1use crate::nixbase32;
2use bstr::ByteSlice;
3use data_encoding::{BASE64, BASE64_NOPAD, HEXLOWER};
4use std::cmp::Ordering;
5use std::fmt::Display;
6use thiserror;
7
8mod algos;
9mod ca_hash;
10pub mod serde;
11
12pub use algos::HashAlgo;
13pub use ca_hash::CAHash;
14pub use ca_hash::HashMode as CAHashMode;
15
16#[derive(Clone, Debug, Eq, PartialEq)]
55pub enum NixHash {
56 Md5([u8; 16]),
57 Sha1([u8; 20]),
58 Sha256([u8; 32]),
59 Sha512(Box<[u8; 64]>),
60}
61
62impl Ord for NixHash {
67 fn cmp(&self, other: &NixHash) -> Ordering {
68 self.digest_as_bytes().cmp(other.digest_as_bytes())
69 }
70}
71
72impl PartialOrd for NixHash {
74 fn partial_cmp(&self, other: &NixHash) -> Option<Ordering> {
75 Some(self.cmp(other))
76 }
77}
78
79impl Display for NixHash {
83 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> {
84 self.write_sri_str(f)
85 }
86}
87
88impl NixHash {
89 pub fn algo(&self) -> HashAlgo {
91 match self {
92 NixHash::Md5(_) => HashAlgo::Md5,
93 NixHash::Sha1(_) => HashAlgo::Sha1,
94 NixHash::Sha256(_) => HashAlgo::Sha256,
95 NixHash::Sha512(_) => HashAlgo::Sha512,
96 }
97 }
98
99 pub fn digest_as_bytes(&self) -> &[u8] {
101 match self {
102 NixHash::Md5(digest) => digest,
103 NixHash::Sha1(digest) => digest,
104 NixHash::Sha256(digest) => digest,
105 NixHash::Sha512(digest) => digest.as_ref(),
106 }
107 }
108
109 pub fn from_algo_and_digest(algo: HashAlgo, digest: &[u8]) -> Result<NixHash, Error> {
113 if digest.len() != algo.digest_length() {
114 return Err(Error::InvalidDigestLength(algo));
115 }
116
117 Ok(match algo {
118 HashAlgo::Md5 => NixHash::Md5(digest.try_into().unwrap()),
119 HashAlgo::Sha1 => NixHash::Sha1(digest.try_into().unwrap()),
120 HashAlgo::Sha256 => NixHash::Sha256(digest.try_into().unwrap()),
121 HashAlgo::Sha512 => NixHash::Sha512(Box::new(digest.try_into().unwrap())),
122 })
123 }
124
125 pub fn from_nix_nixbase32(s: &str) -> Option<Self> {
128 let (tag, digest) = s.split_once(':')?;
129
130 (match tag {
131 "md5" => nixbase32::decode_fixed(digest).map(NixHash::Md5),
132 "sha1" => nixbase32::decode_fixed(digest).map(NixHash::Sha1),
133 "sha256" => nixbase32::decode_fixed(digest).map(NixHash::Sha256),
134 "sha512" => nixbase32::decode_fixed(digest)
135 .map(Box::new)
136 .map(NixHash::Sha512),
137 _ => return None,
138 })
139 .ok()
140 }
141
142 pub fn to_nix_nixbase32(&self) -> String {
144 format!(
145 "{}:{}",
146 self.algo(),
147 nixbase32::encode(self.digest_as_bytes())
148 )
149 }
150
151 pub fn from_sri(s: &str) -> Result<NixHash, Error> {
154 let (algo_str, digest_str) = s.split_once('-').ok_or(Error::InvalidSRI)?;
156
157 let algo: HashAlgo = algo_str.try_into()?;
159
160 let digest_str = {
164 let encoded_max_len = BASE64.encode_len(algo.digest_length());
165 if digest_str.len() > encoded_max_len {
166 &digest_str.as_bytes()[..encoded_max_len]
167 } else {
168 digest_str.as_bytes()
169 }
170 };
171
172 if digest_str.len() < BASE64_NOPAD.encode_len(algo.digest_length()) {
174 return Err(Error::InvalidDigestLength(algo));
175 }
176
177 let mut spec = BASE64_NOPAD.specification();
180 spec.check_trailing_bits = false;
181 let encoding = spec
182 .encoding()
183 .expect("Snix bug: failed to get the special base64 encoder for Nix SRI hashes");
184
185 let digest = encoding
186 .decode(digest_str.trim_end_with(|c| c == '='))
187 .map_err(Error::InvalidBase64Encoding)?;
188
189 Self::from_algo_and_digest(algo, &digest)
190 }
191
192 pub fn write_sri_str(&self, w: &mut impl std::fmt::Write) -> Result<(), std::fmt::Error> {
194 write!(
195 w,
196 "{}-{}",
197 self.algo(),
198 BASE64.encode(self.digest_as_bytes())
199 )
200 }
201
202 pub fn to_sri_string(&self) -> String {
204 let mut s = String::new();
205 self.write_sri_str(&mut s).unwrap();
206
207 s
208 }
209
210 pub fn to_nix_lowerhex_string(&self) -> String {
212 format!(
213 "{}:{}",
214 self.algo(),
215 HEXLOWER.encode(self.digest_as_bytes())
216 )
217 }
218
219 pub fn from_str(s: &str, want_algo: Option<HashAlgo>) -> Result<NixHash, Error> {
226 if let Ok(parsed_nixhash) = Self::from_sri(s) {
228 if let Some(algo) = want_algo {
230 if algo != parsed_nixhash.algo() {
231 return Err(Error::ConflictingHashAlgos(algo, parsed_nixhash.algo()));
232 }
233 }
234 return Ok(parsed_nixhash);
