Merge pull request #108 from dirkmueller/fips140

Switch to sha256 from md5

Author: dirkmueller

cmd/container-suseconnect/main.go

@@ -126,7 +126,7 @@ func requestProducts() ([]cs.Product, error) {
 		suseConnectData.Insecure = false
 
 		if cloudCfg.Ca != "" {
-			regionsrv.SafeCAFile(cloudCfg.Ca)
+			regionsrv.SaveCAFile(cloudCfg.Ca)
 		}
 
 		regionsrv.UpdateHostsFile(cloudCfg.ServerFqdn, cloudCfg.ServerIP)

internal/regionsrv/ca.go

@@ -15,16 +15,17 @@
 package regionsrv
 
 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"io"
 	"os"
 	"os/exec"
 	"strings"
 )
 
 var (
-	hashFilePath = "/etc/pki/containerbuild-regionsrv.md5"
-	caFilePath   = "/etc/pki/trust/anchors/containerbuild-regionsrv.pem"
+	oldHashFilePath = "/etc/pki/containerbuild-regionsrv.md5"
+	hashFilePath    = "/etc/pki/containerbuild-regionsrv.sha256"
+	caFilePath      = "/etc/pki/trust/anchors/containerbuild-regionsrv.pem"
 )
 
 // commander is a very simple interface that just implements the `Run` function,
@@ -34,7 +35,7 @@ type commander interface {
 	Run() error
 }
 
-// Returns true if the CA file has to be updated, false otherwise.
+// Returns true if the CA file needs an update, false otherwise.
 func updateNeeded(contents string) bool {
 	if _, err := os.Stat(hashFilePath); os.IsNotExist(err) {
 		return true
@@ -45,24 +46,25 @@ func updateNeeded(contents string) bool {
 		return true
 	}
 
-	hash := md5.New()
+	hash := sha256.New()
 	io.WriteString(hash, contents)
 
 	return strings.TrimSpace(string(data)) != string(hash.Sum(nil))
 }
 
-// safeCAFile implements `SafeCAFile` by assuming a `commander` type will be
+// saveCAFile implements `SaveCAFile` by assuming a `commander` type will be
 // given.
-func safeCAFile(cmd commander, contents string) error {
+func saveCAFile(cmd commander, contents string) error {
 	if !updateNeeded(contents) {
 		return nil
 	}
 
 	// Nuke everything before populating things back again.
+	os.Remove(oldHashFilePath)
 	os.Remove(hashFilePath)
 	os.Remove(caFilePath)
 
-	// Safe the file
+	// Save the file
 	err := os.WriteFile(caFilePath, []byte(contents), 0o644)
 	if err != nil {
 		return err
@@ -73,18 +75,18 @@ func safeCAFile(cmd commander, contents string) error {
 		return err
 	}
 
-	// Safe the new checksum
-	hash := md5.New()
+	// Save the new checksum
+	hash := sha256.New()
 	io.WriteString(hash, contents)
 	os.WriteFile(hashFilePath, hash.Sum(nil), 0o644)
 
 	return nil
 }
 
-// SafeCAFile creates a certificate file into the right location if it isn't
+// SaveCAFile creates a certificate file into the right location if it isn't
 // already there. This function will call `update-ca-certificates` whenever the
 // CA file has been updated.
-func SafeCAFile(contents string) error {
+func SaveCAFile(contents string) error {
 	cmd := exec.Command("update-ca-certificates")
-	return safeCAFile(cmd, contents)
+	return saveCAFile(cmd, contents)
 }

internal/regionsrv/ca_test.go

@@ -15,7 +15,7 @@
 package regionsrv
 
 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@@ -41,7 +41,7 @@ func (t testCommand) Run() error {
 
 // Run this before each test to get the fixtures path right.
 func beforeTest() {
-	hashFilePath = fixturesPath("valid.md5")
+	hashFilePath = fixturesPath("valid.sha256")
 	caFilePath = fixturesPath("valid.pem")
 }
 
@@ -85,14 +85,14 @@ func TestUpdateIsNeededCouldNotReadFile(t *testing.T) {
 	}
 }
 
-func TestSafeCAFileBadWrite(t *testing.T) {
+func TestSaveCAFileBadWrite(t *testing.T) {
 	beforeTest()
 
-	hashFilePath = fixturesPath(fmt.Sprintf("file%v.md5", rand.Int()))
+	hashFilePath = fixturesPath(fmt.Sprintf("file%v.sha256", rand.Int()))
 	caFilePath = "/wubalubadubdub"
 	cmd := testCommand{shouldFail: false}
 
-	err := safeCAFile(cmd, "valid")
+	err := saveCAFile(cmd, "valid")
 	os.Remove(hashFilePath)
 	os.Remove(caFilePath)
 
@@ -101,14 +101,14 @@ func TestSafeCAFileBadWrite(t *testing.T) {
 	}
 }
 
-func TestSafeCAFileBadCommand(t *testing.T) {
+func TestSaveCAFileBadCommand(t *testing.T) {
 	beforeTest()
 
-	hashFilePath = fixturesPath(fmt.Sprintf("file%v.md5", rand.Int()))
+	hashFilePath = fixturesPath(fmt.Sprintf("file%v.sha256", rand.Int()))
 	caFilePath = fixturesPath(fmt.Sprintf("file%v.pem", rand.Int()))
 	cmd := testCommand{shouldFail: true}
 
-	err := safeCAFile(cmd, "valid")
+	err := saveCAFile(cmd, "valid")
 	os.Remove(hashFilePath)
 	os.Remove(caFilePath)
 
@@ -121,13 +121,13 @@ func TestSafeCAFileBadCommand(t *testing.T) {
 	}
 }
 
-func TestSafeCAFileSuccess(t *testing.T) {
+func TestSaveCAFileSuccess(t *testing.T) {
 	beforeTest()
 
-	hashFilePath = fixturesPath("tmp.md5")
+	hashFilePath = fixturesPath("tmp.sha256")
 	cmd := testCommand{shouldFail: false}
 
-	err := safeCAFile(cmd, "valid")
+	err := saveCAFile(cmd, "valid")
 	if err != nil {
 		os.Remove(hashFilePath)
 		t.Fatalf("Expected error to be nil: %v\n", err)
@@ -136,7 +136,7 @@ func TestSafeCAFileSuccess(t *testing.T) {
 	b, _ := os.ReadFile(hashFilePath)
 	os.Remove(hashFilePath)
 
-	hash := md5.New()
+	hash := sha256.New()
 	io.WriteString(hash, "valid")
 	if string(b) != string(hash.Sum(nil)) {
 		t.Fatal("Bad checksum")

internal/regionsrv/fixtures/valid.md5

@@ -0,0 +1 @@
+ìeO¬•™ö.yâpj¾ò=û|À…ª†ÛM†•ð·ѳ

internal/regionsrv/fixtures/valid.sha256

@@ -75,8 +75,8 @@ func PrintResponse(params map[string]string) error {
 		return errors.New("no credentials given")
 	}
 
-	// Safe the contents of the CA file if it doesn't exist already.
-	if err = SafeCAFile(cfg.Ca); err != nil {
+	// Save the contents of the CA file if it doesn't exist already.
+	if err = SaveCAFile(cfg.Ca); err != nil {
 		return err
 	}