treewide: migrate crypto(hash-* -> nite)

Anton-Latukha · Anton-Latukha · commit 97146b41cc87 · 2021-06-10T15:17:40.000+03:00
Reference: Main cause: haskell-hvr/cryptohash-sha512#7 The whole `cryptohash-*` package family is abandoned, there is no signs of maintainer activity there, so it stopped following Haskell ecosystem & `base` releases. Knowing the human history & situation around it - it would not be reviwed, which gives experience to not hardcode on the (specifically when emotional) dependency. Experience I drawn from this story is to keep things simplier when possible & have more flexible systems as a result code. It was "a bit too much" for what hashing is, for the code to have 2 hashing type systems (external & internal) & reinventment of `HashAlgorithm` type duplicate. The whole code was really rigid with a lot of type applicating the data kinds, those are dependent type features & should be used cautiously, since interface became rigid to changes, so afterwards it is easier & effective to dismantle and recreate the subsystem then to evolve it. Previous hashing history: #156 #142 #93 #92 #90 #83 #64 #38 #32 #31 #28 #27 #25 #18 #14
diff --git a/hnix-store-core/hnix-store-core.cabal b/hnix-store-core/hnix-store-core.cabal
@@ -56,10 +56,9 @@ library
     , bytestring
     , cereal
     , containers
-    , cryptohash-md5
-    , cryptohash-sha1
-    , cryptohash-sha256
-    , cryptohash-sha512
+    -- Required for cryptonite low-level type convertion
+    , memory
+    , cryptonite
     , directory
     , filepath
     , hashable
@@ -106,6 +105,7 @@ test-suite format-tests
     , binary
     , bytestring
     , containers
+    , cryptonite
     , directory
     , filepath
     , process
diff --git a/hnix-store-core/src/System/Nix/Hash.hs b/hnix-store-core/src/System/Nix/Hash.hs
@@ -2,16 +2,10 @@
 Description : Cryptographic hashes for hnix-store.
 -}
 module System.Nix.Hash
-  ( Hash.Digest
-
-  , Hash.HashAlgorithm(..)
-  , Hash.mkStorePathHash
-  , Hash.ValidAlgo(..)
+  ( Hash.mkStorePathHash
   , Hash.NamedAlgo(..)
   , Hash.SomeNamedDigest(..)
 
-  , Hash.hash
-  , Hash.hashLazy
   , Hash.mkNamedDigest
 
   , Base.BaseEncoding(..)
diff --git a/hnix-store-core/src/System/Nix/Internal/Hash.hs b/hnix-store-core/src/System/Nix/Internal/Hash.hs
@@ -13,12 +13,7 @@ Description : Cryptographic hashing interface for hnix-store, on top
 {-# LANGUAGE CPP #-}
 
 module System.Nix.Internal.Hash
-  ( HashAlgorithm(..)
-  , ValidAlgo(..)
-  , NamedAlgo(..)
-  , hash
-  , hashLazy
-  , Digest
+  ( NamedAlgo(..)
   , SomeNamedDigest(..)
   , mkNamedDigest
   , encodeDigestWith
@@ -27,163 +22,86 @@ module System.Nix.Internal.Hash
   )
 where
 
-import qualified Crypto.Hash.MD5        as MD5
-import qualified Crypto.Hash.SHA1       as SHA1
-import qualified Crypto.Hash.SHA256     as SHA256
-import qualified Crypto.Hash.SHA512     as SHA512
+import qualified Crypto.Hash            as C
 import qualified Data.ByteString        as BS
-import qualified Data.ByteString.Lazy   as BSL
-import qualified Data.Hashable          as DataHashable
-import           Data.List              (foldl')
 import           Data.Text              (Text)
 import qualified Data.Text              as T
 import           System.Nix.Internal.Base
-import           Data.Coerce            (coerce)
+import           Data.ByteArray
 import           System.Nix.Internal.Truncation
 