235 }
236
237 if let Some(parsed_nixhash) = {
239 if let Some(rest) = s.strip_prefix("sha1:") {
240 Some(decode_digest(rest.as_bytes(), HashAlgo::Sha1)?)
241 } else if let Some(rest) = s.strip_prefix("sha256:") {
242 Some(decode_digest(rest.as_bytes(), HashAlgo::Sha256)?)
243 } else if let Some(rest) = s.strip_prefix("sha512:") {
244 Some(decode_digest(rest.as_bytes(), HashAlgo::Sha512)?)
245 } else if let Some(rest) = s.strip_prefix("md5:") {
246 Some(decode_digest(rest.as_bytes(), HashAlgo::Md5)?)
247 } else {
248 None
249 }
250 } {
251 if let Some(algo) = want_algo {
253 if algo != parsed_nixhash.algo() {
254 return Err(Error::ConflictingHashAlgos(algo, parsed_nixhash.algo()));
255 }
256 }
257
258 return Ok(parsed_nixhash);
259 }
260
261 let algo = want_algo.ok_or_else(|| Error::MissingInlineHashAlgo(s.to_string()))?;
263 decode_digest(s.as_bytes(), algo)
264 }
265}
266
267#[derive(Debug, Eq, PartialEq, thiserror::Error)]
269pub enum Error {
270 #[error("invalid hash algo")]
271 InvalidAlgo,
272 #[error("invalid SRI string")]
273 InvalidSRI,
274 #[error("invalid digest length for algo {0}")]
275 InvalidDigestLength(HashAlgo),
276 #[error("invalid base16 encoding: {0}")]
277 InvalidBase16Encoding(data_encoding::DecodeError),
278 #[error("invalid base32 encoding: {0}")]
279 InvalidBase32Encoding(data_encoding::DecodeError),
280 #[error("invalid base64 encoding: {0}")]
281 InvalidBase64Encoding(data_encoding::DecodeError),
282 #[error("conflicting hash algo: {0} (hash_algo) vs {1} (inline)")]
283 ConflictingHashAlgos(HashAlgo, HashAlgo),
284 #[error("missing inline hash algo, but no externally-specified algo: {0:?}")]
285 MissingInlineHashAlgo(String),
286}
287
288fn decode_digest(s: &[u8], algo: HashAlgo) -> Result<NixHash, Error> {
292 let digest = if s.len() == HEXLOWER.encode_len(algo.digest_length()) {
295 HEXLOWER
296 .decode(s.as_ref())
297 .map_err(Error::InvalidBase16Encoding)?
298 } else if s.len() == nixbase32::encode_len(algo.digest_length()) {
299 nixbase32::decode(s).map_err(Error::InvalidBase32Encoding)?
300 } else if s.len() == BASE64.encode_len(algo.digest_length()) {
301 BASE64
302 .decode(s.as_ref())
303 .map_err(Error::InvalidBase64Encoding)?
