more cleanup of functions

Author: wolfv

Cargo.lock

@@ -11,7 +11,7 @@ use sigstore_fulcio::FulcioClient;
 use sigstore_oidc::parse_identity_token;
 use sigstore_rekor::RekorClient;
 use sigstore_trust_root::TrustedRoot;
-use sigstore_types::{Bundle, MediaType, Sha256Hash, SignatureContent};
+use sigstore_types::{Bundle, MediaType, SignatureContent};
 use sigstore_verify::{verify, VerificationPolicy};
 
 use std::env;
@@ -243,11 +243,10 @@ async fn sign_bundle(args: &[String]) -> Result<(), Box<dyn std::error::Error>>
     let signature_b64 = base64::engine::general_purpose::STANDARD.encode(signature.as_bytes());
 
     // Compute artifact hash using sigstore-crypto
-    let hash_bytes = sigstore_crypto::sha256(&artifact_data);
-    let artifact_hash_typed = Sha256Hash::from_bytes(hash_bytes);
+    let artifact_hash = sigstore_crypto::sha256(&artifact_data);
 
     // For v2, we still need hex for now
-    let artifact_hash_hex = hex::encode(hash_bytes);
+    let artifact_hash_hex = artifact_hash.to_hex();
 
     // Upload to Rekor
     let rekor = RekorClient::new(&rekor_url);
@@ -261,7 +260,7 @@ async fn sign_bundle(args: &[String]) -> Result<(), Box<dyn std::error::Error>>
         rekor.create_entry_v2(hashed_rekord).await?
     } else {
         let hashed_rekord =
-            sigstore_rekor::HashedRekord::new(&artifact_hash_typed, &signature, &public_key_pem);
+            sigstore_rekor::HashedRekord::new(&artifact_hash, &signature, &public_key_pem);
         rekor.create_entry(hashed_rekord).await?
     };
 

crates/sigstore-conformance/src/main.rs

@@ -13,7 +13,8 @@ pub use sigstore_types::{Checkpoint, CheckpointSignature};
 /// The key hint is the first 4 bytes of SHA-256(public key).
 pub fn compute_key_hint(public_key_der: &[u8]) -> [u8; 4] {
     let hash = crate::hash::sha256(public_key_der);
-    [hash[0], hash[1], hash[2], hash[3]]
+    let bytes = hash.as_bytes();
+    [bytes[0], bytes[1], bytes[2], bytes[3]]
 }
 
 // OID constants for key type identification

crates/sigstore-crypto/src/checkpoint.rs

@@ -225,7 +225,8 @@ impl KeyHint {
     /// Compute key hint from a public key (first 4 bytes of SHA-256)
     pub fn from_public_key(public_key_der: &[u8]) -> Self {
         let hash = crate::hash::sha256(public_key_der);
-        Self([hash[0], hash[1], hash[2], hash[3]])
+        let bytes = hash.as_bytes();
+        Self([bytes[0], bytes[1], bytes[2], bytes[3]])
     }
 
     /// Get the underlying bytes

crates/sigstore-crypto/src/encoding.rs

@@ -1,30 +1,14 @@
 //! Hashing utilities using aws-lc-rs
 
-use aws_lc_rs::digest::{self, Context, SHA256, SHA384, SHA512};
+use aws_lc_rs::digest::{self, Context, SHA256};
+use sigstore_types::Sha256Hash;
 
-/// Hash data using SHA-256
-pub fn sha256(data: &[u8]) -> [u8; 32] {
+/// Hash data using SHA-256, returning a typed hash
+pub fn sha256(data: &[u8]) -> Sha256Hash {
     let digest = digest::digest(&SHA256, data);
     let mut result = [0u8; 32];
     result.copy_from_slice(digest.as_ref());
-    result
-}
-
-/// Hash data using SHA-384
-pub fn sha384(data: &[u8]) -> [u8; 48] {
-    let digest = digest::digest(&SHA384, data);
-    let mut result = [0u8; 48];
-    result.copy_from_slice(digest.as_ref());
-    result
-}
-
-/// Hash data using SHA-512
-pub fn sha512(data: &[u8]) -> [u8; 64] {
-    // TODO: should we use aws-lc-rs DIGEST?
-    let digest = digest::digest(&SHA512, data);
-    let mut result = [0u8; 64];
-    result.copy_from_slice(digest.as_ref());
-    result
+    Sha256Hash::from_bytes(result)
 }
 
