fix: add support for multiple checksum algorithms

Author: ppkarwasz

pom.xml

@@ -199,6 +199,11 @@
       <artifactId>commons-compress</artifactId>
       <version>1.28.0</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <version>3.20.0</version>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.plugins</groupId>
       <artifactId>maven-gpg-plugin</artifactId>

src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java

@@ -17,10 +17,12 @@
 package org.apache.commons.release.plugin.internal;
 
 import java.io.IOException;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
 import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
@@ -30,6 +32,35 @@
  */
 public final class ArtifactUtils {
 
+    /**
+     * Maps standard JDK {@link java.security.MessageDigest} algorithm names to the in-toto digest names used in SLSA {@link ResourceDescriptor} digest sets.
+     *
+     * <p>JDK algorithms that have no in-toto equivalent (such as {@code MD2}) are omitted.</p>
+     *
+     * @see <a href="https://docs.oracle.com/en/java/javase/25/docs/specs/security/standard-names.html#messagedigest-algorithms">
+     *      JDK standard {@code MessageDigest} algorithm names</a>
+     * @see <a href="https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md">
+     *      in-toto digest set specification</a>
+     */
+    private static final Map<String, String> IN_TOTO_DIGEST_NAMES;
+
+    static {
+        final Map<String, String> m = new HashMap<>();
+        m.put("MD5", "md5");
+        m.put("SHA-1", "sha1");
+        m.put("SHA-224", "sha224");
+        m.put("SHA-256", "sha256");
+        m.put("SHA-384", "sha384");
+        m.put("SHA-512", "sha512");
+        m.put("SHA-512/224", "sha512_224");
+        m.put("SHA-512/256", "sha512_256");
+        m.put("SHA3-224", "sha3_224");
+        m.put("SHA3-256", "sha3_256");
+        m.put("SHA3-384", "sha3_384");
+        m.put("SHA3-512", "sha3_512");
+        IN_TOTO_DIGEST_NAMES = Collections.unmodifiableMap(m);
+    }
+
     /** No instances. */
     private ArtifactUtils() {
         // prevent instantiation
@@ -84,31 +115,40 @@ public static String getPackageUrl(Artifact artifact) {
      * Gets a map of checksum algorithm names to hex-encoded digest values for the given artifact file.
      *
      * @param artifact A Maven artifact.
+     * @param algorithms JSSE names of algorithms to use
      * @return A map of checksum algorithm names to hex-encoded digest values.
      * @throws IOException If an I/O error occurs reading the artifact file.
+     * @throws IllegalArgumentException If any of the algorithms is not supported.
      */
-    private static Map<String, String> getChecksums(Artifact artifact) throws IOException {
+    private static Map<String, String> getChecksums(Artifact artifact, String... algorithms) throws IOException {
         Map<String, String> checksums = new HashMap<>();
-        DigestUtils digest = new DigestUtils(DigestUtils.getSha256Digest());
-        String sha256sum = digest.digestAsHex(artifact.getFile());
-        checksums.put("sha256", sha256sum);
+        for (String algorithm : algorithms) {
+            String key = IN_TOTO_DIGEST_NAMES.get(algorithm);
+            if (key == null) {
+                throw new IllegalArgumentException("Invalid algorithm name for in-toto attestation: " + algorithm);
+            }
+            DigestUtils digest = new DigestUtils(DigestUtils.getDigest(algorithm));
+            String checksum = digest.digestAsHex(artifact.getFile());
+            checksums.put(key, checksum);
+        }
         return checksums;
     }
 
     /**
      * Converts a Maven artifact to a SLSA {@link ResourceDescriptor}.
      *
      * @param artifact A Maven artifact.
+     * @param algorithms A comma-separated list of checksum algorithms to use.
      * @return A SLSA resource descriptor.
      * @throws MojoExecutionException If an I/O error occurs retrieving the artifact.
      */
-    public static ResourceDescriptor toResourceDescriptor(Artifact artifact) throws MojoExecutionException {
+    public static ResourceDescriptor toResourceDescriptor(Artifact artifact, String algorithms) throws MojoExecutionException {
         ResourceDescriptor descriptor = new ResourceDescriptor();
         descriptor.setName(getFileName(artifact));
         descriptor.setUri(getPackageUrl(artifact));
         if (artifact.getFile() != null) {
             try {
-                descriptor.setDigest(getChecksums(artifact));
+                descriptor.setDigest(getChecksums(artifact, StringUtils.split(algorithms, ",")));
             } catch (IOException e) {
                 throw new MojoExecutionException("Unable to compute hash for artifact file: " + artifact.getFile(), e);
             }

src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java

@@ -128,6 +128,12 @@ public class BuildAttestationMojo extends AbstractMojo {
     @Parameter(property = "commons.release.signAttestation", defaultValue = "true")
     private boolean signAttestation;
 
