refactoring: use golang crypto/hash enums

Signed-off-by: Simon Ott <simon.ott@aisec.fraunhofer.de>

Author: smo4201

api/api.go

@@ -20,16 +20,16 @@ package api
 import (
 	"crypto"
 	"crypto/rsa"
-	"errors"
 	"fmt"
 	"strings"
 
 	ar "github.com/Fraunhofer-AISEC/cmc/attestationreport"
+	"github.com/Fraunhofer-AISEC/cmc/internal"
 )
 
 // The version of the API
 const (
-	apiVersion = "1.2.1"
+	apiVersion = "1.3.0"
 )
 
 func GetVersion() string {
@@ -88,10 +88,10 @@ type VerificationResponse struct {
 }
 
 type TLSSignRequest struct {
-	Version  string       `json:"version" cbor:"0,keyasint"`
-	Content  []byte       `json:"content" cbor:"1,keyasint"`
-	Hashtype HashFunction `json:"hashType" cbor:"2,keyasint"`
-	PssOpts  *PSSOptions  `json:"pssOpts" cbor:"3,keyasint"`
+	Version string      `json:"version" cbor:"0,keyasint"`
+	Content []byte      `json:"content" cbor:"1,keyasint"`
+	HashAlg string      `json:"hashAlg" cbor:"2,keyasint" jsonschema:"enum=SHA-256,enum=SHA-384,enum=SHA-512"`
+	PssOpts *PSSOptions `json:"pssOpts,omitempty" cbor:"3,keyasint,omitempty"`
 }
 
 type TLSSignResponse struct {
@@ -160,30 +160,6 @@ type PSSOptions struct {
 	SaltLength int32
 }
 
-type HashFunction int32
-
-const (
-	HashFunction_SHA1        HashFunction = 0
-	HashFunction_SHA224      HashFunction = 1
-	HashFunction_SHA256      HashFunction = 2
-	HashFunction_SHA384      HashFunction = 3
-	HashFunction_SHA512      HashFunction = 4
-	HashFunction_MD4         HashFunction = 5
-	HashFunction_MD5         HashFunction = 6
-	HashFunction_MD5SHA1     HashFunction = 7
-	HashFunction_RIPEMD160   HashFunction = 8
-	HashFunction_SHA3_224    HashFunction = 9
-	HashFunction_SHA3_256    HashFunction = 10
-	HashFunction_SHA3_384    HashFunction = 11
-	HashFunction_SHA3_512    HashFunction = 12
-	HashFunction_SHA512_224  HashFunction = 13
-	HashFunction_SHA512_256  HashFunction = 14
-	HashFunction_BLAKE2s_256 HashFunction = 15
-	HashFunction_BLAKE2b_256 HashFunction = 16
-	HashFunction_BLAKE2b_384 HashFunction = 17
-	HashFunction_BLAKE2b_512 HashFunction = 18
-)
-
 func TypeToString(t uint32) string {
 	switch t {
 	case TypeError:
@@ -209,80 +185,30 @@ func TypeToString(t uint32) string {
 	}
 }
 
-// Converts Protobuf hashtype to crypto.SignerOpts
-func HashToSignerOpts(hashtype HashFunction, pssOpts *PSSOptions) (crypto.SignerOpts, error) {
-	var hash crypto.Hash
-	var len int
-	switch hashtype {
-	case HashFunction_SHA256:
-		hash = crypto.SHA256
-		len = 32
-	case HashFunction_SHA384:
-		hash = crypto.SHA384
-		len = 48
-	case HashFunction_SHA512:
-		len = 64
-		hash = crypto.SHA512
-	default:
-		return crypto.SHA512, fmt.Errorf("hash function not implemented: %v", hashtype)
+// StringToSignerOpts converts hash strings as defined in https://pkg.go.dev/crypto#Hash.String
+// to SignerOpts
+// Converts hash strings as defined in https://pkg.go.dev/crypto#Hash.String to SignerOpts
+func StringToSignerOpts(s string, pssOpts *PSSOptions) (crypto.SignerOpts, error) {
+	hash, err := internal.HashFromString(s)
+	if err != nil {
+		return nil, err
 	}
+	return HashToSignerOpts(hash, pssOpts)
+}
+
+// HashToSignerOpts converts hashes to crypto.SignerOpts
+func HashToSignerOpts(hash crypto.Hash, pssOpts *PSSOptions) (crypto.SignerOpts, error) {
 	if pssOpts != nil {
 		saltlen := int(pssOpts.SaltLength)
 		// go-attestation / go-tpm does not allow -1 as definition for length of hash
 		if saltlen < 0 {
-			saltlen = len
+			saltlen = hash.Size()
 		}
 		return &rsa.PSSOptions{SaltLength: saltlen, Hash: hash}, nil
 	}
 	return hash, nil
 }
 
