nix_compat/nixhash/
mod.rs

1use crate::nixbase32;
2use bstr::ByteSlice;
3use data_encoding::{BASE64, BASE64_NOPAD, HEXLOWER};
4use std::cmp::Ordering;
5use std::fmt::Display;
6use thiserror;
7
8mod algos;
9mod ca_hash;
10pub mod serde;
11
12pub use algos::HashAlgo;
13pub use ca_hash::CAHash;
14pub use ca_hash::HashMode as CAHashMode;
15
16/// NixHash represents hashes known by Nix (md5/sha1/sha256/sha512).
17///
18/// Internally, these are represented as an enum of 4 kinds (the latter being
19/// boxed for size reasons, as we rarely use sha512, having a pointer there
20/// is fine).
21///
22/// There's [Self::algo] and [Self::digest_as_bytes] accessors,
23/// as well as a [Self::from_algo_and_digest] constructor.
24///
25/// A few methods to parse (`from_$format_$encoding`) and emit
26/// (`to_$format_$encoding`) various formats and encodings Nix uses.
27///
28/// # Formats
29/// The following formats exist:
30///
31/// ## Nix Format
32/// Lowercase algo, followed by a colon, then the digest.
33///
34/// ## SRI Format
35/// Uses the lowercase algo, followed by a `-`, then the digest (base64-encoded).
36/// This is also used in the Display implementation.
37///
38/// Contrary to the SRI spec, Nix doesn't have an understanding of passing
39/// multiple hashes (with different algos) in SRI hashes.
40/// It instead simply cuts everything off after the expected length for the
41/// specified algo, and tries to parse the rest in permissive base64 (allowing
42/// missing padding).
43///
44/// ## Digest only
45/// It's possible to not specify the algo at all. In that case, the expected
46/// NixHash algo MUST be provided externally.
47///
48/// # Encodings
49/// For "Nix" and "Digest only" formats, the following encodings are supported:
50///
51/// - lowerhex,
52/// - nixbase32,
53/// - base64 (StdEncoding)
54#[derive(Clone, Debug, Eq, PartialEq)]
55pub enum NixHash {
56    Md5([u8; 16]),
57    Sha1([u8; 20]),
58    Sha256([u8; 32]),
59    Sha512(Box<[u8; 64]>),
60}
61
62/// Same order as sorting the corresponding nixbase32 strings.
63///
64/// This order is used in the ATerm serialization of a derivation
65/// and thus affects the calculated output hash.
66impl Ord for NixHash {
67    fn cmp(&self, other: &NixHash) -> Ordering {
68        self.digest_as_bytes().cmp(other.digest_as_bytes())
69    }
70}
71
72// See Ord for reason to implement this manually.
73impl PartialOrd for NixHash {
74    fn partial_cmp(&self, other: &NixHash) -> Option<Ordering> {
75        Some(self.cmp(other))
76    }
77}
78
79// This provides a Display impl, which happens to be SRI right now.
80// If you explicitly care about the format, use [NixHash::to_sri_string]
81// or [NixHash::write_sri_str].
82impl Display for NixHash {
83    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> {
84        self.write_sri_str(f)
85    }
86}
87
88impl NixHash {
89    /// returns the algo as [HashAlgo].
90    pub fn algo(&self) -> HashAlgo {
91        match self {
92            NixHash::Md5(_) => HashAlgo::Md5,
93            NixHash::Sha1(_) => HashAlgo::Sha1,
94            NixHash::Sha256(_) => HashAlgo::Sha256,
95            NixHash::Sha512(_) => HashAlgo::Sha512,
96        }
97    }
98
99    /// returns the digest as variable-length byte slice.
100    pub fn digest_as_bytes(&self) -> &[u8] {
101        match self {
102            NixHash::Md5(digest) => digest,
103            NixHash::Sha1(digest) => digest,
104            NixHash::Sha256(digest) => digest,
105            NixHash::Sha512(digest) => digest.as_ref(),
106        }
107    }
108
109    /// Constructs a new [NixHash] by specifying [HashAlgo] and digest.
110    /// It can fail if the passed digest length doesn't match what's expected for
111    /// the passed algo.