304 } else {
305 Err(Error::InvalidDigestLength(algo))?
306 };
307
308 Ok(NixHash::from_algo_and_digest(algo, &digest).unwrap())
309}
310
311#[cfg(test)]
312mod tests {
313 use crate::nixhash::{HashAlgo, NixHash};
314 use hex_literal::hex;
315 use rstest::rstest;
316 use std::sync::LazyLock;
317
318 const NIXHASH_SHA1: NixHash = NixHash::Sha1(hex!("6016777997c30ab02413cf5095622cd7924283ac"));
319 const NIXHASH_SHA256: NixHash = NixHash::Sha256(hex!(
320 "a5ce9c155ed09397614646c9717fc7cd94b1023d7b76b618d409e4fefd6e9d39"
321 ));
322 static NIXHASH_SHA512: LazyLock<NixHash> = LazyLock::new(|| {
323 NixHash::Sha512(Box::new(hex!("ab40d0be3541f0774bba7815d13d10b03252e96e95f7dbb4ee99a3b431c21662fd6971a020160e39848aa5f305b9be0f78727b2b0789e39f124d21e92b8f39ef"))
324 )
325 });
326 const NIXHASH_MD5: NixHash = NixHash::Md5(hex!("c4874a8897440b393d862d8fd459073f"));
327
328 #[rstest]
330 #[case::sri_sha1("sha1-YBZ3eZfDCrAkE89QlWIs15JCg6w=", HashAlgo::Sha1, NIXHASH_SHA1)]
332 #[case::sri_sha256(
333 "sha256-pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank/v1unTk=",
334 HashAlgo::Sha256,
335 NIXHASH_SHA256
336 )]
337 #[case::sri_sha512(
338 "sha512-q0DQvjVB8HdLungV0T0QsDJS6W6V99u07pmjtDHCFmL9aXGgIBYOOYSKpfMFub4PeHJ7KweJ458STSHpK4857w==",
339 HashAlgo::Sha512,
340 (*NIXHASH_SHA512).clone()
341 )]
342 #[case::lowerhex_sha1(
344 "sha1:6016777997c30ab02413cf5095622cd7924283ac",
345 HashAlgo::Sha1,
346 NIXHASH_SHA1
347 )]
348 #[case::lowerhex_sha256(
349 "sha256:a5ce9c155ed09397614646c9717fc7cd94b1023d7b76b618d409e4fefd6e9d39",
350 HashAlgo::Sha256,
351 NIXHASH_SHA256
352 )]
353 #[case::lowerhex_sha512("sha512:ab40d0be3541f0774bba7815d13d10b03252e96e95f7dbb4ee99a3b431c21662fd6971a020160e39848aa5f305b9be0f78727b2b0789e39f124d21e92b8f39ef", HashAlgo::Sha512, (*NIXHASH_SHA512).clone())]
354 #[case::lowerhex_md5("md5:c4874a8897440b393d862d8fd459073f", HashAlgo::Md5, NIXHASH_MD5)]
355 #[case::lowerhex_md5("md5-xIdKiJdECzk9hi2P1FkHPw==", HashAlgo::Md5, NIXHASH_MD5)]
356 #[case::base64_sha1("sha1:YBZ3eZfDCrAkE89QlWIs15JCg6w=", HashAlgo::Sha1, NIXHASH_SHA1)]
358 #[case::base64_sha256(
359 "sha256:pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank/v1unTk=",
360 HashAlgo::Sha256,
361 NIXHASH_SHA256
362 )]
363 #[case::base64_sha512("sha512:q0DQvjVB8HdLungV0T0QsDJS6W6V99u07pmjtDHCFmL9aXGgIBYOOYSKpfMFub4PeHJ7KweJ458STSHpK4857w==", HashAlgo::Sha512, (*NIXHASH_SHA512).clone())]
364 #[case::base64_md5("md5:xIdKiJdECzk9hi2P1FkHPw==", HashAlgo::Md5, NIXHASH_MD5)]
365 #[case::nixbase32_sha1("sha1:mj1l54np5ii9al6g2cjb02n3jxwpf5k0", HashAlgo::Sha1, NIXHASH_SHA1)]
367 #[case::nixbase32_sha256(
368 "sha256:0fcxdvyzxr09shcbcxkv7l1b356dqxzp3ja68rhrg4yhbqarrkm5",
369 HashAlgo::Sha256,
370 NIXHASH_SHA256
371 )]
372 #[case::nixbase32_sha512("sha512:3pkk3rbx4hls4lzwf4hfavvf9w0zgmr0prsb2l47471c850f5lzsqhnq8qv98wrxssdpxwmdvlm4cmh20yx25bqp95pgw216nzd0h5b", HashAlgo::Sha512, (*NIXHASH_SHA512).clone())]
373 #[case::nixbase32_md5("md5:1z0xcx93rdhqykj2s4jy44m1y4", HashAlgo::Md5, NIXHASH_MD5)]
374 fn from_str(#[case] s: &str, #[case] algo: HashAlgo, #[case] expected: NixHash) {
375 assert_eq!(
376 expected,
377 NixHash::from_str(s, Some(algo)).expect("must parse"),
378 "should parse"
379 );
380
381 assert_eq!(
383 expected,
384 NixHash::from_str(s, None).expect("must parse without algo too"),
385 "should parse"
386 );
387
388 if let Some(digest_str) = s
392 .strip_prefix("sha1:")
393 .or(s.strip_prefix("sha256:"))
394 .or(s.strip_prefix("sha512:"))
395 .or(s.strip_prefix("sha512:"))
396 {
397 assert_eq!(
398 expected,
399 NixHash::from_str(digest_str, Some(algo))
400 .expect("must parse digest-only if algo specified")
401 );
402 NixHash::from_str(digest_str, None)
403 .expect_err("must fail parsing digest-only if algo not specified");
404 }
405 }
406
407 #[test]
409 fn test_want_algo() {
410 NixHash::from_str("sha1-YBZ3eZfDCrAkE89QlWIs15JCg6w=", Some(HashAlgo::Md5))
