remvoe support for sha1 and md5 hashing for public keys

aryan9600 · aryan9600 · commit 94c50fa3a850 · 2022-05-27T14:01:23.000+05:30
Signed-off-by: Sanskar Jaiswal &lt;jaiswalsanskar078@gmail.com&gt;
diff --git a/pkg/git/libgit2/managed/ssh.go b/pkg/git/libgit2/managed/ssh.go
@@ -165,7 +165,7 @@ func (t *sshSmartSubtransport) Action(transportOptionsURL string, action git2go.
 		cert := &git2go.Certificate{
 			Kind: git2go.CertificateHostkey,
 			Hostkey: git2go.HostkeyCertificate{
-				Kind:         git2go.HostkeySHA256,
+				Kind:         git2go.HostkeySHA256 | git2go.HostkeyRaw,
 				HashSHA256:   sha256.Sum256(marshaledKey),
 				Hostkey:      marshaledKey,
 				SSHPublicKey: key,
diff --git a/pkg/git/libgit2/managed/transport.go b/pkg/git/libgit2/managed/transport.go
@@ -1,8 +1,6 @@
 package managed
 
 import (
-	"crypto/md5"
-	"crypto/sha1"
 	"crypto/sha256"
 	"fmt"
 	"hash"
@@ -49,16 +47,8 @@ func KnownHostsCallback(host string, knownHosts []byte) git2go.CertificateCheckC
 		case cert.Hostkey.Kind&git2go.HostkeySHA256 > 0:
 			fingerprint = cert.Hostkey.HashSHA256[:]
 			hasher = sha256.New()
-		// SHA1 and MD5 are present here, because they're used for unmanaged transport.
-		// TODO: get rid of this, when unmanaged transport is completely removed.
-		case cert.Hostkey.Kind&git2go.HostkeySHA1 > 0:
-			fingerprint = cert.Hostkey.HashSHA1[:]
-			hasher = sha1.New()
-		case cert.Hostkey.Kind&git2go.HostkeyMD5 > 0:
-			fingerprint = cert.Hostkey.HashMD5[:]
-			hasher = md5.New()
 		default:
-			return fmt.Errorf("invalid host key kind, expected to be one of SHA256, SHA1, MD5")
+			return fmt.Errorf("invalid host key kind, expected to be of kind SHA256")
 		}
 
 		// We are now certain that the configured host and the hostname
diff --git a/pkg/git/libgit2/managed/transport_test.go b/pkg/git/libgit2/managed/transport_test.go
@@ -29,31 +29,31 @@ func TestKnownHostsCallback(t *testing.T) {
 			name:         "Match",
 			host:         "github.com",
 			knownHosts:   []byte(knownHostsFixture),
-			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA1 | git2go.HostkeyMD5, HashSHA1: sha1Fingerprint("v2toJdKXfFEaR1u++4iq1UqSrHM")},
+			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8")},
 			expectedHost: "github.com",
 			want:         nil,
 		},
 		{
 			name:         "Match with port",
 			host:         "github.com",
 			knownHosts:   []byte(knownHostsFixture),
-			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA1 | git2go.HostkeyMD5, HashSHA1: sha1Fingerprint("v2toJdKXfFEaR1u++4iq1UqSrHM")},
+			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8")},
 			expectedHost: "github.com:22",
 			want:         nil,
 		},
 		{
 			name:         "Hostname mismatch",
 			host:         "github.com",
 			knownHosts:   []byte(knownHostsFixture),
-			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA1 | git2go.HostkeyMD5, HashSHA1: sha1Fingerprint("v2toJdKXfFEaR1u++4iq1UqSrHM")},
+			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8")},
 			expectedHost: "example.com",
 			want:         fmt.Errorf("host mismatch: %q %q", "example.com", "github.com"),
 		},
 		{
 			name:         "Hostkey mismatch",
 			host:         "github.com",
 			knownHosts:   []byte(knownHostsFixture),
-			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeyMD5, HashMD5: md5Fingerprint("\xb6\x03\x0e\x39\x97\x9e\xd0\xe7\x24\xce\xa3\x77\x3e\x01\x42\x09")},
+			hostkey:      git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ")},
 			expectedHost: "github.com",
 			want:         fmt.Errorf("hostkey could not be verified"),
 		},
@@ -73,21 +73,6 @@ func TestKnownHostsCallback(t *testing.T) {
 		})
 	}
 }
-func md5Fingerprint(in string) [16]byte {
-	var out [16]byte
-	copy(out[:], in)
-	return out
-}
-
-func sha1Fingerprint(in string) [20]byte {
-	d, err := base64.RawStdEncoding.DecodeString(in)
-	if err != nil {
-		panic(err)
-	}
-	var out [20]byte
-	copy(out[:], d)
-	return out
-}
 
 func sha256Fingerprint(in string) [32]byte {
 	d, err := base64.RawStdEncoding.DecodeString(in)