--- | The universe of supported hash algorithms.
---
--- Currently only intended for use at the type level.
-data HashAlgorithm
-  = MD5
-  | SHA1
-  | SHA256
-  | SHA512
-
--- | The result of running a 'HashAlgorithm'.
-newtype Digest (a :: HashAlgorithm) =
-  Digest BS.ByteString deriving (Eq, Ord, DataHashable.Hashable)
-
-instance Show (Digest a) where
-  show = ("Digest " <>) . show . encodeDigestWith NixBase32
-
--- | The primitive interface for incremental hashing for a given
--- 'HashAlgorithm'. Every 'HashAlgorithm' should have an instance.
-class ValidAlgo (a :: HashAlgorithm) where
-  -- | The incremental state for constructing a hash.
-  type AlgoCtx a
-
-  -- | Start building a new hash.
-  initialize        :: AlgoCtx a
-  -- | Append a 'BS.ByteString' to the overall contents to be hashed.
-  update            :: AlgoCtx a -> BS.ByteString -> AlgoCtx a
-  -- | Finish hashing and generate the output.
-  finalize          :: AlgoCtx a -> Digest a
-
 -- | A 'HashAlgorithm' with a canonical name, for serialization
 -- purposes (e.g. SRI hashes)
-class ValidAlgo a => NamedAlgo (a :: HashAlgorithm) where
+class C.HashAlgorithm a => NamedAlgo a where
   algoName :: Text
-  hashSize :: Int
 
-instance NamedAlgo 'MD5 where
+instance NamedAlgo C.MD5 where
   algoName = "md5"
-  hashSize = 16
 
-instance NamedAlgo 'SHA1 where
+instance NamedAlgo C.SHA1 where
   algoName = "sha1"
-  hashSize = 20
 
-instance NamedAlgo 'SHA256 where
+instance NamedAlgo C.SHA256 where
   algoName = "sha256"
-  hashSize = 32
 
-instance NamedAlgo 'SHA512 where
+instance NamedAlgo C.SHA512 where
   algoName = "sha512"
-  hashSize = 64
 
 -- | A digest whose 'NamedAlgo' is not known at compile time.
-data SomeNamedDigest = forall a . NamedAlgo a => SomeDigest (Digest a)
+data SomeNamedDigest = forall a . NamedAlgo a => SomeDigest (C.Digest a)
 
 instance Show SomeNamedDigest where
   show sd = case sd of
-    SomeDigest (digest :: Digest hashType) -> T.unpack $ "SomeDigest " <> algoName @hashType <> ":" <> encodeDigestWith NixBase32 digest
+    SomeDigest (digest :: C.Digest hashType) -> T.unpack $ "SomeDigest " <> algoName @hashType <> ":" <> encodeDigestWith NixBase32 digest
 
 mkNamedDigest :: Text -> Text -> Either String SomeNamedDigest
 mkNamedDigest name sriHash =
   let (sriName, h) = T.breakOnEnd "-" sriHash in
-    if sriName == "" || sriName == (name <> "-")
+    if sriName == "" || sriName == name <> "-"
     then mkDigest h
     else Left $ T.unpack $ "Sri hash method " <> sriName <> " does not match the required hash type " <> name
  where
   mkDigest h = case name of
-    "md5"    -> SomeDigest <$> decodeGo @'MD5    h
-    "sha1"   -> SomeDigest <$> decodeGo @'SHA1   h
-    "sha256" -> SomeDigest <$> decodeGo @'SHA256 h
-    "sha512" -> SomeDigest <$> decodeGo @'SHA512 h
+    "md5"    -> SomeDigest <$> decodeGo C.MD5    h
+    "sha1"   -> SomeDigest <$> decodeGo C.SHA1   h
+    "sha256" -> SomeDigest <$> decodeGo C.SHA256 h
+    "sha512" -> SomeDigest <$> decodeGo C.SHA512 h
     _        -> Left $ "Unknown hash name: " <> T.unpack name
-  decodeGo :: forall a . (NamedAlgo a, ValidAlgo a) => Text -> Either String (Digest a)
-  decodeGo h
+  decodeGo :: forall a . NamedAlgo a => a -> Text -> Either String (C.Digest a)
+  decodeGo a h
     | size == base16Len = decodeDigestWith Base16 h
     | size == base32Len = decodeDigestWith NixBase32 h
     | size == base64Len = decodeDigestWith Base64 h
     | otherwise = Left $ T.unpack sriHash <> " is not a valid " <> T.unpack name <> " hash. Its length (" <> show size <> ") does not match any of " <> show [base16Len, base32Len, base64Len]
    where
     size = T.length h
-    hsize = hashSize @a
+    hsize = C.hashDigestSize a
     base16Len = hsize * 2
     base32Len = ((hsize * 8 - 1) `div` 5) + 1;
     base64Len = ((4 * hsize `div` 3) + 3) `div` 4 * 4;
 
