Merge pull request #1454 from sechkova/hashes-handle-sslib-errors

Jussi Kukkonen · web-flow · commit 7108ea2e0e3e · 2021-06-23T10:19:14.000+03:00
BaseFile._verify_hashes: handle sslib errors
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -541,6 +541,15 @@ def  test_length_and_hash_validation(self):
             self.assertRaises(exceptions.LengthOrHashMismatchError,
                 snapshot_metafile.verify_length_and_hashes, data)
 
+            snapshot_metafile.hashes = {'unsupported-alg': "8f88e2ba48b412c3843e9bb26e1b6f8fc9e98aceb0fbaa97ba37b4c98717d7ab"}
+            self.assertRaises(exceptions.LengthOrHashMismatchError,
+            snapshot_metafile.verify_length_and_hashes, data)
+
+            # Test wrong algorithm format (sslib.FormatError)
+            snapshot_metafile.hashes = { 256: "8f88e2ba48b412c3843e9bb26e1b6f8fc9e98aceb0fbaa97ba37b4c98717d7ab"}
+            self.assertRaises(exceptions.LengthOrHashMismatchError,
+            snapshot_metafile.verify_length_and_hashes, data)
+
             # test optional length and hashes
             snapshot_metafile.length = None
             snapshot_metafile.hashes = None
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -679,12 +679,20 @@ def _verify_hashes(
         """Verifies that the hash of 'data' matches 'expected_hashes'"""
         is_bytes = isinstance(data, bytes)
         for algo, exp_hash in expected_hashes.items():
-            if is_bytes:
-                digest_object = sslib_hash.digest(algo)
-                digest_object.update(data)
-            else:
-                # if data is not bytes, assume it is a file object
-                digest_object = sslib_hash.digest_fileobject(data, algo)
+            try:
+                if is_bytes:
+                    digest_object = sslib_hash.digest(algo)
+                    digest_object.update(data)
+                else:
+                    # if data is not bytes, assume it is a file object
+                    digest_object = sslib_hash.digest_fileobject(data, algo)
+            except (
+                sslib_exceptions.UnsupportedAlgorithmError,
+                sslib_exceptions.FormatError,
+            ) as e:
+                raise exceptions.LengthOrHashMismatchError(
+                    f"Unsupported algorithm '{algo}'"
+                ) from e
 
             observed_hash = digest_object.hexdigest()
             if observed_hash != exp_hash:
@@ -797,7 +805,7 @@ def verify_length_and_hashes(self, data: Union[bytes, BinaryIO]):
             data: File object or its content in bytes.
         Raises:
             LengthOrHashMismatchError: Calculated length or hashes do not
-                match expected values.
+                match expected values or hash algorithm is not supported.
         """
         if self.length is not None:
             self._verify_length(data, self.length)
@@ -1094,7 +1102,7 @@ def verify_length_and_hashes(self, data: Union[bytes, BinaryIO]):
             data: File object or its content in bytes.
         Raises:
             LengthOrHashMismatchError: Calculated length or hashes do not
-                match expected values.
+                match expected values or hash algorithm is not supported.
         """
         self._verify_length(data, self.length)
         self._verify_hashes(data, self.hashes)
