKey, config *packet.Config) error {
+ if !hashAlgorithmSupported(config.Hash()) {
+ return errHashUnsupported
+ }
+
 // Get clearsign encoder.
 plaintext, err := clearsign.Encode(w, privateKey, config)
 if err != nil {
@@ -63,7 +87,13 @@ func verifyAndDecode(data []byte, kr openpgp.KeyRing) (*openpgp.Entity, []byte,
 }
 // Check signature.
- e, err := openpgp.CheckDetachedSignature(kr, bytes.NewReader(b.Bytes), b.ArmoredSignature.Body, nil)
+ e, err := openpgp.CheckDetachedSignatureAndHash(
+ kr,
+ bytes.NewReader(b.Bytes),
+ b.ArmoredSignature.Body,
+ supportedPGPAlgorithms,
+ nil,
+ )
 return e, b.Plaintext, rest, err
 }
diff --git a/pkg/integrity/clearsign_test.go b/pkg/integrity/clearsign_test.go
index 21783cae..d73245da 100644
--- a/pkg/integrity/clearsign_test.go
+++ b/pkg/integrity/clearsign_test.go
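Review bot: The new guard at the top of `signAndEncodeJSON` calls `config.Hash()` although the doc comment directly above still promises that a nil `config` is accepted; as far as I know this holds only because `(*packet.Config).Hash` is nil-safe and falls back to the library default, and nothing in the hunk records that. I would note it next to the check, e.g. `// config.Hash() is safe on a nil config and returns the library default, which must stay in supportedPGPAlgorithms.` Separately, `supportedPGPAlgorithms` is a mutable package-level slice that is also handed to the verifier in the next hunk, so a comment such as `// Treat as read-only: this is the allow-list for both signing and verification.` would help keep a later edit from widening the policy by accident. The body of `signAndEncodeJSON` continues past the end of the hunk.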
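Review bot: A signature made with a hash outside `supportedPGPAlgorithms` is now rejected in `verifyAndDecode`, but the caller only sees the library's error, which the updated test table pins as `StructuralError("hash algorithm mismatch with cleartext message headers")`, whereas the signing path returns `errHashUnsupported` for the same policy decision. That makes a legacy SHA-1 signature hard to tell apart from a malformed or tampered message in logs and in error handling. At minimum the function comment should say so, e.g. `// Signatures whose hash is not in supportedPGPAlgorithms fail verification; the error comes from the openpgp library, not errHashUnsupported.` `verifyAndDecode` begins above the hunk, so its existing doc comment is not visible here.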
@@ -2,7 +2,7 @@
 // Apptainer a Series of LF Projects LLC.
 // For website terms of use, trademark policy, privacy policy and other
 // project policies see https://lfprojects.org/policies
-// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved.
+// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
 // distributed with the sources of this project regarding your rights to use or distribute this
 // software.
@@ -13,6 +13,7 @@ import (
 "bufio"
 "bytes"
 "crypto"
+ "encoding/json"
 "errors"
 "io"
 "reflect"
@@ -20,6 +21,7 @@ import (
 "testing"
 "github.com/ProtonMail/go-crypto/openpgp"
+ "github.com/ProtonMail/go-crypto/openpgp/clearsign"
 pgperrors "github.com/ProtonMail/go-crypto/openpgp/errors"
 "github.com/ProtonMail/go-crypto/openpgp/packet"
 "github.com/sebdah/goldie/v2"
@@ -45,7 +47,7 @@ func TestSignAndEncodeJSON(t *testing.T) {
 }{
 {name: "EncryptedKey", key: &encryptedKey, wantErr: true},
 {name: "DefaultHash", key: e.PrivateKey},
- {name: "SHA1", key: e.PrivateKey, hash: crypto.SHA1},
+ {name: "SHA1", key: e.PrivateKey, hash: crypto.SHA1, wantErr: true},
 {name: "SHA224", key: e.PrivateKey, hash: crypto.SHA224},
 {name: "SHA256", key: e.PrivateKey, hash: crypto.SHA256},
 {name: "SHA384", key: e.PrivateKey, hash: crypto.SHA384},
@@ -125,7 +127,7 @@ func TestVerifyAndDecodeJSON(t *testing.T) {
 {name: "CorruptedSignature", el: openpgp.EntityList{e}, corrupter: corruptSignature},
 {name: "VerifyOnly", el: openpgp.EntityList{e}, wantEntity: e},
 {name: "DefaultHash", el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
- {name: "SHA1", hash: crypto.SHA1, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
+ {name: "SHA1", hash: crypto.SHA1, el: openpgp.EntityList{e}, wantErr: pgperrors.StructuralError("hash algorithm mismatch with cleartext message headers")}, //nolint:lll
 {name: "SHA224", hash: crypto.SHA224, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
 {name: "SHA256", hash: crypto.SHA256, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
 {name: "SHA384", hash: crypto.SHA384, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
@@ -140,10 +142,17 @@ func TestVerifyAndDecodeJSON(t *testing.T) {
 config := packet.Config{
 DefaultHash: tt.hash,
 }
- err := signAndEncodeJSON(&b, testValue, e.PrivateKey, &config)
+
+ // Manually sign and encode rather than calling signAndEncodeJSON, since we want to
+ // test unsupported hash algorithms.
+ plaintext, err := clearsign.Encode(&b, e.PrivateKey, &config)
 if err != nil {
 t.Fatal(err)
 }
+ if err := json.NewEncoder(plaintext).Encode(testValue); err != nil {
+ t.Fatal(err)
+ }
+ plaintext.Close()
 // Introduce corruption, if applicable.
 if tt.corrupter != nil {
diff --git a/pkg/integrity/sign_test.go b/pkg/integrity/sign_test.go
index 95b143ae..6826b89b 100644
--- a/pkg/integrity/sign_test.go
+++ b/pkg/integrity/sign_test.go
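Review bot: The test now drives `clearsign.Encode` directly but discards the result of `plaintext.Close()`; the clearsign encoder emits the signature when it is closed, so a failure there would leave `b` without a valid signature and surface later as an unrelated verification error. Check it like the two calls before it: `if err := plaintext.Close(); err != nil { t.Fatal(err) }`. The enclosing subtest starts and ends outside the hunk.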
@@ -2,7 +2,7 @@ // Apptainer a Series of LF Projects LLC. // For website terms of use, trademark policy, privacy policy and other // project policies see https://lfprojects.org/policies -// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved. +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file // distributed with the sources of this project regarding your rights to use or distribute this // software. @@ -322,6 +322,20 @@ func TestGroupSigner_SignWithEntity(t *testing.T) { }, e: e, }, + { + name: "SignatureConfigSHA224", + gs: groupSigner{ + f: twoGroups, + id: 1, + ods: []sif.Descriptor{d1, d2}, + mdHash: crypto.SHA1, + sigConfig: &packet.Config{ + DefaultHash: crypto.SHA224, + Time: fixedTime, + }, + }, + e: e, + }, { name: "SignatureConfigSHA256", gs: groupSigner{ diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA224.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA224.golden new file mode 100644 index 0000000000000000000000000000000000000000..150bd9a122e7630a03c6127430435d9056c3a02d GIT binary patch literal 33100 zcmeI#&u-&H90%~MSPmEtE1sb8g+sfF|BmfQm9P`X&EKX@(zFGH#$!(sH-GKaPEu8S z*#ie2ffG-#XP$y5;0-{_iDL=06m4NSth5*Ooy$)e|7PYlpPzh~LgBwhw^seSWqY-9 zL6QrS^v~pvX5ajJdwW~BkH!0phs8 z_REXket7u~+h7RN}!uh!n{c%8j&&1<`ry_VbU+MfI8N8yO3qtagY$W|0h5U#~6O49LsCYIy_ zaTL)oO2pE&7>KwU|T`x*BIuEfh=Affz<9OU8@UJgK~~y{t)u%G6?pPE}RmOqW<->as;G zYH*7yx+-g?6p4TB{%E-_Yb3A&u5p>`yOOwU5UN^cXflmUsvQJc5=AvaQ#AvsNX%4pMi`|UGfZ96-ck||b%jtK24O@EX6}~DOjUQc2&72b z&2p*-)UddC^VN;;FHN(1egD2+LY_KX$9A1^ZqJ;P`b8p@{qjY5Tq*M_UW~}dIUhMr z%{{B-P1o+74BC3rptV+gUoTq5(iLpmF{U}Uj^bk?U5#?Go?XssQ~A7+C!J+n*Me%ND2Zut#g=U=y39KjkaQ Xj_kuj;ZW)^e%DL4U3vKZ{_f=Oszyh_ literal 0 HcmV?d00001 
diff --git a/pkg/integrity/testdata/TestSignAndEncodeJSON/SHA1.golden b/pkg/integrity/testdata/TestSignAndEncodeJSON/SHA1.golden deleted file mode 100644 index a7cc90a3..00000000 --- a/pkg/integrity/testdata/TestSignAndEncodeJSON/SHA1.golden +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -{"One":1,"Two":2} ------BEGIN PGP SIGNATURE----- - -wsBzBAEBAgAnBQJZr0CRCZCiDCfuf/e6hBYhBBIEXIwLEATQWN5L7aIMJ+5/97qE -AACQnAf/XWNnfBZfoOffU9YBG4JIGbo1fBuO0NbxlP22zpiS9NM2CViTHmpmqe7K -9d53CXsHrpQB1Oc+h5c5QsWjOl3girXO8du9833lygsFGjK3Q9mc0cfrXoEMOw+N -B0hMq/JxQVOfdBn0Z5YF6Sfkjkifhm36GpNB8I3QmuIu3kd2nIfa6WLo7h4txKFU -0ZPxRZ8IWFTTBEhWwSUrR30cOr5PvQfu0oTZ7xxkeUPudmxNXBad6uunyXyBkhmq -m0fMZyCbPeRc5gvUsAnxSDAKU5Ryj6GIUBpBv7c3AXwfusO4HAaOQi+BZDTjMVBF -AXJc73L0mvJvX9dOEnmd6D7xylclHQ== -=BpCt ------END PGP SIGNATURE----- \ No newline at end of file From 0b6868ff35f2661536027104b0d1401bfa64ef66 Mon Sep 17 00:00:00 2001 From: Adam Hughes <9903835+tri-adam@users.noreply.github.com> Date: Wed, 28 Sep 2022 14:42:48 +0000 Subject: [PATCH 2/2] fix: updated supported digest hash functions Remove SHA1 as per NIST recommendation. Add SHA512_224 and SHA512_256. update relevant unit tests. 
Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com> --- pkg/integrity/digest.go | 20 +++--- pkg/integrity/digest_test.go | 64 +++++++++++++----- pkg/integrity/metadata_test.go | 26 ++++--- pkg/integrity/sign_test.go | 16 ++--- .../TestDigest_MarshalJSON/SHA1.golden | 1 - .../TestDigest_MarshalJSON/SHA512_224.golden | 1 + .../TestDigest_MarshalJSON/SHA512_256.golden | 1 + .../TestGetHeaderMetadata/SHA1.golden | 1 - .../TestGetHeaderMetadata/SHA512_224.golden | 1 + .../TestGetHeaderMetadata/SHA512_256.golden | 1 + .../TestGetImageMetadata/Object1.golden | 2 +- .../TestGetImageMetadata/Object2.golden | 2 +- .../testdata/TestGetImageMetadata/SHA1.golden | 1 - .../TestGetObjectMetadata/RelativeID.golden | 2 +- .../TestGetObjectMetadata/SHA1.golden | 1 - .../TestGetObjectMetadata/SHA512_224.golden | 1 + .../TestGetObjectMetadata/SHA512_256.golden | 1 + .../Group1.golden | Bin 33100 -> 33230 bytes .../Group2.golden | Bin 32953 -> 33031 bytes .../Object1.golden | Bin 32953 -> 33031 bytes .../Object2.golden | Bin 32953 -> 33031 bytes .../SignatureConfigSHA224.golden | Bin 33100 -> 33230 bytes .../SignatureConfigSHA256.golden | Bin 33100 -> 33230 bytes .../SignatureConfigSHA384.golden | Bin 33100 -> 33230 bytes .../SignatureConfigSHA512.golden | Bin 33100 -> 33230 bytes 25 files changed, 90 insertions(+), 52 deletions(-) delete mode 100644 pkg/integrity/testdata/TestDigest_MarshalJSON/SHA1.golden create mode 100644 pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_224.golden create mode 100644 pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_256.golden delete mode 100644 pkg/integrity/testdata/TestGetHeaderMetadata/SHA1.golden create mode 100644 pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_224.golden create mode 100644 pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_256.golden delete mode 100644 pkg/integrity/testdata/TestGetImageMetadata/SHA1.golden delete mode 100644 pkg/integrity/testdata/TestGetObjectMetadata/SHA1.golden create mode 
100644 pkg/integrity/testdata/TestGetObjectMetadata/SHA512_224.golden
 create mode 100644 pkg/integrity/testdata/TestGetObjectMetadata/SHA512_256.golden
diff --git a/pkg/integrity/digest.go b/pkg/integrity/digest.go
index 42850053..93aaa918 100644
--- a/pkg/integrity/digest.go
+++ b/pkg/integrity/digest.go
@@ -26,12 +26,14 @@ var (
 errDigestMalformed = errors.New("digest malformed")
 )
-var supportedAlgorithms = map[crypto.Hash]string{
- crypto.SHA1: "sha1",
- crypto.SHA224: "sha224",
- crypto.SHA256: "sha256",
- crypto.SHA384: "sha384",
- crypto.SHA512: "sha512",
+// Hash functions supported for digests.
+var supportedDigestAlgorithms = map[crypto.Hash]string{
+ crypto.SHA224: "sha224",
+ crypto.SHA256: "sha256",
+ crypto.SHA384: "sha384",
+ crypto.SHA512: "sha512",
+ crypto.SHA512_224: "sha512_224",
+ crypto.SHA512_256: "sha512_256",
 }
 // hashValue calculates a digest by applying hash function h to the contents read from r. If h is
@@ -56,7 +58,7 @@ type digest struct {
 // newDigest returns a new digest. If h is not supported, errHashUnsupported is returned. If digest
 // is malformed, errDigestMalformed is returned.
 func newDigest(h crypto.Hash, value []byte) (digest, error) {
- if _, ok := supportedAlgorithms[h]; !ok {
+ if _, ok := supportedDigestAlgorithms[h]; !ok {
 return digest{}, errHashUnsupported
 }
@@ -108,7 +110,7 @@ func (d digest) matches(r io.Reader) (bool, error) {
 // MarshalJSON marshals d into string of format "alg:value".
 func (d digest) MarshalJSON() ([]byte, error) {
- n, ok := supportedAlgorithms[d.hash]
+ n, ok := supportedDigestAlgorithms[d.hash]
 if !ok {
 return nil, errHashUnsupported
 }
@@ -134,7 +136,7 @@ func (d *digest) UnmarshalJSON(data []byte) error {
 return fmt.Errorf("%w: %v", errDigestMalformed, err)
 }
- for h, n := range supportedAlgorithms {
+ for h, n := range supportedDigestAlgorithms {
 if n == name {
 digest, err := newDigest(h, v)
 if err != nil {
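Review bot: The strings in `supportedDigestAlgorithms` are what `MarshalJSON` writes into the `alg:value` digest and what `UnmarshalJSON` matches on, so `sha512_224` and `sha512_256` become part of the stored metadata format, and `sha1:` digests in existing metadata stop decoding (the updated tests expect `errHashUnsupported`). The one-line comment added on the map says neither thing. I would extend it, for example `// Names are part of the serialized digest format and must not change. SHA-1 is intentionally absent, so metadata carrying sha1 digests is rejected.` This map is also a different allow-list from `supportedPGPAlgorithms` in clearsign.go, which has no SHA-512/224 or SHA-512/256 entry, so a cross-reference would keep the two from being read as one policy.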
diff --git a/pkg/integrity/digest_test.go b/pkg/integrity/digest_test.go index b5052608..930fe6c0 100644 --- a/pkg/integrity/digest_test.go +++ b/pkg/integrity/digest_test.go @@ -118,14 +118,14 @@ func TestDigest_MarshalJSON(t *testing.T) { wantErr error }{ { - name: "UnsupportedHash", + name: "HashUnsupportedMD5", hash: crypto.MD5, wantErr: errHashUnsupported, }, { - name: "SHA1", - hash: crypto.SHA1, - value: "597f6a540010f94c15d71806a99a2c8710e747bd", + name: "HashUnsupportedSHA1", + hash: crypto.SHA1, + wantErr: errHashUnsupported, }, { name: "SHA224", @@ -147,6 +147,16 @@ func TestDigest_MarshalJSON(t *testing.T) { hash: crypto.SHA512, value: "db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593", //nolint:lll }, + { + name: "SHA512_224", + hash: crypto.SHA512_224, + value: "06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c", + }, + { + name: "SHA512_256", + hash: crypto.SHA512_256, + value: "3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f", + }, } for _, tt := range tests { 
@@ -197,60 +207,80 @@ func TestDigest_UnmarshalJSON(t *testing.T) { wantErr: errDigestMalformed, }, { - name: "UnsupportedHash", + name: "HashUnsupportedMD5", r: strings.NewReader(`"md5:b0804ec967f48520697662a204f5fe72"`), wantErr: errHashUnsupported, }, + { + name: "HashUnsupportedSHA1", + r: strings.NewReader(`"sha1:597f6a540010f94c15d71806a99a2c8710e747bd"`), + wantErr: errHashUnsupported, + }, { name: "DigestMalformedNotHex", - r: strings.NewReader(`"sha1:oops"`), + r: strings.NewReader(`"sha256:oops"`), wantErr: errDigestMalformed, }, { name: "DigestMalformedIncorrectLen", - r: strings.NewReader(`"sha1:597f"`), + r: strings.NewReader(`"sha256:597f"`), wantErr: errDigestMalformed, }, - { - name: "SHA1", - r: strings.NewReader(`"sha1:597f6a540010f94c15d71806a99a2c8710e747bd"`), - wantHash: crypto.SHA1, - wantValue: "597f6a540010f94c15d71806a99a2c8710e747bd", - }, { name: "SHA224", r: strings.NewReader(`"sha224:95041dd60ab08c0bf5636d50be85fe9790300f39eb84602858a9b430"`), - wantHash: crypto.SHA1, + wantHash: crypto.SHA224, wantValue: "95041dd60ab08c0bf5636d50be85fe9790300f39eb84602858a9b430", }, { name: "SHA256", r: strings.NewReader(`"sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447"`), - wantHash: crypto.SHA1, + wantHash: crypto.SHA256, wantValue: "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447", }, { name: "SHA384", r: strings.NewReader(`"sha384:6b3b69ff0a404f28d75e98a066d3fc64fffd9940870cc68bece28545b9a75086b343d7a1366838083e4b8f3ca6fd3c80"`), //nolint:lll - wantHash: crypto.SHA1, + wantHash: crypto.SHA384, wantValue: "6b3b69ff0a404f28d75e98a066d3fc64fffd9940870cc68bece28545b9a75086b343d7a1366838083e4b8f3ca6fd3c80", }, { name: "SHA512", r: strings.NewReader(`"sha512:db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593"`), //nolint:lll - wantHash: crypto.SHA1, + wantHash: crypto.SHA512, wantValue: 
"db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593", //nolint:lll }, + { + name: "SHA512_224", + r: strings.NewReader(`"sha512_224:06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c"`), + wantHash: crypto.SHA512_224, + wantValue: "06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c", + }, + { + name: "SHA512_256", + r: strings.NewReader(`"sha512_256:3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f"`), + wantHash: crypto.SHA512_256, + wantValue: "3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f", + }, } for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { var d digest + err := json.NewDecoder(tt.r).Decode(&d) if got, want := err, tt.wantErr; !errors.Is(got, want) { t.Fatalf("got error %v, want %v", got, want) } + + if got, want := d.hash, tt.wantHash; got != want { + t.Errorf("got hash %v, want %v", got, want) + } + + if got, want := hex.EncodeToString(d.value), tt.wantValue; got != want { + t.Errorf("got value %v, want %v", got, want) + } }) } } diff --git a/pkg/integrity/metadata_test.go b/pkg/integrity/metadata_test.go index 7fb5c6c7..29c329fe 100644 --- a/pkg/integrity/metadata_test.go +++ b/pkg/integrity/metadata_test.go @@ -2,7 +2,7 @@ // Apptainer a Series of LF Projects LLC. // For website terms of use, trademark policy, privacy policy and other // project policies see https://lfprojects.org/policies -// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved. +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file // distributed with the sources of this project regarding your rights to use or distribute this // software. 
@@ -39,12 +39,14 @@ func TestGetHeaderMetadata(t *testing.T) {
 wantErr error
 }{
 {name: "HashUnavailable", header: bytes.NewReader(b), hash: crypto.MD4, wantErr: errHashUnavailable},
- {name: "HashUnsupported", header: bytes.NewReader(b), hash: crypto.MD5, wantErr: errHashUnsupported},
- {name: "SHA1", header: bytes.NewReader(b), hash: crypto.SHA1},
+ {name: "HashUnsupportedMD5", header: bytes.NewReader(b), hash: crypto.MD5, wantErr: errHashUnsupported},
+ {name: "HashUnsupportedSHA1", header: bytes.NewReader(b), hash: crypto.SHA1, wantErr: errHashUnsupported},
 {name: "SHA224", header: bytes.NewReader(b), hash: crypto.SHA224},
 {name: "SHA256", header: bytes.NewReader(b), hash: crypto.SHA256},
 {name: "SHA384", header: bytes.NewReader(b), hash: crypto.SHA384},
 {name: "SHA512", header: bytes.NewReader(b), hash: crypto.SHA512},
+ {name: "SHA512_224", header: bytes.NewReader(b), hash: crypto.SHA512_224},
+ {name: "SHA512_256", header: bytes.NewReader(b), hash: crypto.SHA512_256},
 }
 for _, tt := range tests {
@@ -92,13 +94,15 @@ func TestGetObjectMetadata(t *testing.T) {
 wantErr error
 }{
 {name: "HashUnavailable", descr: bytes.NewReader(rid0), hash: crypto.MD4, wantErr: errHashUnavailable},
- {name: "HashUnsupported", descr: bytes.NewReader(rid0), hash: crypto.MD5, wantErr: errHashUnsupported},
- {name: "RelativeID", relativeID: 1, descr: bytes.NewReader(rid1), data: strings.NewReader("blah"), hash: crypto.SHA1},
- {name: "SHA1", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA1},
+ {name: "HashUnsupportedMD5", descr: bytes.NewReader(rid0), hash: crypto.MD5, wantErr: errHashUnsupported},
+ {name: "HashUnsupportedSHA1", descr: bytes.NewReader(rid0), hash: crypto.SHA1, wantErr: errHashUnsupported},
+ {name: "RelativeID", relativeID: 1, descr: bytes.NewReader(rid1), data: strings.NewReader("blah"), hash: crypto.SHA256}, //nolint:lll
 {name: "SHA224", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA224},
 {name: "SHA256", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA256},
 {name: "SHA384", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA384},
 {name: "SHA512", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA512},
+ {name: "SHA512_224", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA512_224},
+ {name: "SHA512_256", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA512_256},
 }
 for _, tt := range tests {
@@ -143,11 +147,11 @@ func TestGetImageMetadata(t *testing.T) {
 wantErr error
 }{
 {name: "HashUnavailable", hash: crypto.MD4, wantErr: errHashUnavailable},
- {name: "HashUnsupported", hash: crypto.MD5, wantErr: errHashUnsupported},
- {name: "MinimumIDInvalid", minID: 2, ods: []sif.Descriptor{od1}, hash: crypto.SHA1, wantErr: errMinimumIDInvalid},
- {name: "Object1", minID: 1, ods: []sif.Descriptor{od1}, hash: crypto.SHA1},
- {name: "Object2", minID: 1, ods: []sif.Descriptor{od2}, hash: crypto.SHA1},
- {name: "SHA1", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA1},
+ {name: "HashUnsupportedMD5", hash: crypto.MD5, wantErr: errHashUnsupported},
+ {name: "HashUnsupportedSHA1", hash: crypto.SHA1, wantErr: errHashUnsupported},
+ {name: "MinimumIDInvalid", minID: 2, ods: []sif.Descriptor{od1}, hash: crypto.SHA256, wantErr: errMinimumIDInvalid},
+ {name: "Object1", minID: 1, ods: []sif.Descriptor{od1}, hash: crypto.SHA256},
+ {name: "Object2", minID: 1, ods: []sif.Descriptor{od2}, hash: crypto.SHA256},
 {name: "SHA224", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA224},
 {name: "SHA256", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA256},
 {name: "SHA384", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA384},
diff --git a/pkg/integrity/sign_test.go b/pkg/integrity/sign_test.go
index 6826b89b..2295d84d 100644
--- a/pkg/integrity/sign_test.go
+++ b/pkg/integrity/sign_test.go
@@ -276,7 +276,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d1},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 Time: fixedTime,
 },
@@ -289,7 +289,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d2},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 Time: fixedTime,
 },
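Review bot: In the `TestGetImageMetadata` table the SHA-1 success case is dropped and the remaining cases move to SHA-256, but no `SHA512_224` / `SHA512_256` rows are added, unlike `TestGetHeaderMetadata` and `TestGetObjectMetadata` in the two hunks before it; the commit's file list also creates no `TestGetImageMetadata/SHA512_*.golden`. The hunk ends at the `SHA384` row, so the rest of the table is not visible, but as far as the patch shows the two new digest algorithms are never exercised through image metadata. Adding `{name: "SHA512_224", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA512_224},` and the matching `SHA512_256` row, with their golden files, would close that gap.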
@@ -302,7 +302,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d1, d2},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 Time: fixedTime,
 },
@@ -315,7 +315,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 2,
 ods: []sif.Descriptor{d3},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 Time: fixedTime,
 },
@@ -328,7 +328,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d1, d2},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 DefaultHash: crypto.SHA224,
 Time: fixedTime,
@@ -342,7 +342,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d1, d2},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 DefaultHash: crypto.SHA256,
 Time: fixedTime,
@@ -356,7 +356,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d1, d2},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 DefaultHash: crypto.SHA384,
 Time: fixedTime,
@@ -370,7 +370,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
 f: twoGroups,
 id: 1,
 ods: []sif.Descriptor{d1, d2},
- mdHash: crypto.SHA1,
+ mdHash: crypto.SHA256,
 sigConfig: &packet.Config{
 DefaultHash: crypto.SHA512,
 Time: fixedTime,
diff --git a/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA1.golden b/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA1.golden
deleted file mode 100644
index c39798c4..00000000
--- a/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA1.golden
+++ /dev/null
@@ -1 +0,0 @@
-"sha1:597f6a540010f94c15d71806a99a2c8710e747bd"
diff --git a/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_224.golden b/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_224.golden
new file mode 100644
index 00000000..96aff7b2
--- /dev/null
+++ b/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_224.golden @@ -0,0 +1 @@ +"sha512_224:06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c" diff --git a/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_256.golden b/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_256.golden new file mode 100644 index 00000000..c4a1fbc5 --- /dev/null +++ b/pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_256.golden @@ -0,0 +1 @@ +"sha512_256:3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f" diff --git a/pkg/integrity/testdata/TestGetHeaderMetadata/SHA1.golden b/pkg/integrity/testdata/TestGetHeaderMetadata/SHA1.golden deleted file mode 100644 index 51232cab..00000000 --- a/pkg/integrity/testdata/TestGetHeaderMetadata/SHA1.golden +++ /dev/null @@ -1 +0,0 @@ -{"digest":"sha1:bd6b562b49ff04470f641ad3c971822303049826"} diff --git a/pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_224.golden b/pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_224.golden new file mode 100644 index 00000000..98489110 --- /dev/null +++ b/pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_224.golden @@ -0,0 +1 @@ +{"digest":"sha512_224:d5f9767e096056fcf381b801e2b0b80b33acdc09b7a7e3a1c504231e"} diff --git a/pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_256.golden b/pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_256.golden new file mode 100644 index 00000000..449166a2 --- /dev/null +++ b/pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_256.golden @@ -0,0 +1 @@ +{"digest":"sha512_256:eb199aeab4047ca6430890372769681045c20b1a0a4a78b595ab62dbdfc9285f"} diff --git a/pkg/integrity/testdata/TestGetImageMetadata/Object1.golden b/pkg/integrity/testdata/TestGetImageMetadata/Object1.golden index cbddd5d2..142d7f0f 100644 --- a/pkg/integrity/testdata/TestGetImageMetadata/Object1.golden +++ b/pkg/integrity/testdata/TestGetImageMetadata/Object1.golden 
@@ -1 +1 @@ -{"version":1,"header":{"digest":"sha1:86696357e7806b51baf75fc0bf9b8fc677e5cdd0"},"objects":[{"relativeId":0,"descriptorDigest":"sha1:1406a1a9c75a332fc50cb8519a9a7f9f2531480e","objectDigest":"sha1:15146b9bf4f1f5f9bf176a398d8c4f0321c63064"}]} +{"version":1,"header":{"digest":"sha256:635fa0a14a8ef0c0351ed3e985799ed1d4f75ce973dea3cc76c99710795cc3f1"},"objects":[{"relativeId":0,"descriptorDigest":"sha256:3634ad01db0dd5482ecf685267b53d6201690438ca27c3d7ea91c971a1f41f92","objectDigest":"sha256:004dfc8da678c309de28b5386a1e9efd57f536b150c40d29b31506aa0fb17ec2"}]} diff --git a/pkg/integrity/testdata/TestGetImageMetadata/Object2.golden b/pkg/integrity/testdata/TestGetImageMetadata/Object2.golden index 181f464a..e130e643 100644 --- a/pkg/integrity/testdata/TestGetImageMetadata/Object2.golden +++ b/pkg/integrity/testdata/TestGetImageMetadata/Object2.golden @@ -1 +1 @@ -{"version":1,"header":{"digest":"sha1:86696357e7806b51baf75fc0bf9b8fc677e5cdd0"},"objects":[{"relativeId":1,"descriptorDigest":"sha1:076d6ec6e32a6237d838ba20c825c6caa4c78544","objectDigest":"sha1:fd526afdbdea7c87d81c33314b0e0dbdfa5ba79f"}]} +{"version":1,"header":{"digest":"sha256:635fa0a14a8ef0c0351ed3e985799ed1d4f75ce973dea3cc76c99710795cc3f1"},"objects":[{"relativeId":1,"descriptorDigest":"sha256:04b5f87c9692a54f80d10fb6af00c779763aeca29d610348854bd97cd8bf66fd","objectDigest":"sha256:9f9c4e5e131934969b4ac8f495691c70b8c6c8e3f489c2c9ab5f1af82bce0604"}]} diff --git a/pkg/integrity/testdata/TestGetImageMetadata/SHA1.golden b/pkg/integrity/testdata/TestGetImageMetadata/SHA1.golden deleted file mode 100644 index a474a502..00000000 --- a/pkg/integrity/testdata/TestGetImageMetadata/SHA1.golden +++ /dev/null 
@@ -1 +0,0 @@
-{"version":1,"header":{"digest":"sha1:86696357e7806b51baf75fc0bf9b8fc677e5cdd0"},"objects":[{"relativeId":0,"descriptorDigest":"sha1:1406a1a9c75a332fc50cb8519a9a7f9f2531480e","objectDigest":"sha1:15146b9bf4f1f5f9bf176a398d8c4f0321c63064"},{"relativeId":1,"descriptorDigest":"sha1:076d6ec6e32a6237d838ba20c825c6caa4c78544","objectDigest":"sha1:fd526afdbdea7c87d81c33314b0e0dbdfa5ba79f"}]}
diff --git a/pkg/integrity/testdata/TestGetObjectMetadata/RelativeID.golden b/pkg/integrity/testdata/TestGetObjectMetadata/RelativeID.golden
index dc7a4fcd..409c57df 100644
--- a/pkg/integrity/testdata/TestGetObjectMetadata/RelativeID.golden
+++ b/pkg/integrity/testdata/TestGetObjectMetadata/RelativeID.golden
@@ -1 +1 @@
-{"relativeId":1,"descriptorDigest":"sha1:f3681c97de35ea124cd2e3687ed62988c7138f3a","objectDigest":"sha1:5bf1fd927dfb8679496a2e6cf00cbe50c1c87145"}
+{"relativeId":1,"descriptorDigest":"sha256:a1e6ca1d0cce1fbd71b186ac7a5c5a805c833ecc419a78d017558e79c0862790","objectDigest":"sha256:8b7df143d91c716ecfa5fc1730022f6b421b05cedee8fd52b1fc65a96030ad52"}
diff --git a/pkg/integrity/testdata/TestGetObjectMetadata/SHA1.golden b/pkg/integrity/testdata/TestGetObjectMetadata/SHA1.golden
deleted file mode 100644
index c1265fc4..00000000
--- a/pkg/integrity/testdata/TestGetObjectMetadata/SHA1.golden
+++ /dev/null
@@ -1 +0,0 @@
-{"relativeId":0,"descriptorDigest":"sha1:042874d3fd63a516c5abe45b221ed8db1e5cfd84","objectDigest":"sha1:5bf1fd927dfb8679496a2e6cf00cbe50c1c87145"}
diff --git a/pkg/integrity/testdata/TestGetObjectMetadata/SHA512_224.golden b/pkg/integrity/testdata/TestGetObjectMetadata/SHA512_224.golden
new file mode 100644
index 00000000..856a115c
--- /dev/null
+++ b/pkg/integrity/testdata/TestGetObjectMetadata/SHA512_224.golden
@@ -0,0 +1 @@
+{"relativeId":0,"descriptorDigest":"sha512_224:ba5b52f4337756f9efb0c7d35f16e0365ba5845b0dd9df5e9edfce3a","objectDigest":"sha512_224:b1d15ae18bb05265b44e9e0137f08078f53f5b239a78c49c2cfc2c9c"}
diff --git a/pkg/integrity/testdata/TestGetObjectMetadata/SHA512_256.golden b/pkg/integrity/testdata/TestGetObjectMetadata/SHA512_256.golden new file mode 100644 index 00000000..3271f6da --- /dev/null +++ b/pkg/integrity/testdata/TestGetObjectMetadata/SHA512_256.golden @@ -0,0 +1 @@ +{"relativeId":0,"descriptorDigest":"sha512_256:aef151cf86aaab28a4e086c9e1f9d19c8f85e4eb794336d909a6844ce7fb52ef","objectDigest":"sha512_256:9a801762c512490303535d35c221e2dc1d24f5094d038041dc4303ba7ac04f0e"} diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Group1.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Group1.golden index 85d39dbb81a61b0b6c300772aabb63862d25c5d9..108a9dacc2331dcf25e11cade1a46c7413782966 100644 GIT binary patch delta 768 zcmX}nyKWOv5C&irQMn-v1rmyc=y2h4_S}(D*k0SQ9Xr0?D$aE`@olqq>|GbJ0Ersm zN8vSqcYr5h6(pt_jYi-6^W)Rmug_;+le3HG-+!NfdGYQ1Rqo>Xv!}{NZ_ocMeUH%h z6cHzZgjjOxfCh*_YmgP3Fd?jg20KQy6$}|Gk=BfAAs7Tq5Ur7er@|w7f)GVm8UT#~ z#t_Uss~zRUqf8NGs0Sbw03)uY$22m`N&$5yN$4vA!wZz2FYaTKg{yENU1tLCyq3O1hmn9Z(n2{rd5 zACA{0Ol+-NuWt&$EVpYcYCH;AdUIHUq*w9$#X9JXlwZs%t`6GRTDph^&i5a}QBaCo zQ3IAYyJQ^g8 zX{$+VghEmRy_9=Ni*#p&Ad1!Mt-{o`dW0%H75w>GW%rDd=8a<}MHF5S+lr G*M9*$`s#83 delta 712 zcmZ{hOK;Oa0EAJwpj_w`ajC+s1$o!|upOxfJ5J+AYSP$E+(;aD*IwuCq)8e(Qi%i- zXGE_37yJ#xe}G@Xfdk=jWsW0_zR}Fr_eWpe9epg09v*-GcKqS#r{iaphsTfp=wQ7# z{ysg0HJws}BBG_54k#y(GpP|N0G9^WrJ$OY5|Jce@4h8NSc4c)2ALr=!VprWAV6@P zK!X`flZI3Yf>;M>^<_2Zqg1TyVU{je)mn8qV23z?m~w+lETJR^goGMp$j}pAU&Qu_Dl?W;r!$Q*u#{Z$ogs7CsgeNJ}gno!a zfzY8K2PrtXk`c}{LsswK+*e-xmepvw!AZN>J_+6ZkKNVIw%eP`93_ei1EzJa11=)I zQLVcuO!I-C#w;1U9>C!Uqn+1VC$ zeXlbQZoR1n8gs>+C8n~ru~V+n8)piKPA{2Ey^>nHN)zRCWj2`9>xSJntZm#}USC94 zy>T`P=O90`EQpXNbHii{vk1pgq#|y@2NHl6xC>TjEKn!5FSbyN#|^FkU8jkd@@B;Vj*5zk3#k;jE)Z zv>7_0>yFV~J!^Np&01MP+;QVAE`UFr`klq%(uur^q0{*6RuQ65ihQ=rxD&Z+$BzP^ c65l*OubiuWB>q0o2<(6RHv==;|J*(K1#dRm-v9sr 
diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Group2.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Group2.golden index 7e876ca857f22c9b81ed0966c0e22ff892ced3e9..9e5737b0350135d92b599a8aad79e2710eeb2e1f 100644 GIT binary patch delta 638 zcmW-c%Wl&^7)DXMA{)9zLM*ZkQf55<$1|0>$jz}`(!{ygO?LKN;>5YOPU3jc0t?t8 zy5=dm;vskl#EX#fZO_q>zF(iuzI{3So}Y#1&wnnyzWH(S_H}sv>i@#$^2Og}(*Sx& z3Frt#*o>IcNFV}ONuoFdi*qHhG_?gnaf?V55g{xpIJYpeI0!*BeyTpe<4Y(ea6$|t z%@`6CbA2+1$q^^alFHvV5OJ zFJWm&X(DB5O=D^Sk<1i0Vt^>dj4O)eds8Y-8Iu46138(TYK?e|H8!Mp`u#9{Y8#bQ6E!Z)I?Ii7i@oUB zV9na{PRiZU7Kfm(>NjSuI@^D&Bu-uh!4@#%L7!&vsI&574|cFi$CI?QtZmX_yA8(s z_HJ=KZ$@w+_2$M-R`bA1bw1e_9zjsad!colTI+6BowUZwVP}|69dqTC=EeftK!u_{ f2AvNkn)mDqU$vdapdZw(u1Z&F;#8l0etP#0i?+s7 delta 579 zcmW;EO>@#f0Dxhqy+|%{b-Z*qiXD>O>~6wL4^1fvLO%FNsN8lp*$`+xfB;Dkq8{|> z*q_pqKgaQhX!SY1hxgl;v!9>OzE@|B^QT|UudjYIUpE@(FaB#hwVJ=vw@O#TSjP~N zh-flqNMTeEB)H6k&NRU>ArazXC_fH9qD1LNGFG_~X+#JWae^>p5O4q^HBv*O5Fm?4 z!$P#)wQ{zKc-c$hXjitnt=*C;U7&`Vj`RpZC^M{6iWrSl0d*lTL0naz8%7vBzB$Dw zqpghvF|6`1Lvan($!OGGxmi^&@AuD-yPmq3WnS2WmOXqQZgXQiF|!TpQ*&M%AEd)! zys>w5ep4J$J^0{m)U=9keR_`rM+w&3qpvx+Zw-rSJFI|_PAUv34||sHn!@AYBso|u zRU~AH4BJMP+Wsst7JNbdfnDEGT(MJUUQ32hmsTfP z`g{r4YFore$m1jHGpGgg{U&$GO%|78>Ui1o=#;pCqr0?TclwSSFw-THwRQq|7s?x+ u^>Q$uj9fqO1m-dud3F$AT}fACt3=Y}KetZr!ZW>#>A-ZZXODkAz5EL`rnM0O 
diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Object1.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Object1.golden index e4b2c60f5367413f958a7c2206a48f4fae37aa1d..a559012f955a3ba4ce6e855d9957e02b2513ee73 100644 GIT binary patch delta 638 zcmW;ExpLD$0Dxg8sc=Ku%rF#g&5ZZZ?rJlW!j>f;lFvB4y44N5zlDD7@D)t1ad_&5BpW^iI6O z09eXMTM5c+i2+v{*)OC`1=L&{Mc4;JFbyFA(gF(c5Wg%H0+T>_hIe<`jG|q|%WRng#^QRntk%iMZ@4sz`cqkOtC5-J>!Z8W znKN@`&pS>4w(7pWUB@x4CMUfkDJge6 zuX<|C<9)DM92!nDI{57fSK(w#BWZ0b5l@Cw~+s{hsA4t*R=_Qoov!?evt} z8CeYBqCOe41n>GjT(x+wyY!vf)|4BYW`b(SCW-5`=mMVNn(BtjB;6KzgLJa(&yLHW zwVy)*Wh?aS5A&sX28tH$-yubZ#0e%!onG_GI#r}5Oh`5nClcN&BUN{Z^M zngEFc2xh9ns6ZGZ8lzBEeTA;q!lnOF*?>DB3lIa0sH$K|5*bwlN;Cx^jIhcO6BP-_ zn&3CzH50P+Y2MicewH`ynpudSbp^V=UCHWJ1LMk3GsR$rd&5L z3ULu+ov}BKSY>4>*AKk28;DD*8bRAw1q4RB69Ix>rhH7j^fdBu>tM|xsHk=3j>bcH zTExYssC*YiwX!ZAbcK!SwuQDPhvP>2S3dh^Aqn=}H%bi;L4(MuX zR31}#QFmu+5)_kBFm4;6x~E5!4hO@TVCD750$6a-AyOB}va3E=)f>F$oHC0hy}Y)! uP8EZ_zJ!5soU`L8?vbf}f6v_)j+b!n|M4*H+}fsnJL{WceSZ1#>E&OP)VQ$# 
diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Object2.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Object2.golden index 5bd8b6cc322461f6c8a33da691b0c0344f2f7b5a..f57bd02fc203a8bb281c0fc85ebe8a176b072ab6 100644 GIT binary patch delta 638 zcmW;GyKdT00D$2tnaa|vm8uS`RPwRU@wr6GfFaz$u_<7(ohvp59Kc+hA!$3bYgOhx zMW#MPAEN4uH0l2UpZ;H;&%S**`+hu|oIm}!`19p^lImV1Q1)A7+o$UNAG3 zp86Z=qytTk#wgmcH)&G^jchYIpkdNI%%?&*MGF$#S?+xk@|Cn($3ar65Ui>}eb@lY z)b9?9Wx5KRwHCLeY#}sg1pVDjxQM1qE$0yc{f(O^KF-7b&yv&y>F&(dz?u9R5rR1}tX9EH*n z9zKliD6Ry7cb!*QBfy)QcQfKMFuC9C`yY#mX_14MMqS@;gGst1PHEddRNw+`tzeDF zx*7P$-|Y&Rc(|I==B~(6YRRBog!?d_=lAU_y^Y$|ZP(BJ{;^Jz5?LIOPkJ)ytyZxf cuHlaCgIXs(cnE~EtETPcXD!05|Th^2#_vBUFg=a zkJ6Qo#$Uk~O3=^%Qw(X5&4>S1+HXS)d`hAkx|OOL`sai=sC z6H}bjD0X+&RjT2ns?&v%;<|!Y$K@c*#d}vPEnf^uBcodnP50T7iEz9LPJ(A^i_Dk8 zJ@_!)n-v|-fszx?M&q6r7h#2|uGSh0$il*~4%> ze$bX23=VMKOG8#pQvaIg+q*CaTfa|G!7|Yp*6TI0vSCQ=VPglrbE2sukodaa6gDW5;$}6U-wH$>+1bG|6RGZ* sytrGbj;r3R)U*wa6m$l5I1sg?+a26PV7m%;3X4#a87hrciSE>lh}Cd-a{ zi#LMuV35JgC?60Y%CUFUYsID3-eJdrV)nQ;g^ zi=5+35f4EqPK30aIzbQ?8ZoNC5DC;tZ#0HNGB_|CG}*m;c=iY(#9RR7jF1W_(#{iA z5K0*AwGWQVz^Sm9BVfo8ZE2ATV^FYIdLX->_pkp!%<`ZlXrYPWEGXn~(IiYj2&B|f zP~(erv=bOnrW9w^X$el*AVhHgH_|}^^W0;KHDv{7nE@4;=AyVkBC9}v@-#4|fq*u} zTx^0O7CaJ&?cP6(9xCgLUMOEh!%kzO(Gq%QPNMcKu_pV#T&Js9dXBF1;^FhU$+jcCKNFXsI zvi4u_HxT~;egy*q;jwbYBOQH5=X`yC^yS^r$NcE=`17}u56?cGJXao%pZw9mdU^6a zIRlpjArt8khnT2{LBOcQP;!+?lM%@g#v$ZFsQczyI0l!%P!R>xRRq;uetxR>+UKz$)tH5-yn4}%20kknKctI zw6mqVh+76LGITMK<4u%>sZ3l1*Gasz?Zvq_YP5l}t%YeP64#@7Y;T$7W#gMPE9M=r z8o182X9tanw-T~FolI^0qA#rKt#wC*zMT~*pAFKTlCb`*wN|IG%q#@mNMM%-_XB6M zpkmIK#2L+8E8VQ~w0+lYnJqt0?P#^i8|U>((1?jr^`=g>z&8`@1wDo?Z3tu!m&zw57q{xWY?+xI1K2PF;*|{>+MQ7N6Mmq1;BcC?OU>g$@Byz2m b!}8UYa;5rQ{(YeC)c);nIc0zUbNBQYyIA6x 
diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA256.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA256.golden index 85d39dbb81a61b0b6c300772aabb63862d25c5d9..108a9dacc2331dcf25e11cade1a46c7413782966 100644 GIT binary patch delta 768 zcmX}nyKWOv5C&irQMn-v1rmyc=y2h4_S}(D*k0SQ9Xr0?D$aE`@olqq>|GbJ0Ersm zN8vSqcYr5h6(pt_jYi-6^W)Rmug_;+le3HG-+!NfdGYQ1Rqo>Xv!}{NZ_ocMeUH%h z6cHzZgjjOxfCh*_YmgP3Fd?jg20KQy6$}|Gk=BfAAs7Tq5Ur7er@|w7f)GVm8UT#~ z#t_Uss~zRUqf8NGs0Sbw03)uY$22m`N&$5yN$4vA!wZz2FYaTKg{yENU1tLCyq3O1hmn9Z(n2{rd5 zACA{0Ol+-NuWt&$EVpYcYCH;AdUIHUq*w9$#X9JXlwZs%t`6GRTDph^&i5a}QBaCo zQ3IAYyJQ^g8 zX{$+VghEmRy_9=Ni*#p&Ad1!Mt-{o`dW0%H75w>GW%rDd=8a<}MHF5S+lr G*M9*$`s#83 delta 712 zcmZ{hOK;Oa0EAJwpj_w`ajC+s1$o!|upOxfJ5J+AYSP$E+(;aD*IwuCq)8e(Qi%i- zXGE_37yJ#xe}G@Xfdk=jWsW0_zR}Fr_eWpe9epg09v*-GcKqS#r{iaphsTfp=wQ7# z{ysg0HJws}BBG_54k#y(GpP|N0G9^WrJ$OY5|Jce@4h8NSc4c)2ALr=!VprWAV6@P zK!X`flZI3Yf>;M>^<_2Zqg1TyVU{je)mn8qV23z?m~w+lETJR^goGMp$j}pAU&Qu_Dl?W;r!$Q*u#{Z$ogs7CsgeNJ}gno!a zfzY8K2PrtXk`c}{LsswK+*e-xmepvw!AZN>J_+6ZkKNVIw%eP`93_ei1EzJa11=)I zQLVcuO!I-C#w;1U9>C!Uqn+1VC$ zeXlbQZoR1n8gs>+C8n~ru~V+n8)piKPA{2Ey^>nHN)zRCWj2`9>xSJntZm#}USC94 zy>T`P=O90`EQpXNbHii{vk1pgq#|y@2NHl6xC>TjEKn!5FSbyN#|^FkU8jkd@@B;Vj*5zk3#k;jE)Z zv>7_0>yFV~J!^Np&01MP+;QVAE`UFr`klq%(uur^q0{*6RuQ65ihQ=rxD&Z+$BzP^ c65l*OubiuWB>q0o2<(6RHv==;|J*(K1#dRm-v9sr 
diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA384.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA384.golden index 06d7f944f684deb2fd62175514ab39dda9938a08..6ece017ed262602841c2a48c288ff3b9a95d89d1 100644 GIT binary patch delta 768 zcmX}nxo#6-5C?D+QMn-v1rmyc=t$x3K9EwZvyRXB+Bjaj;@j_VeD2z@y&D&?0Ersm zN8vSqcYr5h6(pt_jYhxu&yPqDy*>T2@DXM2 z8KzDF1&I>Y0Sz#P)?h0I*h+VXZmSQgR5mq*`MKkHts&1Yw4WG60$g z7(g$FP|U)h;dpN#kkNINMn)6 z3BeS!(mF%AqnJgI0!@HHGQxSwlmae-+-h|E`S|W1L?Y@0*OE!3C~*Q9m@hHq0MMLE z&akq19BCK?m ziu=vMDygGQueEH+f*O+1K%Td5;%ci=k-I5_`-WY${C$_%wYX~BERr-16EN>DyxsC) zR789|HkDw;iyj#64h6qSqHx>q#k1ugmDO1>34-)4lp~@@ICoizcf8#;+l79+yq_kd za~IZoTI}ze@ut7ZXrXnzA9T0NJ6^q-S+r~n*Oz{?(y0|~>gJ%t%SqA*+S#xjPHNtD zXEnj?dMJ&r(?vR;t-OcA7>yQt3&eDr%srjdtY6DOlYq9Vj$5TICHJ#Ur-JH(cDI~O zGpsM;cpXdzvusT?xq(Pg^RSr`4N14{TB_$ B=urRw delta 712 zcmZ{hJ8#-h0EMe`sk}66)g_`^(#rSRz7Hd1FoqaoAOUPJNFDCOmw<8H5X?(Tky@#9 zRo48A{*9{tq5TydI+Q-vp7E28&e1tv-yeN>cl2?6^ziuex8n~_KOH~Q9v(mXqXT+z z{5?B`Ws0$lO+*qx0p|jUG!rbP{Qc$5ogn|S!)25ONO99h> z0-FF^`{%pU9V`QaB~AoROoL&=B$AqxGXn@}Ab|yAmLL>a)_>BJLFFFH$GdQsp+l=4=~uldHj?Er)I{FO52l z8gU2O$!tEF){V>gMzod?`Hf=U9CdX}HWwT$8FuWQ#-fIqDs?@xs?8n(e>-HpSx_W5Fem0ahp6qQy$cyP<97T+Jym+HU-q0JY7yYKg0xVnoy4#x7HZyyq zqc~sdcb!4Q%@-A3^gJ_P7BTfz5Do{u>iW84?PSU{w(50;L3cHu)o7e49)sEzuX3bc z28OlJv3`aN+O34c{?d(rC%XQ8oVvqkduvSVBe~F~vtpTsg+EXSYG1_RjSNV_zUfT)xKX*@l0oBvn(EtDd 
diff --git a/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA512.golden b/pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA512.golden index ad1f45844eb76e3281bfbaa8865361b8c0ff2218..9b01c675d68f59630a70b79700bd9893f3c3c478 100644 GIT binary patch delta 767 zcmX|;yKWO<5QR~c$_;5KBB4l#4j2CK7o-&H+uFPF+K!#rPQ`zX@gXuUrAv#cY^ z-ZD(R0tyl(oCgMA3Z2DH3d*H)7FyytHBNGDox;X&W~Ag0a7m599_}lT^a+F+CdvY6 zHL#Wvft>M7P{g>V*fInllYn4h6ygS3?v#Y4ASvhx^b+k~?Or^A03g;IVHM-TU?8nS zqCg0ypp(v9%00zQLkbK57D?j{p%d$2lxj?+6qZ9;ZVey7y7%2@G7q*q4ZP}z9Dow>b(zhkj>4d_!! z%Bw!_O>60}w9BT083|FhGg$|1>OZ8d0cuowahMJQxas#h)mmP@Z-$ra?gXXNC|ZrW zqhZa3%VF9K6J82jlDnWa3(CFG@;20y1#1i+qM2LHvvkuB$4PL{*By?M`dJW&MiZ0= zOF%2-X3`tAX4Sm3RdCKp`#in74Fi-0ba6cqy~@nRqpP)iNY)pP7VNWn-HkgjKSz@b zdmAr!Kb_Zy&E_;N#i)9jrr{t1SCXUwQ59r@bTqes#W5_ delta 712 zcmZ{hOK;Oa0EAI{K=OrN5tl058c=q<-d#IV4~d;7ah#{~w8UX|y_?!i<0f`ql}aR# zI3sfHzu<2m{sa69E=YvOl{t z`+j=?izXo!L6}Nv0>UxmOi`=^;L75r5`a&zF%AVn z$ATP4aC8;JoKZ{V9^O1?uYaptsn%QPooeUYuOEKwd;7*_stT%Rk4n9Gvn+Wt*EVkE zwZawJ%x^>?9GAPaT^E_GuwXHp^zTuy4mO#ytu$;$TP*rnvK-+~Ey{G+=nN-fyK64! zmbjI*wDVLr*HN5SM%mD!HX4aR;)Ur`n<673Vs?b*FDf4 z2UfaeWNZbQ>+wRT+N^uE*lmtT6fAt$GV2?46>3yE)$%IpoXRzXw!W&cFGqtx|t*__=@j3p#t