 
--- | Hash an entire (strict) 'BS.ByteString' as a single call.
---
---   For example:
---   > let d = hash "Hello, sha-256!" :: Digest SHA256
---   or
---   > :set -XTypeApplications
---   > let d = hash @SHA256 "Hello, sha-256!"
-hash :: forall a . ValidAlgo a => BS.ByteString -> Digest a
-hash bs =
-  finalize $ update @a (initialize @a) bs
-
-mkStorePathHash :: forall a . ValidAlgo a => BS.ByteString -> BS.ByteString
+mkStorePathHash :: forall a . C.HashAlgorithm a => BS.ByteString -> BS.ByteString
 mkStorePathHash bs =
-  truncateInNixWay 20 $ coerce $ hash @a bs
-
--- | Hash an entire (lazy) 'BSL.ByteString' as a single call.
---
--- Use is the same as for 'hash'.  This runs in constant space, but
--- forces the entire bytestring.
-hashLazy :: forall a . ValidAlgo a => BSL.ByteString -> Digest a
-hashLazy bsl =
-  finalize $ foldl' (update @a) (initialize @a) (BSL.toChunks bsl)
-
+  truncateInNixWay 20 $ convert $ C.hash @BS.ByteString @a bs
 
 -- | Take BaseEncoding type of the output -> take the Digeest as input -> encode Digest
-encodeDigestWith :: BaseEncoding -> Digest a -> T.Text
-encodeDigestWith b = encodeWith b . coerce
+encodeDigestWith :: BaseEncoding -> C.Digest a -> T.Text
+encodeDigestWith b = encodeWith b . convert
 
 
 -- | Take BaseEncoding type of the input -> take the input itself -> decodeBase into Digest
-decodeDigestWith :: BaseEncoding -> T.Text -> Either String (Digest a)
-decodeDigestWith b x = Digest <$> decodeWith b x
-
-
--- | Uses "Crypto.Hash.MD5" from cryptohash-md5.
-instance ValidAlgo 'MD5 where
-  type AlgoCtx 'MD5 = MD5.Ctx
-  initialize = MD5.init
-  update = MD5.update
-  finalize = Digest . MD5.finalize
-
--- | Uses "Crypto.Hash.SHA1" from cryptohash-sha1.
-instance ValidAlgo 'SHA1 where
-  type AlgoCtx 'SHA1 = SHA1.Ctx
-  initialize = SHA1.init
-  update = SHA1.update
-  finalize = Digest . SHA1.finalize
-
--- | Uses "Crypto.Hash.SHA256" from cryptohash-sha256.
-instance ValidAlgo 'SHA256 where
-  type AlgoCtx 'SHA256 = SHA256.Ctx
-  initialize = SHA256.init
-  update = SHA256.update
-  finalize = Digest . SHA256.finalize
-
--- | Uses "Crypto.Hash.SHA512" from cryptohash-sha512.
-instance ValidAlgo 'SHA512 where
-  type AlgoCtx 'SHA512 = SHA512.Ctx
-  initialize = SHA512.init
-  update = SHA512.update
-  finalize = Digest . SHA512.finalize
+decodeDigestWith :: C.HashAlgorithm a => BaseEncoding -> T.Text -> Either String (C.Digest a)
+decodeDigestWith b x =
+  do
+    bs <- decodeWith b x
+    let
+      toEither =
+        maybeToRight
+          ("Cryptonite was not able to convert '(ByteString -> Digest a)' for: '" <> show bs <>"'.")
+    (toEither . C.digestFromByteString) bs
+ where
+  -- To not depend on @extra@
+  maybeToRight :: b -> Maybe a -> Either b a
+  maybeToRight _ (Just r) = pure r
+  maybeToRight y Nothing  = Left y
diff --git a/hnix-store-core/src/System/Nix/Internal/StorePath.hs b/hnix-store-core/src/System/Nix/Internal/StorePath.hs
@@ -51,6 +51,9 @@ import qualified System.FilePath               as FilePath
 import           Data.Hashable                  ( Hashable(..) )
 import           Data.HashSet                   ( HashSet )
 import           Data.Coerce                    ( coerce )
+import           Crypto.Hash                    ( SHA256
+                                                , Digest
+                                                )
 
 -- | A path in a Nix store.
 --
@@ -96,7 +99,7 @@ newtype StorePathHashPart = StorePathHashPart ByteString
   deriving (Eq, Hashable, Ord, Show)
 
 mkStorePathHashPart :: ByteString -> StorePathHashPart
-mkStorePathHashPart = coerce . mkStorePathHash @'SHA256
+mkStorePathHashPart = coerce . mkStorePathHash @SHA256
 
