Use go-digest to validate digests (#1395)

* Use go-digest to validate digests

* fix presubmit

* remove debugging, Jon is such a stickler

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/docker/docker v20.10.16+incompatible
 	github.com/google/go-cmp v0.5.8
 	github.com/mitchellh/go-homedir v1.1.0
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
 	github.com/spf13/cobra v1.4.0
 	golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401
@@ -30,7 +31,6 @@ require (
 	github.com/klauspost/compress v1.15.4 // indirect
 	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect

pkg/authn/kubernetes/go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	golang.org/x/net v0.0.0-20220524220425-1d687d428aca // indirect

pkg/name/digest.go

@@ -15,16 +15,14 @@
 package name
 
 import (
+	_ "crypto/sha256" // Recommended by go-digest.
 	"strings"
-)
 
-const (
-	// These have the form: sha256:<hex string>
-	// TODO(dekkagaijin): replace with opencontainers/go-digest or docker/distribution's validation.
-	digestChars = "sh:0123456789abcdef"
-	digestDelim = "@"
+	"github.com/opencontainers/go-digest"
 )
 
+const digestDelim = "@"
+
 // Digest stores a digest name in a structured form.
 type Digest struct {
 	Repository
@@ -60,10 +58,6 @@ func (d Digest) String() string {
 	return d.original
 }
 
-func checkDigest(name string) error {
-	return checkElement("digest", name, digestChars, 7+64, 7+64)
-}
-
 // NewDigest returns a new Digest representing the given name.
 func NewDigest(name string, opts ...Option) (Digest, error) {
 	// Split on "@"
@@ -72,10 +66,13 @@ func NewDigest(name string, opts ...Option) (Digest, error) {
 		return Digest{}, newErrBadName("a digest must contain exactly one '@' separator (e.g. registry/repository@digest) saw: %s", name)
 	}
 	base := parts[0]
-	digest := parts[1]
-
-	// Always check that the digest is valid.
-	if err := checkDigest(digest); err != nil {
+	dig := parts[1]
+	prefix := digest.Canonical.String() + ":"
+	if !strings.HasPrefix(dig, prefix) {
+		return Digest{}, newErrBadName("unsupported digest algorithm: %s", dig)
+	}
+	hex := strings.TrimPrefix(dig, prefix)
+	if err := digest.Canonical.Validate(hex); err != nil {
 		return Digest{}, err
 	}
 
@@ -90,7 +87,7 @@ func NewDigest(name string, opts ...Option) (Digest, error) {
 	}
 	return Digest{
 		Repository: repo,
-		digest:     digest,
+		digest:     dig,
 		original:   name,
 	}, nil
 }

pkg/name/digest_test.go

@@ -49,6 +49,10 @@ var badDigestNames = []string{
 	"gcr.io/project-id/unknown-alg@unknown:abc123",
 	"gcr.io/project-id/wrong-length@sha256:d34db33fd34db33f",
 	"gcr.io/project-id/missing-digest@",
+	// https://github.com/google/go-containerregistry/issues/1394
+	"repo@sha256:" + strings.Repeat(":", 64),
+	"repo@sha256:" + strings.Repeat("sh", 32),
+	"repo@sha256:" + validDigest + "@" + validDigest,
 }
 
 func TestNewDigestStrictValidation(t *testing.T) {