Skip to content

Commit

Permalink
Use SHA-512 for libraries verification
Browse files Browse the repository at this point in the history
  • Loading branch information
Yeregorix committed Nov 21, 2024
1 parent 20778e8 commit 7ebe3f7
Show file tree
Hide file tree
Showing 6 changed files with 38 additions and 88 deletions.
1 change: 1 addition & 0 deletions build-logic/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ plugins {
indra {
javaVersions {
strictVersions(false) // it's just buildscript, no need for anything fancy
target(17)
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,35 +54,20 @@
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Collectors;

public abstract class OutputDependenciesToJson extends DefaultTask {

// From http://stackoverflow.com/questions/9655181/convert-from-byte-array-to-hex-string-in-java
private static final char[] hexArray = "0123456789abcdef".toCharArray();
private static final char[] hexChars = "0123456789abcdef".toCharArray();

private static final Gson GSON = new GsonBuilder().setPrettyPrinting().create();

/**
* A single dependency.
*/
static final class DependencyDescriptor implements Comparable<DependencyDescriptor> {

final String group;
final String module;
final String version;
final String md5;

DependencyDescriptor(final String group, final String module, final String version, final String md5) {
this.group = group;
this.module = module;
this.version = version;
this.md5 = md5;
}

record DependencyDescriptor(String group, String module, String version, String sha512) implements Comparable<DependencyDescriptor> {
@Override
public int compareTo(final DependencyDescriptor that) {
final int group = this.group.compareTo(that.group);
Expand All @@ -97,35 +82,6 @@ public int compareTo(final DependencyDescriptor that) {

return this.version.compareTo(that.version);
}

@Override
public boolean equals(final Object other) {
if (this == other) {
return true;
}
if (other == null || this.getClass() != other.getClass()) {
return false;
}
final DependencyDescriptor that = (DependencyDescriptor) other;
return Objects.equals(this.group, that.group)
&& Objects.equals(this.module, that.module)
&& Objects.equals(this.version, that.version);
}

@Override
public int hashCode() {
return Objects.hash(this.group, this.module, this.version);
}

@Override
public String toString() {
return "DependencyDescriptor{" +
"group='" + this.group + '\'' +
", module='" + this.module + '\'' +
", version='" + this.version + '\'' +
", md5='" + this.md5 + '\'' +
'}';
}
}

/**
Expand All @@ -134,14 +90,7 @@ public String toString() {
* <p>At runtime, transitive dependencies won't be traversed, so this needs to
* include direct + transitive depends.</p>
*/
static final class DependencyManifest {

final Map<String, List<DependencyDescriptor>> dependencies;

DependencyManifest(final Map<String, List<DependencyDescriptor>> dependencies) {
this.dependencies = dependencies;
}
}
record DependencyManifest(Map<String, List<DependencyDescriptor>> dependencies) {}

/**
* Configuration to gather dependency artifacts from.
Expand Down Expand Up @@ -225,41 +174,42 @@ private List<DependencyDescriptor> configToDescriptor(final Set<ResolvedArtifact
.map(dependency -> {
final ModuleComponentIdentifier id = (ModuleComponentIdentifier) dependency.getId().getComponentIdentifier();

// Get file input stream for reading the file content
final String md5hash;
final MessageDigest digest;
try {
digest = MessageDigest.getInstance("SHA-512");
} catch (final NoSuchAlgorithmException e) {
throw new GradleException("Failed to find digest algorithm", e);
}

try (final InputStream in = Files.newInputStream(dependency.getFile().toPath())) {
final MessageDigest hasher = MessageDigest.getInstance("MD5");
final byte[] buf = new byte[4096];
int read;
while ((read = in.read(buf)) != -1) {
hasher.update(buf, 0, read);
digest.update(buf, 0, read);
}

md5hash = OutputDependenciesToJson.toHexString(hasher.digest());
} catch (final IOException | NoSuchAlgorithmException ex) {
throw new GradleException("Failed to create hash for " + dependency, ex);
} catch (final IOException e) {
throw new GradleException("Failed to digest file for " + dependency, e);
}

// create descriptor
return new DependencyDescriptor(
id.getGroup(),
id.getModule(),
id.getVersion(),
md5hash
OutputDependenciesToJson.toHexString(digest.digest())
);
})
.sorted(Comparator.naturalOrder()) // sort dependencies for stable output
.collect(Collectors.toList());
}

public static String toHexString(final byte[] bytes) {
final char[] hexChars = new char[bytes.length * 2];
for (int j = 0; j < bytes.length; j++) {
final int v = bytes[j] & 0xFF;
hexChars[j * 2] = OutputDependenciesToJson.hexArray[v >>> 4];
hexChars[j * 2 + 1] = OutputDependenciesToJson.hexArray[v & 0x0F];
final char[] chars = new char[bytes.length << 1];
int i = 0;
for (final byte b : bytes) {
chars[i++] = OutputDependenciesToJson.hexChars[(b >> 4) & 15];
chars[i++] = OutputDependenciesToJson.hexChars[b & 15];
}
return new String(hexChars);
return new String(chars);
}