 -- | A set of 'StorePath's.
 type StorePathSet = HashSet StorePath
@@ -114,7 +117,7 @@ data ContentAddressableAddress
   = -- | The path is a plain file added via makeTextPath or
     -- addTextToStore. It is addressed according to a sha256sum of the
     -- file contents.
-    Text !(Digest 'SHA256)
+    Text !(Digest SHA256)
   | -- | The path was added to the store via makeFixedOutputPath or
     -- addToStore. It is addressed according to some hash algorithm
     -- applied to the nar serialization via some 'NarHashMode'.
@@ -134,7 +137,7 @@ data NarHashMode
 makeStorePathName :: Text -> Either String StorePathName
 makeStorePathName n =
   if validStorePathName n
-    then Right $ StorePathName n
+    then pure $ StorePathName n
     else Left $ reasonInvalid n
 
 reasonInvalid :: Text -> String
diff --git a/hnix-store-core/src/System/Nix/ReadonlyStore.hs b/hnix-store-core/src/System/Nix/ReadonlyStore.hs
@@ -17,6 +17,15 @@ import           System.Nix.Nar
 import           System.Nix.StorePath
 import           Control.Monad.State.Strict
 import           Data.Coerce                    ( coerce )
+import           Crypto.Hash                    ( Context
+                                                , Digest
+                                                , hash
+                                                , hashlazy
+                                                , hashInit
+                                                , hashUpdate
+                                                , hashFinalize
+                                                , SHA256
+                                                )
 
 
 makeStorePath
@@ -37,11 +46,11 @@ makeStorePath fp ty h nm = StorePath (coerce storeHash) nm fp
         [ algoName @h
         , encodeDigestWith Base16 h
         , T.pack fp
-        , unStorePathName nm
+        , coerce nm
         ]
 
 makeTextPath
-  :: FilePath -> StorePathName -> Digest 'SHA256 -> StorePathSet -> StorePath
+  :: FilePath -> StorePathName -> Digest SHA256 -> StorePathSet -> StorePath
 makeTextPath fp nm h refs = makeStorePath fp ty h nm
  where
   ty =
@@ -61,7 +70,7 @@ makeFixedOutputPath fp recursive h =
     else makeStorePath fp "output:out" h'
  where
   h' =
-    hash @'SHA256
+    hash @ByteString @SHA256
       $  "fixed:out:"
       <> encodeUtf8 (algoName @hashAlgo)
       <> (if recursive then ":r:" else ":")
@@ -83,10 +92,10 @@ computeStorePathForPath name pth recursive _pathFilter _repair = do
   selectedHash <- if recursive then recursiveContentHash else flatContentHash
   pure $ makeFixedOutputPath "/nix/store" recursive selectedHash name
  where
-  recursiveContentHash :: IO (Digest 'SHA256)
-  recursiveContentHash = finalize <$> execStateT streamNarUpdate (initialize @'SHA256)
-  streamNarUpdate :: StateT (AlgoCtx 'SHA256) IO ()
-  streamNarUpdate = streamNarIO (modify . flip (update @'SHA256)) narEffectsIO pth
+  recursiveContentHash :: IO (Digest SHA256)
+  recursiveContentHash = hashFinalize <$> execStateT streamNarUpdate (hashInit @SHA256)
+  streamNarUpdate :: StateT (Context SHA256) IO ()
+  streamNarUpdate = streamNarIO (modify . flip (hashUpdate @ByteString @SHA256)) narEffectsIO pth
 
-  flatContentHash :: IO (Digest 'SHA256)
-  flatContentHash = hashLazy <$> narReadFile narEffectsIO pth
+  flatContentHash :: IO (Digest SHA256)
+  flatContentHash = hashlazy <$> narReadFile narEffectsIO pth
diff --git a/hnix-store-core/tests/Arbitrary.hs b/hnix-store-core/tests/Arbitrary.hs
@@ -11,10 +11,13 @@ import qualified Data.Text                     as T
 
 import           Test.Tasty.QuickCheck
 
-import           System.Nix.Internal.Hash
 import           System.Nix.Internal.StorePath
 import           Control.Applicative                ( liftA3 )
 import           Data.Coerce                        ( coerce )
+import           Crypto.Hash                        ( SHA256
+                                                    , Digest
+                                                    , hash
+                                                    )
 
 genSafeChar :: Gen Char
 genSafeChar = choose ('\1', '\127') -- ASCII without \NUL
@@ -35,7 +38,7 @@ instance Arbitrary StorePathName where
 instance Arbitrary StorePathHashPart where
   arbitrary = mkStorePathHashPart . BSC.pack <$> arbitrary
 
-instance Arbitrary (Digest 'SHA256) where
+instance Arbitrary (Digest SHA256) where
   arbitrary = hash . BSC.pack <$> arbitrary
 
 newtype NixLike = NixLike {getNixLike :: StorePath}
diff --git a/hnix-store-core/tests/Hash.hs b/hnix-store-core/tests/Hash.hs