 /// Incremental SHA-256 hasher
@@ -45,12 +29,12 @@ impl Sha256Hasher {
         self.context.update(data);
     }
 
-    /// Finalize and get the digest
-    pub fn finalize(self) -> [u8; 32] {
+    /// Finalize and get the digest as a typed hash
+    pub fn finalize(self) -> Sha256Hash {
         let digest = self.context.finish();
         let mut result = [0u8; 32];
         result.copy_from_slice(digest.as_ref());
-        result
+        Sha256Hash::from_bytes(result)
     }
 }
 
@@ -67,13 +51,13 @@ mod tests {
     #[test]
     fn test_sha256() {
         let hash = sha256(b"hello");
-        assert_eq!(hash.len(), 32);
+        assert_eq!(hash.as_bytes().len(), 32);
 
         // Known SHA-256 hash of "hello"
         let expected =
             hex::decode("2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824")
                 .unwrap();
-        assert_eq!(&hash[..], &expected[..]);
+        assert_eq!(hash.as_bytes(), expected.as_slice());
     }
 
     #[test]

crates/sigstore-crypto/src/hash.rs

@@ -73,7 +73,7 @@ mod tests {
     fn test_keyring_add_and_get() {
         let mut keyring = Keyring::new();
         let kp = KeyPair::generate_ed25519().unwrap();
-        let key_id = sha256(kp.public_key_bytes()).to_vec();
+        let key_id = sha256(kp.public_key_bytes()).as_bytes().to_vec();
         let vk = VerificationKey::new(kp.public_key_bytes().to_vec(), SigningScheme::Ed25519);
 
         keyring.add_key(key_id.clone(), vk);
@@ -85,7 +85,7 @@ mod tests {
     fn test_keyring_verify() {
         let mut keyring = Keyring::new();
         let kp = KeyPair::generate_ed25519().unwrap();
-        let key_id = sha256(kp.public_key_bytes()).to_vec();
+        let key_id = sha256(kp.public_key_bytes()).as_bytes().to_vec();
         let vk = VerificationKey::new(kp.public_key_bytes().to_vec(), SigningScheme::Ed25519);
 
         keyring.add_key(key_id.clone(), vk);
@@ -105,14 +105,14 @@ mod tests {
         // Add multiple keys
         for _ in 0..3 {
             let kp = KeyPair::generate_ed25519().unwrap();
-            let key_id = sha256(kp.public_key_bytes()).to_vec();
+            let key_id = sha256(kp.public_key_bytes()).as_bytes().to_vec();
             let vk = VerificationKey::new(kp.public_key_bytes().to_vec(), SigningScheme::Ed25519);
             keyring.add_key(key_id, vk);
         }
 
         // Sign with a new key and add it
         let kp = KeyPair::generate_ed25519().unwrap();
-        let key_id = sha256(kp.public_key_bytes()).to_vec();
+        let key_id = sha256(kp.public_key_bytes()).as_bytes().to_vec();
         let vk = VerificationKey::new(kp.public_key_bytes().to_vec(), SigningScheme::Ed25519);
         keyring.add_key(key_id.clone(), vk);
 

crates/sigstore-crypto/src/keyring.rs

@@ -18,7 +18,7 @@ pub use checkpoint::{
 };
 pub use encoding::{CertificateDer, DerBytes, KeyHint, PublicKeySpki, SignatureBytes};
 pub use error::{Error, Result};
-pub use hash::{sha256, sha384, sha512, Sha256Hasher};
+pub use hash::{sha256, Sha256Hasher};
 pub use keyring::Keyring;
 pub use signing::{KeyPair, PublicKeyPem, Signature, SigningScheme};
 pub use verification::{verify_signature, verify_signature_prehashed, VerificationKey};

crates/sigstore-crypto/src/lib.rs

@@ -20,7 +20,7 @@ pub fn hash_leaf(data: &[u8]) -> Sha256Hash {
     let mut hasher = Sha256Hasher::new();
     hasher.update(&[LEAF_HASH_PREFIX]);
     hasher.update(data);
-    Sha256Hash::from_bytes(hasher.finalize())
+    hasher.finalize()
 }
 