112    pub fn from_algo_and_digest(algo: HashAlgo, digest: &[u8]) -> Result<NixHash, Error> {
113        if digest.len() != algo.digest_length() {
114            return Err(Error::InvalidDigestLength(algo));
115        }
116
117        Ok(match algo {
118            HashAlgo::Md5 => NixHash::Md5(digest.try_into().unwrap()),
119            HashAlgo::Sha1 => NixHash::Sha1(digest.try_into().unwrap()),
120            HashAlgo::Sha256 => NixHash::Sha256(digest.try_into().unwrap()),
121            HashAlgo::Sha512 => NixHash::Sha512(Box::new(digest.try_into().unwrap())),
122        })
123    }
124
125    /// Constructs a new [NixHash] from the Nix default hash format,
126    /// the inverse of [Self::to_nix_nixbase32].
127    pub fn from_nix_nixbase32(s: &str) -> Option<Self> {
128        let (tag, digest) = s.split_once(':')?;
129
130        (match tag {
131            "md5" => nixbase32::decode_fixed(digest).map(NixHash::Md5),
132            "sha1" => nixbase32::decode_fixed(digest).map(NixHash::Sha1),
133            "sha256" => nixbase32::decode_fixed(digest).map(NixHash::Sha256),
134            "sha512" => nixbase32::decode_fixed(digest)
135                .map(Box::new)
136                .map(NixHash::Sha512),
137            _ => return None,
138        })
139        .ok()
140    }
141
142    /// Formats a [NixHash] in the Nix nixbase32 format.
143    pub fn to_nix_nixbase32(&self) -> String {
144        format!(
145            "{}:{}",
146            self.algo(),
147            nixbase32::encode(self.digest_as_bytes())
148        )
149    }
150
151    /// Parses a Nix SRI string to a NixHash.
152    /// (See caveats in [Self] on the deviations from the SRI spec)
153    pub fn from_sri(s: &str) -> Result<NixHash, Error> {
154        // split at the first occurence of "-"
155        let (algo_str, digest_str) = s.split_once('-').ok_or(Error::InvalidSRI)?;
156
157        // try to map the part before that `-` to a supported hash algo:
158        let algo: HashAlgo = algo_str.try_into()?;
159
160        // For the digest string, Nix ignores everything after the expected BASE64
161        // (with padding) length, to account for the fact SRI allows specifying more
162        // than one checksum, so shorten it.
163        let digest_str = {
164            let encoded_max_len = BASE64.encode_len(algo.digest_length());
165            if digest_str.len() > encoded_max_len {
166                &digest_str.as_bytes()[..encoded_max_len]
167            } else {
168                digest_str.as_bytes()
169            }
170        };
171
172        // if the digest string is too small to fit even the BASE64_NOPAD version, bail out.
173        if digest_str.len() < BASE64_NOPAD.encode_len(algo.digest_length()) {
174            return Err(Error::InvalidDigestLength(algo));
175        }
176
177        // trim potential padding, and use a version that does not do trailing bit
178        // checking.
179        let mut spec = BASE64_NOPAD.specification();
180        spec.check_trailing_bits = false;
181        let encoding = spec
182            .encoding()
183            .expect("Snix bug: failed to get the special base64 encoder for Nix SRI hashes");
184
185        let digest = encoding
186            .decode(digest_str.trim_end_with(|c| c == '='))
187            .map_err(Error::InvalidBase64Encoding)?;
188
189        Self::from_algo_and_digest(algo, &digest)
190    }
191
192    /// Writes a [NixHash] in SRI format to a [std::fmt::Write].
193    pub fn write_sri_str(&self, w: &mut impl std::fmt::Write) -> Result<(), std::fmt::Error> {
194        write!(
195            w,
196            "{}-{}",
197            self.algo(),
198            BASE64.encode(self.digest_as_bytes())
199        )
200    }
201
202    /// Formats a [NixHash] to an SRI string.
203    pub fn to_sri_string(&self) -> String {
204        let mut s = String::new();
205        self.write_sri_str(&mut s).unwrap();
206
207        s
208    }
209
210    /// Formats a [NixHash] in the Nix lowerhex format.
211    pub fn to_nix_lowerhex_string(&self) -> String {
212        format!(
213            "{}:{}",
214            self.algo(),
215            HEXLOWER.encode(self.digest_as_bytes())
216        )
217    }
218
219    /// This parses all known output formats for NixHash.
220    /// See [NixHash] for a list.