411 .expect_err("parsing with conflicting want_algo should fail");
412
413 NixHash::from_str("sha1:YBZ3eZfDCrAkE89QlWIs15JCg6w=", Some(HashAlgo::Md5))
414 .expect_err("parsing with conflicting want_algo should fail");
415 }
416
417 #[test]
419 fn from_sri_str() {
420 let nix_hash = NixHash::from_sri("sha256-pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank/v1unTk=")
421 .expect("must succeed");
422
423 assert_eq!(HashAlgo::Sha256, nix_hash.algo());
424 assert_eq!(
425 &hex!("a5ce9c155ed09397614646c9717fc7cd94b1023d7b76b618d409e4fefd6e9d39"),
426 nix_hash.digest_as_bytes()
427 )
428 }
429
430 #[rstest]
432 #[case::no_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ")]
433 #[case::too_little_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ=")]
434 #[case::correct_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ==")]
435 #[case::too_much_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ===")]
436 #[case::additional_suffix_ignored("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ== cheesecake")]
437 fn from_sri_str_sha512_paddings(#[case] sri_str: &str) {
438 let nix_hash = NixHash::from_sri(sri_str).expect("must succeed");
439
440 assert_eq!(HashAlgo::Sha512, nix_hash.algo());
441 assert_eq!(
442 &hex!("ee0f754c1bd8a18428ad14eaa3ead80ff8b96275af5012e7a8384f1f10490da056eec9ae3cc791a7a13a24e16e54df5bccdd109c7d53a14534bbd7360a300b11"),
443 nix_hash.digest_as_bytes()
444 )
445 }
446
447 #[test]
450 fn from_sri_str_truncated() {
451 NixHash::from_sri("sha256-pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank").expect_err("must fail");
452 }
453
454 #[test]
456 fn from_sri_str_unsupported() {
457 NixHash::from_sri(
458 "sha384-o4UVSl89mIB0sFUK+3jQbG+C9Zc9dRlV/Xd3KAvXEbhqxu0J5OAdg6b6VHKHwQ7U",
459 )
460 .expect_err("must fail");
461 }
462
463 #[test]
465 fn from_sri_str_invalid_base64() {
466 NixHash::from_sri("sha256-invalid=base64").expect_err("must fail");
467 }
468
469 #[test]
478 fn sha256_broken_padding() {
479 let broken_base64 = "fgIr3TyFGDAXP5+qoAaiMKDg/a1MlT6Fv/S/DaA24S8";
480 let expected_digest =
482 hex!("7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f");
483
484 let nix_hash = NixHash::from_str(
486 &format!("sha256-{}", &broken_base64),
487 Some(HashAlgo::Sha256),
488 )
489 .expect("must succeed");
490 assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
491
492 let nix_hash =
494 NixHash::from_str(&format!("sha256-{}", &broken_base64), None).expect("must succeed");
495 assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
496
497 NixHash::from_str(broken_base64, Some(HashAlgo::Sha256)).expect_err("must fail");
499 }
500
501 #[test]
508 fn sha256_weird_base64() {
509 let weird_base64 = "syceJMUEknBDCHK8eGs6rUU3IQn+HnQfURfCrDxYPa9=";
510 let expected_digest =
511 hex!("b3271e24c5049270430872bc786b3aad45372109fe1e741f5117c2ac3c583daf");
512
513 let nix_hash =
514 NixHash::from_str(&format!("sha256-{}", &weird_base64), Some(HashAlgo::Sha256))
515 .expect("must succeed");
516 assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
517
518 let nix_hash =
520 NixHash::from_str(&format!("sha256-{}", &weird_base64), None).expect("must succeed");
521 assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
522
523 NixHash::from_str(weird_base64, Some(HashAlgo::Sha256)).expect_err("must fail");
525 }
526
527 #[test]
528 fn serialize_deserialize() {
529 let nixhash_actual = NixHash::Sha256(hex!(
530 "b3271e24c5049270430872bc786b3aad45372109fe1e741f5117c2ac3c583daf"
531 ));
532 let nixhash_str_json = "\"sha256-syceJMUEknBDCHK8eGs6rUU3IQn+HnQfURfCrDxYPa8=\"";
533
534 let serialized = serde_json::to_string(&nixhash_actual).expect("can serialize");
535
536 assert_eq!(nixhash_str_json, &serialized);
537
538 let deserialized: NixHash =
539 serde_json::from_str(nixhash_str_json).expect("must deserialize");
540 assert_eq!(&nixhash_actual, &deserialized);
541 }
542}