From e011c1517b0098ca6477886ab0685f7b7cfb7e78 Mon Sep 17 00:00:00 2001
From: Ashutosh Narkar
Date: Tue, 18 Jan 2022 12:57:59 -0800
Subject: [PATCH] bundle: Roundtrip manifest before hashing

When OPA verifies the content of the manifest file, it first parses it into a JSON structure and then recursively orders the fields of all objects alphabetically and then applies the hash function. The same process was not followed while generating the hash for the manifest content which would result in a digest mismatch during verification. This can be observed with a manifest that contains metadata.
Fixes: #4233
Signed-off-by: Ashutosh Narkar
---
 bundle/bundle.go | 16 +++++++++++++++-
 bundle/bundle_test.go | 2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/bundle/bundle.go b/bundle/bundle.go
index 13ec7fe561..d077bda5c0 100644
--- a/bundle/bundle.go
+++ b/bundle/bundle.go
@@ -750,10 +750,24 @@ func hashBundleFiles(hash SignatureHasher, b *Bundle) ([]FileInfo, error) {
 files = append(files, NewFile(strings.TrimPrefix(wasmModule.Path, "/"), hex.EncodeToString(bs), defaultHashingAlg))
 }
 
- bs, err = hash.HashFile(b.Manifest)
+ // Parse the manifest into a JSON structure;
+ // then recursively order the fields of all objects alphabetically and then apply
+ // the hash function to result to compute the hash.
+ mbs, err := json.Marshal(b.Manifest)
 if err != nil {
 return files, err
 }
+
+ var result map[string]interface{}
+ if err := util.Unmarshal(mbs, &result); err != nil {
+ return files, err
+ }
+
+ bs, err = hash.HashFile(result)
+ if err != nil {
+ return files, err
+ }
+
 files = append(files, NewFile(strings.TrimPrefix(ManifestExt, "/"), hex.EncodeToString(bs), defaultHashingAlg))
 
 return files, err
diff --git a/bundle/bundle_test.go b/bundle/bundle_test.go
index 314c981c9b..d2d79a63bf 100644
--- a/bundle/bundle_test.go
+++ b/bundle/bundle_test.go
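Review bot: The marshal/unmarshal canonicalization added before `bs, err = hash.HashFile(result)` is a second, hand-written copy of the parse-then-hash sequence that, per the commit description, the verification path already performs on the manifest, so the signing and verifying sides can drift apart again (for example when Manifest gains a field with a custom marshaler or `omitempty`) and reintroduce exactly this digest mismatch. Both sides should obtain the generic map from one shared helper so that any change to how the manifest is normalized reaches signing and verification together; a sketch is below. The added comment also attributes the alphabetical ordering to this block, but nothing here orders anything — that presumably happens inside HashFile — so it would read more accurately as `// Round-trip the manifest through JSON so the hasher sees the same generic structure the verifier parses from the bundle.` hashBundleFiles begins before this hunk.
```go
// manifestForHashing round-trips the manifest through JSON so that the value
// handed to the hasher is the same generic structure the verification path
// parses from the bundle; keeping both sides on this helper prevents the
// signing and verification digests from diverging again.
func manifestForHashing(m Manifest) (map[string]interface{}, error) {
	mbs, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	var result map[string]interface{}
	if err := util.Unmarshal(mbs, &result); err != nil {
		return nil, err
	}
	return result, nil
}

// … unchanged: wasm module hashing loop in hashBundleFiles …
	result, err := manifestForHashing(b.Manifest)
	if err != nil {
		return files, err
	}
	bs, err = hash.HashFile(result)
// … unchanged: error check, manifest FileInfo append, return …
```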
@@ -851,7 +851,9 @@ func TestRoundtrip(t *testing.T) {
 },
 },
 Manifest: Manifest{
+ Roots: &[]string{""},
 Revision: "quickbrownfaux",
+ Metadata: map[string]interface{}{"version": "v1", "hello": "world"},
 },
 }
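Review bot: The two new Manifest fields make TestRoundtrip cover the metadata case only indirectly, through whatever the round-trip compares, and nothing in this hunk asserts the manifest digest itself. A focused test that takes the manifest entry produced by hashBundleFiles for a manifest with Metadata and compares it with the digest the verification path derives for the same manifest would pin the fix directly, and would still catch a regression if TestRoundtrip's comparison were later loosened. The `"version"`/`"hello"` keys presumably were chosen so that insertion order differs from sorted order; a one-line comment saying so would keep a future edit from silently removing that property. TestRoundtrip starts and ends outside this hunk.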