Use byte[] for digest instead of hex String

loosebazooka · loosebazooka · commit f3b363d2f0c2 · 2023-01-13T14:40:28.000-05:00
Signed-off-by: Appu Goundan &lt;appu@google.com&gt;
diff --git a/sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java b/sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java
@@ -40,7 +40,6 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
-import org.bouncycastle.util.encoders.Hex;
 
 /** A full sigstore keyless signing flow. */
 public class KeylessSigner {
@@ -191,7 +190,7 @@ public List<KeylessSigningResult> sign(List<byte[]> artifactDigests)
 
       result.add(
           ImmutableKeylessSigningResult.builder()
-              .digest(Hex.toHexString(artifactDigest))
+              .digest(artifactDigest)
               .certPath(signingCert.getCertPath())
               .signature(signature)
               .entry(rekorResponse.getEntry())
diff --git a/sigstore-java/src/main/java/dev/sigstore/KeylessSigningResult.java b/sigstore-java/src/main/java/dev/sigstore/KeylessSigningResult.java
@@ -21,8 +21,8 @@
 
 @Value.Immutable
 public interface KeylessSigningResult {
-  /** The hex encoded sha256 hash digest of the artifact */
-  String getDigest();
+  /** The sha256 hash digest of the artifact */
+  byte[] getDigest();
 
   /** The full certificate chain provided by fulcio for the public key used to sign the artifact */
   CertPath getCertPath();
diff --git a/sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java b/sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java
@@ -50,7 +50,7 @@ static Bundle.Builder createBundleBuilder(KeylessSigningResult signingResult) {
                 .setMessageDigest(
                     HashOutput.newBuilder()
                         .setAlgorithm(HashAlgorithm.SHA2_256)
-                        .setDigest(ByteString.fromHex(signingResult.getDigest()))));
+                        .setDigest(ByteString.copyFrom(signingResult.getDigest()))));
   }
 
   private static VerificationMaterial.Builder buildVerificationMaterial(
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
@@ -30,7 +30,6 @@
 import java.util.Base64;
 import java.util.List;
 import java.util.UUID;
-import org.bouncycastle.util.encoders.Hex;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Disabled;
@@ -71,9 +70,7 @@ public void sign_production() throws Exception {
     var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
     for (var result : results) {
       verifier.verifyOnline(
-          Hex.decode(result.getDigest()),
-          Certificates.toPemBytes(result.getCertPath()),
-          result.getSignature());
+          result.getDigest(), Certificates.toPemBytes(result.getCertPath()), result.getSignature());
     }
   }
 
@@ -88,9 +85,7 @@ public void sign_staging() throws Exception {
     var verifier = KeylessVerifier.builder().sigstoreStagingDefaults().build();
     for (var result : results) {
       verifier.verifyOnline(
-          Hex.decode(result.getDigest()),
-          Certificates.toPemBytes(result.getCertPath()),
-          result.getSignature());
+          result.getDigest(), Certificates.toPemBytes(result.getCertPath()), result.getSignature());
     }
   }
 
@@ -108,9 +103,7 @@ public void sign_productionWithGithubOidc() throws Exception {
     var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
     for (var result : results) {
       verifier.verifyOnline(
-          Hex.decode(result.getDigest()),
-          Certificates.toPemBytes(result.getCertPath()),
-          result.getSignature());
+          result.getDigest(), Certificates.toPemBytes(result.getCertPath()), result.getSignature());
     }
   }
 
@@ -129,9 +122,7 @@ public void sign_stagingWithGithubOidc() throws Exception {
     var verifier = KeylessVerifier.builder().sigstoreStagingDefaults().build();
     for (var result : results) {
       verifier.verifyOnline(
-          Hex.decode(result.getDigest()),
-          Certificates.toPemBytes(result.getCertPath()),
-          result.getSignature());
+          result.getDigest(), Certificates.toPemBytes(result.getCertPath()), result.getSignature());
     }
   }
 
@@ -150,7 +141,7 @@ private void verifySigningResult(List<KeylessSigningResult> results)
 
       var hr = RekorTypes.getHashedRekord(result.getEntry());
       // check if ht rekor entry has the digest we sent
-      Assertions.assertEquals(Hex.toHexString(artifactDigest), result.getDigest());
+      Assertions.assertArrayEquals(artifactDigest, result.getDigest());
       // check if the rekor entry has the signature we sent
       Assertions.assertArrayEquals(
           Base64.getDecoder().decode(hr.getSignature().getContent()), result.getSignature());

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ static Bundle.Builder createBundleBuilder(KeylessSigningResult signingResult) {`
`50`	`50`	`.setMessageDigest(`
`51`	`51`	`HashOutput.newBuilder()`
`52`	`52`	`.setAlgorithm(HashAlgorithm.SHA2_256)`
`53`		`- .setDigest(ByteString.fromHex(signingResult.getDigest()))));`
	`53`	`+ .setDigest(ByteString.copyFrom(signingResult.getDigest()))));`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`private static VerificationMaterial.Builder buildVerificationMaterial(`