-// Converts Hash Types from crypto.SignerOpts to the types specified in the CMC interface
-func SignerOptsToHash(opts crypto.SignerOpts) (HashFunction, error) {
-	switch opts.HashFunc() {
-	case crypto.MD4:
-		return HashFunction_MD4, nil
-	case crypto.MD5:
-		return HashFunction_MD5, nil
-	case crypto.SHA1:
-		return HashFunction_SHA1, nil
-	case crypto.SHA224:
-		return HashFunction_SHA224, nil
-	case crypto.SHA256:
-		return HashFunction_SHA256, nil
-	case crypto.SHA384:
-		return HashFunction_SHA384, nil
-	case crypto.SHA512:
-		return HashFunction_SHA512, nil
-	case crypto.MD5SHA1:
-		return HashFunction_MD5SHA1, nil
-	case crypto.RIPEMD160:
-		return HashFunction_RIPEMD160, nil
-	case crypto.SHA3_224:
-		return HashFunction_SHA3_224, nil
-	case crypto.SHA3_256:
-		return HashFunction_SHA3_256, nil
-	case crypto.SHA3_384:
-		return HashFunction_SHA3_384, nil
-	case crypto.SHA3_512:
-		return HashFunction_SHA3_512, nil
-	case crypto.SHA512_224:
-		return HashFunction_SHA512_224, nil
-	case crypto.SHA512_256:
-		return HashFunction_SHA512_256, nil
-	case crypto.BLAKE2s_256:
-		return HashFunction_BLAKE2s_256, nil
-	case crypto.BLAKE2b_256:
-		return HashFunction_BLAKE2b_256, nil
-	case crypto.BLAKE2b_384:
-		return HashFunction_BLAKE2b_384, nil
-	case crypto.BLAKE2b_512:
-		return HashFunction_BLAKE2b_512, nil
-	default:
-	}
-	return HashFunction_SHA512, errors.New("could not determine correct Hash function")
-}
-
 func (req *AttestationRequest) CheckVersion() error {
 	if req == nil {
 		return fmt.Errorf("internal error: AttestationRequest is nil")

attestedtls/coap.go

@@ -203,15 +203,10 @@ func (a CoapApi) fetchSignature(cc *CmcConfig, digest []byte, opts crypto.Signer
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
 
-	hash, err := api.SignerOptsToHash(opts)
-	if err != nil {
-		return nil, fmt.Errorf("sign request creation failed: %w", err)
-	}
-
 	req := api.TLSSignRequest{
-		Version:  api.GetVersion(),
-		Content:  digest,
-		Hashtype: hash,
+		Version: api.GetVersion(),
+		Content: digest,
+		HashAlg: opts.HashFunc().String(),
 	}
 
 	// Parse additional signing options - not implemented fields assume recommend defaults

attestedtls/grpc.go

@@ -142,11 +142,12 @@ func (a GrpcApi) verifyAR(
 	}
 
 	// Check results
-	if result.Summary.Status == ar.StatusSuccess {
+	switch result.Summary.Status {
+	case ar.StatusSuccess:
 		log.Debugf("Attestation report verification successful")
-	} else if result.Summary.Status == ar.StatusWarn {
+	case ar.StatusWarn:
 		log.Debugf("Attestation report verification passed with warnings")
-	} else {
+	default:
 		return errors.New("attestation report verification failed")
 	}
 	return nil
@@ -163,14 +164,10 @@ func (a GrpcApi) fetchSignature(cc *CmcConfig, digest []byte, opts crypto.Signer
 	log.Debug("Contacting backend for sign Operation")
 