public static class ConfigurationHolder {
Expand All @@ -274,7 +224,7 @@ public Provider<Set<String>> getIds() {
return this.getArtifacts().map(set -> set.stream()
.map(art -> art.getId().getComponentIdentifier())
.filter(id -> id instanceof ModuleComponentIdentifier)
.map(art -> art.getDisplayName())
.map(ComponentIdentifier::getDisplayName)
.collect(Collectors.toSet()));
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,8 @@
import java.util.concurrent.TimeUnit;

public final class LibraryManager {
public static final String SPONGE_NEXUS_DOWNLOAD_URL = "https://repo.spongepowered.org/service/rest/v1/search/assets?md5=%s&maven"
+ ".groupId=%s&maven.artifactId=%s&maven.baseVersion=%s&maven.extension=jar";
public static final String SPONGE_NEXUS_DOWNLOAD_URL = "https://repo.spongepowered.org/service/rest/v1/search/assets?sha512=%s"
+ "&maven.groupId=%s&maven.artifactId=%s&maven.baseVersion=%s&maven.extension=jar";

private final Logger logger;
private final boolean checkLibraryHashes;
Expand Down Expand Up @@ -150,17 +150,17 @@ private Set<Library> scheduleDownloads(
return depFile;
}

if (LibraryUtils.validateDigest("MD5", dep.md5(), depFile)) {
if (LibraryUtils.validateDigest("SHA-512", dep.sha512(), depFile)) {
this.logger.debug("'{}' verified!", depFile);
return depFile;
}

this.logger.error("Checksum verification failed: Expected {}. Deleting cached '{}'...", dep.md5(), depFile);
this.logger.error("Checksum verification failed: Expected {}. Deleting cached '{}'...", dep.sha512(), depFile);
Files.delete(depFile);
}

final URL requestUrl = URI.create(String.format(LibraryManager.SPONGE_NEXUS_DOWNLOAD_URL,
dep.md5(), dep.group(), dep.module(), dep.version())).toURL();
dep.sha512(), dep.group(), dep.module(), dep.version())).toURL();
final SonatypeResponse response = this.getResponseFor(this.gson, requestUrl);
if (response.items().isEmpty()) {
failures.add("No data received from '" + requestUrl + "'!");
Expand All @@ -170,7 +170,7 @@ private Set<Library> scheduleDownloads(
final SonatypeResponse.Item item = response.items().get(0);

if (checkHashes) {
LibraryUtils.downloadAndVerifyDigest(this.logger, item.downloadUrl(), depFile, "MD5", item.checksum().md5());
LibraryUtils.downloadAndVerifyDigest(this.logger, item.downloadUrl(), depFile, "SHA-512", item.checksum().sha512());
} else {
LibraryUtils.download(this.logger, item.downloadUrl(), depFile, true);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
import java.util.concurrent.Executor;

public final class LibraryUtils {
private static final char[] hexArray = "0123456789abcdef".toCharArray();
private static final char[] hexChars = "0123456789abcdef".toCharArray();

private LibraryUtils() {
}
Expand All @@ -59,15 +59,14 @@ public static <T> CompletableFuture<T> asyncFailableFuture(final Callable<T> act
return future;
}

// From http://stackoverflow.com/questions/9655181/convert-from-byte-array-to-hex-string-in-java
public static String toHexString(final byte[] bytes) {
char[] hexChars = new char[bytes.length * 2];
for (int j = 0; j < bytes.length; j++) {
int v = bytes[j] & 0xFF;
hexChars[j * 2] = LibraryUtils.hexArray[v >>> 4];
hexChars[j * 2 + 1] = LibraryUtils.hexArray[v & 0x0F];
final char[] chars = new char[bytes.length << 1];
int i = 0;
for (final byte b : bytes) {
chars[i++] = LibraryUtils.hexChars[(b >> 4) & 15];
chars[i++] = LibraryUtils.hexChars[b & 15];
}
return new String(hexChars);
return new String(chars);
}

public static boolean validateDigest(final String algorithm, final String expectedHash, final Path path) throws IOException, NoSuchAlgorithmException {
Expand Down Expand Up @@ -175,7 +174,7 @@ public static void transferAndVerifyDigest(final Logger logger, final InputStrea

final String fileDigest = LibraryUtils.toHexString(digest.digest());

if (expected.equalsIgnoreCase(fileDigest)) {
if (expected.equals(fileDigest)) {
logger.info("Successfully processed {} and verified checksum!", name);
} else {
Files.delete(file);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,5 +28,5 @@
import java.util.Map;

public record Libraries(Map<String, List<Dependency>> dependencies) {
public record Dependency(String group, String module, String version, String md5) {}
public record Dependency(String group, String module, String version, String sha512) {}
}
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,5 @@

public record SonatypeResponse(List<Item> items, String continuationToken) {
public record Item(URL downloadUrl, String path, String id, String repository, String format, Checksum checksum) {}
public record Checksum(String md5, String sha1, String sha256) {}
public record Checksum(String sha512) {}
}

0 comments on commit 7ebe3f7

Please sign in to comment.