221    /// An optional algo needs to be provided, which is mandatory to be specified if
222    /// the "digest only" format is used.
223    /// In other cases, consistency of an optionally externally configured algo
224    /// with the one parsed is ensured.
225    pub fn from_str(s: &str, want_algo: Option<HashAlgo>) -> Result<NixHash, Error> {
226        // Check for SRI hashes.
227        if let Ok(parsed_nixhash) = Self::from_sri(s) {
228            // ensure the algo matches with what has been passed externally, if so.
229            if let Some(algo) = want_algo {
230                if algo != parsed_nixhash.algo() {
231                    return Err(Error::ConflictingHashAlgos(algo, parsed_nixhash.algo()));
232                }
233            }
234            return Ok(parsed_nixhash);
235        }
236
237        // Check for $algo:$digest style NixHash.
238        if let Some(parsed_nixhash) = {
239            if let Some(rest) = s.strip_prefix("sha1:") {
240                Some(decode_digest(rest.as_bytes(), HashAlgo::Sha1)?)
241            } else if let Some(rest) = s.strip_prefix("sha256:") {
242                Some(decode_digest(rest.as_bytes(), HashAlgo::Sha256)?)
243            } else if let Some(rest) = s.strip_prefix("sha512:") {
244                Some(decode_digest(rest.as_bytes(), HashAlgo::Sha512)?)
245            } else if let Some(rest) = s.strip_prefix("md5:") {
246                Some(decode_digest(rest.as_bytes(), HashAlgo::Md5)?)
247            } else {
248                None
249            }
250        } {
251            // ensure the algo matches with what has been passed externally, if so.
252            if let Some(algo) = want_algo {
253                if algo != parsed_nixhash.algo() {
254                    return Err(Error::ConflictingHashAlgos(algo, parsed_nixhash.algo()));
255                }
256            }
257
258            return Ok(parsed_nixhash);
259        }
260
261        // We're left with the bare digest case, so there MUST be an externally-passed algo.
262        let algo = want_algo.ok_or_else(|| Error::MissingInlineHashAlgo(s.to_string()))?;
263        decode_digest(s.as_bytes(), algo)
264    }
265}
266
267/// Errors related to NixHash construction.
268#[derive(Debug, Eq, PartialEq, thiserror::Error)]
269pub enum Error {
270    #[error("invalid hash algo")]
271    InvalidAlgo,
272    #[error("invalid SRI string")]
273    InvalidSRI,
274    #[error("invalid digest length for algo {0}")]
275    InvalidDigestLength(HashAlgo),
276    #[error("invalid base16 encoding: {0}")]
277    InvalidBase16Encoding(data_encoding::DecodeError),
278    #[error("invalid base32 encoding: {0}")]
279    InvalidBase32Encoding(data_encoding::DecodeError),
280    #[error("invalid base64 encoding: {0}")]
281    InvalidBase64Encoding(data_encoding::DecodeError),
282    #[error("conflicting hash algo: {0} (hash_algo) vs {1} (inline)")]
283    ConflictingHashAlgos(HashAlgo, HashAlgo),
284    #[error("missing inline hash algo, but no externally-specified algo: {0:?}")]
285    MissingInlineHashAlgo(String),
286}
287
288/// Decode a plain digest depending on the hash algo specified externally.
289/// hexlower, nixbase32 and base64 encodings are supported - the encoding is
290/// inferred from the input length.
291fn decode_digest(s: &[u8], algo: HashAlgo) -> Result<NixHash, Error> {
292    // for the chosen hash algo, calculate the expected (decoded) digest length
293    // (as bytes)
294    let digest = if s.len() == HEXLOWER.encode_len(algo.digest_length()) {
295        HEXLOWER
296            .decode(s.as_ref())
297            .map_err(Error::InvalidBase16Encoding)?
298    } else if s.len() == nixbase32::encode_len(algo.digest_length()) {
299        nixbase32::decode(s).map_err(Error::InvalidBase32Encoding)?
300    } else if s.len() == BASE64.encode_len(algo.digest_length()) {
301        BASE64
302            .decode(s.as_ref())
303            .map_err(Error::InvalidBase64Encoding)?