 	// Create Sign request
-	hash, err := convertHash(opts)
-	if err != nil {
-		return nil, fmt.Errorf("sign request creation failed: %w", err)
-	}
 	req := api.TLSSignRequest{
-		Version:  api.GetVersion(),
-		Content:  digest,
-		Hashtype: hash,
+		Version: api.GetVersion(),
+		Content: digest,
+		HashAlg: opts.HashFunc().String(),
 	}
 
 	// parse additional signing options - not implemented fields assume recommend defaults
@@ -257,49 +254,3 @@ func (a GrpcApi) fetchPeerCache(cc *CmcConfig, fingerprint string) ([]string, er
 
 	return resp.Cache, nil
 }
-
-// Converts Hash Types from crypto.SignerOpts to the types specified in the CMC interface
-func convertHash(opts crypto.SignerOpts) (api.HashFunction, error) {
-	switch opts.HashFunc() {
-	case crypto.MD4:
-		return api.HashFunction_MD4, nil
-	case crypto.MD5:
-		return api.HashFunction_MD5, nil
-	case crypto.SHA1:
-		return api.HashFunction_SHA1, nil
-	case crypto.SHA224:
-		return api.HashFunction_SHA224, nil
-	case crypto.SHA256:
-		return api.HashFunction_SHA256, nil
-	case crypto.SHA384:
-		return api.HashFunction_SHA384, nil
-	case crypto.SHA512:
-		return api.HashFunction_SHA512, nil
-	case crypto.MD5SHA1:
-		return api.HashFunction_MD5SHA1, nil
-	case crypto.RIPEMD160:
-		return api.HashFunction_RIPEMD160, nil
-	case crypto.SHA3_224:
-		return api.HashFunction_SHA3_224, nil
-	case crypto.SHA3_256:
-		return api.HashFunction_SHA3_256, nil
-	case crypto.SHA3_384:
-		return api.HashFunction_SHA3_384, nil
-	case crypto.SHA3_512:
-		return api.HashFunction_SHA3_512, nil
-	case crypto.SHA512_224:
-		return api.HashFunction_SHA512_224, nil
-	case crypto.SHA512_256:
-		return api.HashFunction_SHA512_256, nil
-	case crypto.BLAKE2s_256:
-		return api.HashFunction_BLAKE2s_256, nil
-	case crypto.BLAKE2b_256:
-		return api.HashFunction_BLAKE2b_256, nil
-	case crypto.BLAKE2b_384:
-		return api.HashFunction_BLAKE2b_384, nil
-	case crypto.BLAKE2b_512:
-		return api.HashFunction_BLAKE2b_512, nil
-	default:
-	}
-	return api.HashFunction_SHA512, errors.New("could not determine correct Hash function")
-}

attestedtls/socket.go

@@ -216,15 +216,10 @@ func (a SocketApi) fetchSignature(cc *CmcConfig, digest []byte, opts crypto.Sign
 		return nil, fmt.Errorf("error dialing: %w", err)
 	}
 
-	hash, err := api.SignerOptsToHash(opts)
-	if err != nil {
-		return nil, fmt.Errorf("sign request creation failed: %w", err)
-	}
-
 	req := api.TLSSignRequest{
-		Version:  api.GetVersion(),
-		Content:  digest,
-		Hashtype: hash,
+		Version: api.GetVersion(),
+		Content: digest,
+		HashAlg: opts.HashFunc().String(),
 	}
 
 	// Parse additional signing options - not implemented fields assume recommend defaults

cmcd/coap.go

@@ -254,7 +254,7 @@ func (s CoapServer) TlsSign(w mux.ResponseWriter, r *mux.Message) {
 	}
 
 	// Get signing options from request
-	opts, err := api.HashToSignerOpts(req.Hashtype, req.PssOpts)
+	opts, err := api.StringToSignerOpts(req.HashAlg, req.PssOpts)
 	if err != nil {
 		sendCoapError(w, r, codes.InternalServerError,
 			"failed to choose requested hash function: %v", err)

cmcd/grpc.go

@@ -224,7 +224,7 @@ func (s *GrpcServer) TLSSign(ctx context.Context, req *api.TLSSignRequest) (*api
 	d := s.cmc.Drivers[0]
 
