Add CLI flags to specify what hash is preferred

gocsaf · Sep 9, 2024 · 3e16f61 · 3e16f61
1 parent be2e4e7
commit 3e16f61
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 28 deletions.
diff --git a/cmd/csaf_downloader/config.go b/cmd/csaf_downloader/config.go
@@ -41,6 +41,13 @@ const (
 	validationUnsafe = validationMode("unsafe")
 )
 
+type hashAlgorithm string
+
+const (
+	SHA256 = hashAlgorithm("SHA256")
+	SHA512 = hashAlgorithm("SHA512")
+)
+
 type config struct {
 	Directory            string            `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR" toml:"directory"`
 	Insecure             bool              `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
@@ -79,6 +86,9 @@ type config struct {
 
 	clientCerts   []tls.Certificate
 	ignorePattern filter.PatternMatcher
+
+	//lint:ignore SA5008 We are using choice or than once: sha256, sha512
+	PreferredHash hashAlgorithm `long:"preferred_hash" short:"h" choice:"sha256" choice:"sha512" value-name:"HASH" description:"HASH to prefer" toml:"preferred_hash"`
 }
 
 // configPaths are the potential file locations of the config file.
@@ -220,7 +230,7 @@ func (cfg *config) prepareLogging() error {
 		w = f
 	}
 	ho := slog.HandlerOptions{
-		//AddSource: true,
+		// AddSource: true,
 		Level:       cfg.LogLevel.Level,
 		ReplaceAttr: dropSubSeconds,
 	}

diff --git a/cmd/csaf_downloader/downloader.go b/cmd/csaf_downloader/downloader.go
@@ -53,7 +53,6 @@ type downloader struct {
 const failedValidationDir = "failed_validation"
 
 func newDownloader(cfg *config) (*downloader, error) {
-
 	var validator csaf.RemoteValidator
 
 	if cfg.RemoteValidator != "" {
@@ -103,7 +102,6 @@ func logRedirect(req *http.Request, via []*http.Request) error {
 }
 
 func (d *downloader) httpClient() util.Client {
-
 	hClient := http.Client{}
 
 	if d.cfg.verbose() {
@@ -253,7 +251,6 @@ func (d *downloader) downloadFiles(
 	label csaf.TLPLabel,
 	files []csaf.AdvisoryFile,
 ) error {
-
 	var (
 		advisoryCh = make(chan csaf.AdvisoryFile)
 		errorCh    = make(chan error)
@@ -303,7 +300,6 @@ func (d *downloader) loadOpenPGPKeys(
 	base *url.URL,
 	expr *util.PathEval,
 ) error {
-
 	src, err := expr.Eval("$.public_openpgp_keys", doc)
 	if err != nil {
 		// no keys.
@@ -357,7 +353,6 @@ func (d *downloader) loadOpenPGPKeys(
 			defer res.Body.Close()
 			return crypto.NewKeyFromArmoredReader(res.Body)
 		}()
-
 		if err != nil {
 			slog.Warn(
 				"Reading public OpenPGP key failed",
@@ -501,31 +496,35 @@ nextAdvisory:
 			signData                   []byte
 		)
 
-		// Only hash when we have a remote counterpart we can compare it with.
-		if remoteSHA256, s256Data, err = loadHash(client, file.SHA256URL()); err != nil {
-			if !file.IsDirectory() {
-				slog.Warn("Cannot fetch SHA256",
-					"url", file.SHA256URL(),
-					"error", err)
+		if (d.cfg.PreferredHash != "sha512" || file.SHA512URL() == "") && file.SHA256URL() != "" {
+			// Only hash when we have a remote counterpart we can compare it with.
+			if remoteSHA256, s256Data, err = loadHash(client, file.SHA256URL()); err != nil {
+				if !file.IsDirectory() {
+					slog.Warn("Cannot fetch SHA256",
+						"url", file.SHA256URL(),
+						"error", err)
+				} else {
+					slog.Info("SHA256 not present", "file", file.URL())
+				}
 			} else {
-				slog.Info("SHA256 not present", "file", file.URL())
+				s256 = sha256.New()
+				writers = append(writers, s256)
 			}
-		} else {
-			s256 = sha256.New()
-			writers = append(writers, s256)
 		}
 
-		if remoteSHA512, s512Data, err = loadHash(client, file.SHA512URL()); err != nil {
-			if !file.IsDirectory() {
-				slog.Warn("Cannot fetch SHA512",
-					"url", file.SHA512URL(),
-					"error", err)
+		if (d.cfg.PreferredHash != "sha256" || file.SHA256URL() == "") && file.SHA512URL() != "" {
+			if remoteSHA512, s512Data, err = loadHash(client, file.SHA512URL()); err != nil {
+				if !file.IsDirectory() {
+					slog.Warn("Cannot fetch SHA512",
+						"url", file.SHA512URL(),
+						"error", err)
+				} else {
+					slog.Info("SHA512 not present", "file", file.URL())
+				}
 			} else {
-				slog.Info("SHA512 not present", "file", file.URL())
+				s512 = sha512.New()
+				writers = append(writers, s512)
 			}
-		} else {
-			s512 = sha512.New()
-			writers = append(writers, s512)
 		}
 
 		// Remember the data as we need to store it to file later.
@@ -757,9 +756,6 @@ func loadSignature(client util.Client, p string) (*crypto.PGPSignature, []byte,
 }
 
 func loadHash(client util.Client, p string) ([]byte, []byte, error) {
-	if p == "" {
-		return nil, nil, fmt.Errorf("no hash path provided")
-	}
 	resp, err := client.Get(p)
 	if err != nil {
 		return nil, nil, err