304    } else {
305        Err(Error::InvalidDigestLength(algo))?
306    };
307
308    Ok(NixHash::from_algo_and_digest(algo, &digest).unwrap())
309}
310
311#[cfg(test)]
312mod tests {
313    use crate::nixhash::{HashAlgo, NixHash};
314    use hex_literal::hex;
315    use rstest::rstest;
316    use std::sync::LazyLock;
317
318    const NIXHASH_SHA1: NixHash = NixHash::Sha1(hex!("6016777997c30ab02413cf5095622cd7924283ac"));
319    const NIXHASH_SHA256: NixHash = NixHash::Sha256(hex!(
320        "a5ce9c155ed09397614646c9717fc7cd94b1023d7b76b618d409e4fefd6e9d39"
321    ));
322    static NIXHASH_SHA512: LazyLock<NixHash> = LazyLock::new(|| {
323        NixHash::Sha512(Box::new(hex!("ab40d0be3541f0774bba7815d13d10b03252e96e95f7dbb4ee99a3b431c21662fd6971a020160e39848aa5f305b9be0f78727b2b0789e39f124d21e92b8f39ef"))
324        )
325    });
326    const NIXHASH_MD5: NixHash = NixHash::Md5(hex!("c4874a8897440b393d862d8fd459073f"));
327
328    /// Test parsing a hash string in various formats, and also when/how the out-of-band algo is needed.
329    #[rstest]
330    // regular SRI hashes. We test some funny encoding edge cases in a separate test.
331    #[case::sri_sha1("sha1-YBZ3eZfDCrAkE89QlWIs15JCg6w=", HashAlgo::Sha1, NIXHASH_SHA1)]
332    #[case::sri_sha256(
333        "sha256-pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank/v1unTk=",
334        HashAlgo::Sha256,
335        NIXHASH_SHA256
336    )]
337    #[case::sri_sha512(
338        "sha512-q0DQvjVB8HdLungV0T0QsDJS6W6V99u07pmjtDHCFmL9aXGgIBYOOYSKpfMFub4PeHJ7KweJ458STSHpK4857w==",
339        HashAlgo::Sha512,
340        (*NIXHASH_SHA512).clone()
341    )]
342    // lowerhex
343    #[case::lowerhex_sha1(
344        "sha1:6016777997c30ab02413cf5095622cd7924283ac",
345        HashAlgo::Sha1,
346        NIXHASH_SHA1
347    )]
348    #[case::lowerhex_sha256(
349        "sha256:a5ce9c155ed09397614646c9717fc7cd94b1023d7b76b618d409e4fefd6e9d39",
350        HashAlgo::Sha256,
351        NIXHASH_SHA256
352    )]
353    #[case::lowerhex_sha512("sha512:ab40d0be3541f0774bba7815d13d10b03252e96e95f7dbb4ee99a3b431c21662fd6971a020160e39848aa5f305b9be0f78727b2b0789e39f124d21e92b8f39ef", HashAlgo::Sha512, (*NIXHASH_SHA512).clone())]
354    #[case::lowerhex_md5("md5:c4874a8897440b393d862d8fd459073f", HashAlgo::Md5, NIXHASH_MD5)]
355    #[case::lowerhex_md5("md5-xIdKiJdECzk9hi2P1FkHPw==", HashAlgo::Md5, NIXHASH_MD5)]
356    // base64
357    #[case::base64_sha1("sha1:YBZ3eZfDCrAkE89QlWIs15JCg6w=", HashAlgo::Sha1, NIXHASH_SHA1)]
358    #[case::base64_sha256(
359        "sha256:pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank/v1unTk=",
360        HashAlgo::Sha256,
361        NIXHASH_SHA256
362    )]
363    #[case::base64_sha512("sha512:q0DQvjVB8HdLungV0T0QsDJS6W6V99u07pmjtDHCFmL9aXGgIBYOOYSKpfMFub4PeHJ7KweJ458STSHpK4857w==", HashAlgo::Sha512, (*NIXHASH_SHA512).clone())]
364    #[case::base64_md5("md5:xIdKiJdECzk9hi2P1FkHPw==", HashAlgo::Md5, NIXHASH_MD5)]
365    // nixbase32
366    #[case::nixbase32_sha1("sha1:mj1l54np5ii9al6g2cjb02n3jxwpf5k0", HashAlgo::Sha1, NIXHASH_SHA1)]
367    #[case::nixbase32_sha256(
368        "sha256:0fcxdvyzxr09shcbcxkv7l1b356dqxzp3ja68rhrg4yhbqarrkm5",
369        HashAlgo::Sha256,
370        NIXHASH_SHA256
371    )]
372    #[case::nixbase32_sha512("sha512:3pkk3rbx4hls4lzwf4hfavvf9w0zgmr0prsb2l47471c850f5lzsqhnq8qv98wrxssdpxwmdvlm4cmh20yx25bqp95pgw216nzd0h5b", HashAlgo::Sha512, (*NIXHASH_SHA512).clone())]
373    #[case::nixbase32_md5("md5:1z0xcx93rdhqykj2s4jy44m1y4", HashAlgo::Md5, NIXHASH_MD5)]
374    fn from_str(#[case] s: &str, #[case] algo: HashAlgo, #[case] expected: NixHash) {
375        assert_eq!(
376            expected,
377            NixHash::from_str(s, Some(algo)).expect("must parse"),
378            "should parse"
379        );
380
381        // We expect all s to contain an algo in-band, so expect it to parse without an algo too.