 	// get sign opts
-	opts, err = convertHash(req.GetHashtype(), req.GetPssOpts())
+	opts, err = stringToSignerOpts(req.GetHashAlg(), req.GetPssOpts())
 	if err != nil {
 		return nil, fmt.Errorf("failed to find appropriate hash function: %w", err)
 	}
@@ -310,29 +310,24 @@ func (s *GrpcServer) PeerCache(ctx context.Context, req *api.PeerCacheRequest) (
 	return resp, nil
 }
 
-// Converts Protobuf hashtype to crypto.SignerOpts
-func convertHash(hashtype api.HashFunction, pssOpts *api.PSSOptions) (crypto.SignerOpts, error) {
-	var hash crypto.Hash
-	var len int
-	switch hashtype {
-	case api.HashFunction_SHA256:
-		hash = crypto.SHA256
-		len = 32
-	case api.HashFunction_SHA384:
-		hash = crypto.SHA384
-		len = 48
-	case api.HashFunction_SHA512:
-		len = 64
-		hash = crypto.SHA512
-	default:
-		return crypto.SHA512, fmt.Errorf("hash function not implemented: %v", hashtype)
+// StringToSignerOpts converts hash strings as defined in https://pkg.go.dev/crypto#Hash.String
+// to SignerOpts
+// Converts hash strings as defined in https://pkg.go.dev/crypto#Hash.String to SignerOpts
+func stringToSignerOpts(s string, pssOpts *api.PSSOptions) (crypto.SignerOpts, error) {
+	hash, err := internal.HashFromString(s)
+	if err != nil {
+		return nil, err
 	}
+	return hashToSignerOpts(hash, pssOpts)
+}
+
+// HashToSignerOpts converts hashes to crypto.SignerOpts
+func hashToSignerOpts(hash crypto.Hash, pssOpts *api.PSSOptions) (crypto.SignerOpts, error) {
 	if pssOpts != nil {
 		saltlen := int(pssOpts.SaltLength)
 		// go-attestation / go-tpm does not allow -1 as definition for length of hash
 		if saltlen < 0 {
-			log.Warning("Signature Options: Adapted RSA PSS Salt length to length of hash: ", len)
-			saltlen = len
+			saltlen = hash.Size()
 		}
 		return &rsa.PSSOptions{SaltLength: saltlen, Hash: hash}, nil
 	}

cmcd/socket.go

@@ -300,7 +300,7 @@ func tlssign(conn net.Conn, payload []byte, cmc *c.Cmc, s ar.Serializer) {
 	}
 
 	// Get signing options from request
-	opts, err := api.HashToSignerOpts(req.Hashtype, req.PssOpts)
+	opts, err := api.StringToSignerOpts(req.HashAlg, req.PssOpts)
 	if err != nil {
 		sendError(conn, s, "failed to choose requested hash function: %v", err)
 		return

doc/api/json/api/TLSSignRequest.json

@@ -22,8 +22,13 @@
           "type": "string",
           "contentEncoding": "base64"
         },
-        "hashType": {
-          "type": "integer"
+        "hashAlg": {
+          "type": "string",
+          "enum": [
+            "SHA-256",
+            "SHA-384",
+            "SHA-512"
+          ]
         },
         "pssOpts": {
           "$ref": "#/$defs/PSSOptions"
@@ -33,8 +38,7 @@
       "required": [
         "version",
         "content",
-        "hashType",
-        "pssOpts"
+        "hashAlg"
       ]
     }
   }

go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/plgd-dev/go-coap/v3 v3.4.1
 	github.com/robertkrimen/otto v0.5.1
 	github.com/sirupsen/logrus v1.9.3
+	github.com/ulikunitz/xz v0.5.15
 	github.com/urfave/cli/v3 v3.6.1
 	github.com/veraison/go-cose v1.3.0
 	go.mozilla.org/pkcs7 v0.9.0
@@ -65,7 +66,6 @@ require (
 	github.com/quic-go/quic-go v0.57.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
-	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect