WIP add protection against snapshot preimage attack

mnm678 · mnm678 · commit 2045e6aebc8d · 2021-04-02T13:52:09.000-07:00
TODO fix client

Signed-off-by: Marina Moore &lt;mnm678@gmail.com&gt;
diff --git a/tuf/client/updater.py b/tuf/client/updater.py
@@ -1915,7 +1915,7 @@ def verify_merkle_path(self, metadata_role, version=None, merkle_root=None):
     json_contents = securesystemslib.formats.encode_canonical(contents)
     digest_object = securesystemslib.hash.digest()
     digest_object.update((json_contents).encode('utf-8'))
-    node_hash = digest_object.hexdigest()
+    node_hash = "a" + digest_object.hexdigest()
 
     # For each hash in the merkle_path, determine if the current node is
     # a left of a right node using the path_directions, then combine
@@ -1941,7 +1941,7 @@ def verify_merkle_path(self, metadata_role, version=None, merkle_root=None):
         # The current node is a right node
         digest_object = securesystemslib.hash.digest()
         digest_object.update((merkle_path[i] + node_hash).encode('utf-8'))
-      node_hash = digest_object.hexdigest()
+      node_hash = "b" + digest_object.hexdigest()
 
     # Does the result match the merkle root?
     if node_hash != merkle_root:
diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py
@@ -1604,7 +1604,7 @@ def __init__(self, left, right):
 
     digest_object.update((left.digest + right.digest).encode('utf-8'))
 
-    self.digest = digest_object.hexdigest()
+    self.digest = "a" + digest_object.hexdigest()
 
 
 
@@ -1638,7 +1638,7 @@ def __init__(self, name, contents, digest=None):
       json_contents = securesystemslib.formats.encode_canonical(contents)
 
       digest_object.update(json_contents.encode('utf-8'))
-      self.digest = digest_object.hexdigest()
+      self.digest = "b" + digest_object.hexdigest()
 
   def is_leaf(self):
     return True
