use fips-compliant sha256 hash

SimonTheLeg · SimonTheLeg · commit c81eae93074d · 2025-05-05T11:57:03.000+02:00
On-behalf-of: SAP &lt;simon.bein@sap.com&gt;
Signed-off-by: Simon Bein &lt;simontheleg@gmail.com&gt;
diff --git a/pkg/controller/utils.go b/pkg/controller/utils.go
@@ -1,7 +1,7 @@
 package controller
 
 import (
-	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/base32"
 	"reflect"
 	"strings"
@@ -10,15 +10,16 @@ import (
 )
 
 const (
-	maxLength                int = 63
-	Base32EncodeStdLowerCase     = "abcdefghijklmnopqrstuvwxyz234567"
+	Base32EncodeStdLowerCase = "abcdefghijklmnopqrstuvwxyz234567"
 )
 
-// K8sNameHash takes any number of string arguments and computes a hash out of it, which is then base32-encoded to be a valid k8s resource name.
+// K8sNameHash takes any number of string arguments and computes a hash out of it, which is then base32-encoded to be a valid DNS1123Subdomain k8s resource name
 // The arguments are joined with '/' before being hashed.
 func K8sNameHash(ids ...string) string {
 	name := strings.Join(ids, "/")
-	h := sha1.New()
+	// since we are not worried about length-extension attacks (in fact we are not even using hashing for
+	// any security purposes), use sha2 for better performance compared to sha3
+	h := sha256.New()
 	_, _ = h.Write([]byte(name))
 	// we need base32 encoding as some base64 (even url safe base64) characters are not supported by k8s
 	// see https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
diff --git a/pkg/controller/utils_test.go b/pkg/controller/utils_test.go
@@ -14,20 +14,20 @@ func TestK8sNameHash(t *testing.T) {
 	}{
 		{
 			[]string{"test1"},
-			"wrckybtbh7enmn4vx2nnbpvpkuarsnvm",
+			"dnhq5gcrs4mzrzzsa6cujsllg3b5ahhn67fkgmrvtvxr3a2woaka",
 		},
 		{
 			// check that the same string produces the same hash
 			[]string{"test1"},
-			"wrckybtbh7enmn4vx2nnbpvpkuarsnvm",
+			"dnhq5gcrs4mzrzzsa6cujsllg3b5ahhn67fkgmrvtvxr3a2woaka",
 		},
 		{
 			[]string{"bla"},
-			"76tha37scj5hjglta4tvn6b4kmxeh3ic",
+			"jxz4h5upzsb3e7u5ileqimnhesm7c6dvzanftg2wnsmitoljm4bq",
 		},
 		{
 			[]string{"some other test", "this is a very, very long string"},
-			"fkkzqgh27xym6tqbswyql3wy4atsf6pt",
+			"rjphpfjbmwn6qqydv6xhtmj3kxrlzepn2tpwy4okw2ypoc3nlffq",
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -14,20 +14,20 @@ func TestK8sNameHash(t *testing.T) {`
`14`	`14`	`}{`
`15`	`15`	`{`
`16`	`16`	`[]string{"test1"},`
`17`		`- "wrckybtbh7enmn4vx2nnbpvpkuarsnvm",`
	`17`	`+ "dnhq5gcrs4mzrzzsa6cujsllg3b5ahhn67fkgmrvtvxr3a2woaka",`
`18`	`18`	`},`
`19`	`19`	`{`
`20`	`20`	`// check that the same string produces the same hash`
`21`	`21`	`[]string{"test1"},`
`22`		`- "wrckybtbh7enmn4vx2nnbpvpkuarsnvm",`
	`22`	`+ "dnhq5gcrs4mzrzzsa6cujsllg3b5ahhn67fkgmrvtvxr3a2woaka",`
`23`	`23`	`},`
`24`	`24`	`{`
`25`	`25`	`[]string{"bla"},`
`26`		`- "76tha37scj5hjglta4tvn6b4kmxeh3ic",`
	`26`	`+ "jxz4h5upzsb3e7u5ileqimnhesm7c6dvzanftg2wnsmitoljm4bq",`
`27`	`27`	`},`
`28`	`28`	`{`
`29`	`29`	`[]string{"some other test", "this is a very, very long string"},`
`30`		`- "fkkzqgh27xym6tqbswyql3wy4atsf6pt",`
	`30`	`+ "rjphpfjbmwn6qqydv6xhtmj3kxrlzepn2tpwy4okw2ypoc3nlffq",`
`31`	`31`	`},`
`32`	`32`	`}`
`33`	`33`