382        assert_eq!(
383            expected,
384            NixHash::from_str(s, None).expect("must parse without algo too"),
385            "should parse"
386        );
387
388        // Whenever we encounter a hash with a `$algo:` prefix, we pop that prefix
389        // and test it parses without it if the algo is passed in externally, but fails if not.
390        // We do this for a subset of inputs here in the testcase, rather than adding 12 new testcases (4 algos x 3 encodings)
391        if let Some(digest_str) = s
392            .strip_prefix("sha1:")
393            .or(s.strip_prefix("sha256:"))
394            .or(s.strip_prefix("sha512:"))
395            .or(s.strip_prefix("sha512:"))
396        {
397            assert_eq!(
398                expected,
399                NixHash::from_str(digest_str, Some(algo))
400                    .expect("must parse digest-only if algo specified")
401            );
402            NixHash::from_str(digest_str, None)
403                .expect_err("must fail parsing digest-only if algo not specified");
404        }
405    }
406
407    // Test parsing a hash specifying another algo than what's passed externally fails.
408    #[test]
409    fn test_want_algo() {
410        NixHash::from_str("sha1-YBZ3eZfDCrAkE89QlWIs15JCg6w=", Some(HashAlgo::Md5))
411            .expect_err("parsing with conflicting want_algo should fail");
412
413        NixHash::from_str("sha1:YBZ3eZfDCrAkE89QlWIs15JCg6w=", Some(HashAlgo::Md5))
414            .expect_err("parsing with conflicting want_algo should fail");
415    }
416
417    /// Test parsing an SRI hash via the [nixhash::from_sri_str] method.
418    #[test]
419    fn from_sri_str() {
420        let nix_hash = NixHash::from_sri("sha256-pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank/v1unTk=")
421            .expect("must succeed");
422
423        assert_eq!(HashAlgo::Sha256, nix_hash.algo());
424        assert_eq!(
425            &hex!("a5ce9c155ed09397614646c9717fc7cd94b1023d7b76b618d409e4fefd6e9d39"),
426            nix_hash.digest_as_bytes()
427        )
428    }
429
430    /// Test parsing sha512 SRI hash with various paddings, Nix accepts all of them.
431    #[rstest]
432    #[case::no_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ")]
433    #[case::too_little_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ=")]
434    #[case::correct_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ==")]
435    #[case::too_much_padding("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ===")]
436    #[case::additional_suffix_ignored("sha512-7g91TBvYoYQorRTqo+rYD/i5YnWvUBLnqDhPHxBJDaBW7smuPMeRp6E6JOFuVN9bzN0QnH1ToUU0u9c2CjALEQ== cheesecake")]
437    fn from_sri_str_sha512_paddings(#[case] sri_str: &str) {
438        let nix_hash = NixHash::from_sri(sri_str).expect("must succeed");
439
440        assert_eq!(HashAlgo::Sha512, nix_hash.algo());
441        assert_eq!(
442            &hex!("ee0f754c1bd8a18428ad14eaa3ead80ff8b96275af5012e7a8384f1f10490da056eec9ae3cc791a7a13a24e16e54df5bccdd109c7d53a14534bbd7360a300b11"),
443            nix_hash.digest_as_bytes()
444        )
445    }
446
447    /// Ensure we detect truncated base64 digests, where the digest size
448    /// doesn't match what's expected from that hash function.