 /// Hash two child nodes to create a parent node
@@ -31,7 +31,7 @@ pub fn hash_children(left: &Sha256Hash, right: &Sha256Hash) -> Sha256Hash {
     hasher.update(&[NODE_HASH_PREFIX]);
     hasher.update(left.as_bytes());
     hasher.update(right.as_bytes());
-    Sha256Hash::from_bytes(hasher.finalize())
+    hasher.finalize()
 }
 
 /// Calculate the number of trailing zeros in a number (LSB)
@@ -64,9 +64,9 @@ mod tests {
         // Verify it's 32 bytes
         assert_eq!(hash.as_bytes().len(), 32);
 
-        // Verify it's different from raw SHA256
+        // Verify it's different from raw SHA256 (leaf hash has a prefix)
         let raw_hash = sigstore_crypto::sha256(data);
-        assert_ne!(hash.as_bytes(), &raw_hash);
+        assert_ne!(hash, raw_hash);
     }
 
     #[test]

crates/sigstore-merkle/src/tree.rs

@@ -50,8 +50,7 @@ fn try_decode_hash(s: &str) -> Option<Sha256Hash> {
             if let Ok(bytes) = base64::prelude::BASE64_STANDARD.decode(s) {
                 if !bytes.is_empty() && bytes.len() != 32 {
                     // Hash the short bytes to get a unique 32-byte placeholder
-                    let hash = sigstore_crypto::sha256(&bytes);
-                    return Some(Sha256Hash::from_bytes(hash));
+                    return Some(sigstore_crypto::sha256(&bytes));
                 }
             }
             None
@@ -278,11 +277,7 @@ fn test_hash_leaf_format() {
     raw_data.extend_from_slice(data);
     let expected = sigstore_crypto::sha256(&raw_data);
 
-    assert_eq!(
-        hash.as_bytes(),
-        &expected,
-        "hash_leaf should use 0x00 prefix"
-    );
+    assert_eq!(hash, expected, "hash_leaf should use 0x00 prefix");
 }
 
 #[test]
@@ -296,9 +291,5 @@ fn test_hash_children_format() {
     raw_data.extend_from_slice(right.as_bytes());
     let expected = sigstore_crypto::sha256(&raw_data);
 
-    assert_eq!(
-        hash.as_bytes(),
-        &expected,
-        "hash_children should use 0x01 prefix"
-    );
+    assert_eq!(hash, expected, "hash_children should use 0x01 prefix");
 }

crates/sigstore-merkle/tests/rfc6962_tests.rs

@@ -10,7 +10,7 @@ use sigstore_fulcio::FulcioClient;
 use sigstore_oidc::{parse_identity_token, IdentityToken};
 use sigstore_rekor::{HashedRekord, RekorClient};
 use sigstore_tsa::TimestampClient;
-use sigstore_types::{Bundle, MediaType, Sha256Hash};
+use sigstore_types::{Bundle, MediaType};
 use x509_cert::der::Decode;
 use x509_cert::ext::pkix::BasicConstraints;
 use x509_cert::Certificate;
@@ -267,8 +267,7 @@ impl Signer {
         key_pair: &KeyPair,
     ) -> Result<(TlogEntryBuilder, PublicKeyPem)> {
         // Compute artifact hash
-        let hash_bytes = sigstore_crypto::sha256(artifact);
-        let artifact_hash = Sha256Hash::from_bytes(hash_bytes);
+        let artifact_hash = sigstore_crypto::sha256(artifact);
 
         // Export public key for Rekor
         let public_key_pem = key_pair