Update repository_lib and client/updater to use the canonical json representation when hashing snapshot information.

By using the canonical json representation, this commit ensures that the
hash will be consistent across different python versions. this commit
additionally updates the test data to use the correct hashes.

Signed-off-by: marinamoore <[email protected]>

Author: mnm678

tests/repository_data/repository/metadata/role1-snapshot.json

@@ -1,11 +1,14 @@
 {
  "leaf_contents": {
+  "name": "role1",
   "version": 1
  },
  "merkle_path": {
-  "0": "d0657b1fe8cd74976421241692e36b86ebd8f923a3f71ec99dbcacac319a11eb"
+  "0": "3bd2912d01accd816767dcde96a2b470dc5bb51cefe3b3aeb3aca7fdc1704d6b",
+  "1": "70304860310d2c6f0a05f2ccbfb49a4a6d6d3c7a9ff9c93e0b91b2e0ab7fff97"
  },
  "path_directions": {
-  "0": 1
+  "0": -1,
+  "1": -1
  }
 }

tests/repository_data/repository/metadata/role2-snapshot.json

@@ -1,10 +1,11 @@
 {
  "leaf_contents": {
+  "name": "role2",
   "version": 1
  },
  "merkle_path": {
-  "0": "abcfdd2bed858c5d7e8866a21bbdee0ca94cc03fd61f9a8c7ccbe4e50a78044a",
-  "1": "d5d4546f9bfcce78a079fff48828b922091b5be9e874d5d2ce075e314dd19e13"
+  "0": "9a8cf4b3e3cf611d339867f295792c3105d3d8ebfcd559607f9528ba7511e52a",
+  "1": "70304860310d2c6f0a05f2ccbfb49a4a6d6d3c7a9ff9c93e0b91b2e0ab7fff97"
  },
  "path_directions": {
   "0": 1,

tests/repository_data/repository/metadata/targets-snapshot.json

@@ -1,13 +1,12 @@
 {
  "leaf_contents": {
+  "name": "targets",
   "version": 1
  },
  "merkle_path": {
-  "0": "4d9f52a07628625e664bfd96868b69d5b4e81debf3f00ed3940e00cd8dc3da70",
-  "1": "d5d4546f9bfcce78a079fff48828b922091b5be9e874d5d2ce075e314dd19e13"
+  "0": "30e11c75a8fa88fd36cc2a4796c5c9f405c9ae52b7adf4180d1c351141e5037a"
  },
  "path_directions": {
-  "0": -1,
-  "1": -1
+  "0": 1
  }
 }

tests/repository_data/repository/metadata/timestamp-merkle.json

@@ -2,13 +2,13 @@
  "signatures": [
   {
    "keyid": "8a1c4a3ac2d515dec982ba9910c5fd79b91ae57f625b9cff25d06bf0a61c1758",
-   "sig": "c900d68461b8defb7d5d081376576c54f6e619ef8fde33d07b88e2763f123fbb10844168b7dfc638e0b137a8289bf56253a528e4b771ea5277182950f1517c0c"
+   "sig": "1790a53390ab9928ba5c46e7a30a4e0348976e26f34d8cdd29ee11d644276dfc72e3fff6d1a7a913a42a1443cda12a738a3e4803818e970446a91e0e99f24601"
   }
  ],
  "signed": {
   "_type": "timestamp",
   "expires": "2030-01-01T00:00:00Z",
-  "merkle_root": "2b232a308f285d2ef594fa4410d3982f3982e33c28cd73fe1f23a0014be7da77",
+  "merkle_root": "76eb3066cb278633fda18fa6e3ae33d783ff154e813e2752eb7bc8b65568a41b",
   "meta": {
    "snapshot.json": {
     "hashes": {

tests/test_updater.py

@@ -1783,7 +1783,9 @@ def test_snapshot_merkle(self):
 
     # Test verify merkle path
     snapshot_info = repository_updater._verify_merkle_path('targets')
+    self.assertEqual(snapshot_info['version'], 1)
 
+    snapshot_info = repository_updater._verify_merkle_path('role1')
     self.assertEqual(snapshot_info['version'], 1)
 
     # verify merkle path with invalid role

tuf/client/updater.py

@@ -1901,8 +1901,9 @@ def _verify_merkle_path(self, metadata_role):
 
       # hash the contents to determine the leaf hash in the merkle tree
       contents = snapshot_merkle['leaf_contents']
+      json_contents = securesystemslib.formats.encode_canonical(contents)
       digest_object = securesystemslib.hash.digest()
-      digest_object.update((metadata_role + str(contents) + '0').encode('utf-8'))
+      digest_object.update((json_contents).encode('utf-8'))
       node_hash = digest_object.hexdigest()
 
       # For each hash in the merkle_path, determine if the current node is

tuf/repository_lib.py

@@ -1594,7 +1594,7 @@ def __init__(self, left, right):
 
     left.set_parent(self)
     right.set_parent(self)
-    digest_object = securesystemslib.hash.digest()
+    digest_object = securesystemslib.hash.digest(algorithm=HASH_FUNCTION)
 
     digest_object.update((left.hash() + right.hash()).encode('utf-8'))
 
@@ -1627,16 +1627,19 @@ class Leaf(Node):
 
   def __init__(self, name, contents, digest = None):
     super(Leaf, self).__init__()
+    # Include the name to ensure the hash differs between elements and cannot be replayed
+    contents["name"] = name
     self._contents = contents
     self._name = name
 
     if digest:
       self._hash = digest
     else:
-      digest_object = securesystemslib.hash.digest()
-      # Append a 0 for reverse preimage protection
-      # Include the name to ensure the hash differs between elements
-      digest_object.update((name + str(contents) + '0').encode('utf-8'))
+      digest_object = securesystemslib.hash.digest(algorithm=HASH_FUNCTION)
+      # Hash the canonical json form of the data to ensure consistency
+      json_contents = securesystemslib.formats.encode_canonical(contents)
+
+      digest_object.update(json_contents.encode('utf-8'))
       self._hash = digest_object.hexdigest()
 
   def name(self):