449    #[test]
450    fn from_sri_str_truncated() {
451        NixHash::from_sri("sha256-pc6cFV7Qk5dhRkbJcX/HzZSxAj17drYY1Ank").expect_err("must fail");
452    }
453
454    /// Ensure we fail on SRI hashes that Nix doesn't support.
455    #[test]
456    fn from_sri_str_unsupported() {
457        NixHash::from_sri(
458            "sha384-o4UVSl89mIB0sFUK+3jQbG+C9Zc9dRlV/Xd3KAvXEbhqxu0J5OAdg6b6VHKHwQ7U",
459        )
460        .expect_err("must fail");
461    }
462
463    /// Ensure we reject invalid base64 encoding
464    #[test]
465    fn from_sri_str_invalid_base64() {
466        NixHash::from_sri("sha256-invalid=base64").expect_err("must fail");
467    }
468
469    /// Nix also accepts SRI strings with missing padding, but only in case the
470    /// string is expressed as SRI, so it still needs to have a `sha256-` prefix.
471    ///
472    /// This both seems to work if it is passed with and without specifying the
473    /// hash algo out-of-band (hash = "sha256-…" or sha256 = "sha256-…")
474    ///
475    /// Passing the same broken base64 string, but not as SRI, while passing
476    /// the hash algo out-of-band does not work.
477    #[test]
478    fn sha256_broken_padding() {
479        let broken_base64 = "fgIr3TyFGDAXP5+qoAaiMKDg/a1MlT6Fv/S/DaA24S8";
480        // if padded with a trailing '='
481        let expected_digest =
482            hex!("7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f");
483
484        // passing hash algo out of band should succeed
485        let nix_hash = NixHash::from_str(
486            &format!("sha256-{}", &broken_base64),
487            Some(HashAlgo::Sha256),
488        )
489        .expect("must succeed");
490        assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
491
492        // not passing hash algo out of band should succeed
493        let nix_hash =
494            NixHash::from_str(&format!("sha256-{}", &broken_base64), None).expect("must succeed");
495        assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
496
497        // not passing SRI, but hash algo out of band should fail
498        NixHash::from_str(broken_base64, Some(HashAlgo::Sha256)).expect_err("must fail");
499    }
500
501    /// As we decided to pass our hashes by trimming `=` completely,
502    /// we need to take into account hashes with padding requirements which
503    /// contains trailing bits which would be checked by `BASE64_NOPAD` and would
504    /// make the verification crash.
505    ///
506    /// This base64 has a trailing non-zero bit at bit 42.
507    #[test]
508    fn sha256_weird_base64() {
509        let weird_base64 = "syceJMUEknBDCHK8eGs6rUU3IQn+HnQfURfCrDxYPa9=";
510        let expected_digest =
511            hex!("b3271e24c5049270430872bc786b3aad45372109fe1e741f5117c2ac3c583daf");
512
513        let nix_hash =
514            NixHash::from_str(&format!("sha256-{}", &weird_base64), Some(HashAlgo::Sha256))
515                .expect("must succeed");
516        assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
517
518        // not passing hash algo out of band should succeed
519        let nix_hash =
520            NixHash::from_str(&format!("sha256-{}", &weird_base64), None).expect("must succeed");
521        assert_eq!(&expected_digest, &nix_hash.digest_as_bytes());
522
523        // not passing SRI, but hash algo out of band should fail
524        NixHash::from_str(weird_base64, Some(HashAlgo::Sha256)).expect_err("must fail");
525    }
526
527    #[test]
528    fn serialize_deserialize() {
529        let nixhash_actual = NixHash::Sha256(hex!(
530            "b3271e24c5049270430872bc786b3aad45372109fe1e741f5117c2ac3c583daf"
531        ));
532        let nixhash_str_json = "\"sha256-syceJMUEknBDCHK8eGs6rUU3IQn+HnQfURfCrDxYPa8=\"";
533
534        let serialized = serde_json::to_string(&nixhash_actual).expect("can serialize");
535
536        assert_eq!(nixhash_str_json, &serialized);
537
538        let deserialized: NixHash =
539            serde_json::from_str(nixhash_str_json).expect("must deserialize");
540        assert_eq!(&nixhash_actual, &deserialized);
541    }
542}