+    /**
+     * Checksum algorithms used in the generated attestation.
+     */
+    @Parameter(property = "commons.release.checksums.algorithms", defaultValue = "SHA-512,SHA-256,SHA-1,MD5")
+    private String algorithmNames;
+
     /**
      * Path to the GPG executable; if not set, {@code gpg} is resolved from {@code PATH}.
      */
@@ -278,6 +284,15 @@ void setSigner(final AbstractGpgSigner signer) {
         this.signer = signer;
     }
 
+    /**
+     * Sets the list of checksum algorithms to use.
+     *
+     * @param algorithmNames A comma-separated list of {@link java.security.MessageDigest} algorithm names to use.
+     */
+    void setAlgorithmNames(String algorithmNames) {
+        this.algorithmNames = algorithmNames;
+    }
+
     /**
      * Gets the GPG signer, creating and preparing it from plugin parameters if not already set.
      *
@@ -413,9 +428,9 @@ private void writeAndAttach(final Object value, final Path artifactPath) throws
      */
     private List<ResourceDescriptor> getSubjects() throws MojoExecutionException {
         List<ResourceDescriptor> subjects = new ArrayList<>();
-        subjects.add(ArtifactUtils.toResourceDescriptor(project.getArtifact()));
+        subjects.add(ArtifactUtils.toResourceDescriptor(project.getArtifact(), algorithmNames));
         for (Artifact artifact : project.getAttachedArtifacts()) {
-            subjects.add(ArtifactUtils.toResourceDescriptor(artifact));
+            subjects.add(ArtifactUtils.toResourceDescriptor(artifact, algorithmNames));
         }
         return subjects;
     }
@@ -449,7 +464,7 @@ private List<ResourceDescriptor> getBuildDependencies() throws MojoExecutionExce
     private List<ResourceDescriptor> getProjectDependencies() throws MojoExecutionException {
         List<ResourceDescriptor> dependencies = new ArrayList<>();
         for (Artifact artifact : project.getArtifacts()) {
-            dependencies.add(ArtifactUtils.toResourceDescriptor(artifact));
+            dependencies.add(ArtifactUtils.toResourceDescriptor(artifact, algorithmNames));
         }
         return dependencies;
     }

src/test/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojoTest.java

@@ -112,6 +112,16 @@ private static BuildAttestationMojo createBuildAttestationMojo(MavenProject proj
                 createMavenSession(createMavenExecutionRequest(), new DefaultMavenExecutionResult()), projectHelper);
     }
 
+    private static void configureBuildAttestationMojo(BuildAttestationMojo mojo, boolean signAttestation) {
+        mojo.setOutputDirectory(new File("target/attestations"));
+        mojo.setScmDirectory(new File("."));
+        mojo.setScmConnectionUrl("scm:git:https://github.com/apache/commons-text.git");
+        mojo.setMavenHome(new File(System.getProperty("maven.home", ".")));
+        mojo.setAlgorithmNames("SHA-512,SHA-256,SHA-1,MD5");
+        mojo.setSignAttestation(signAttestation);
+        mojo.setSigner(createMockSigner());
+    }
+
     private static MavenProject createMavenProject(MavenProjectHelper projectHelper, MavenRepositorySystem repoSystem) throws Exception {
         File pomFile = new File(ARTIFACTS_DIR + "commons-text-1.4.pom");
         Model model;
@@ -209,10 +219,7 @@ void attestationTest() throws Exception {
         MavenProject project = createMavenProject(projectHelper, repoSystem);
 
         BuildAttestationMojo mojo = createBuildAttestationMojo(project, projectHelper);
-        mojo.setOutputDirectory(new File("target/attestations"));
-        mojo.setScmDirectory(new File("."));
-        mojo.setScmConnectionUrl("scm:git:https://github.com/apache/commons-text.git");
-        mojo.setMavenHome(new File(System.getProperty("maven.home", ".")));
+        configureBuildAttestationMojo(mojo, false);
         mojo.execute();
 
         JsonNode statement = OBJECT_MAPPER.readTree(getAttestation(project).getFile());
@@ -226,12 +233,7 @@ void signingTest() throws Exception {
         MavenProject project = createMavenProject(projectHelper, repoSystem);
 
         BuildAttestationMojo mojo = createBuildAttestationMojo(project, projectHelper);
-        mojo.setOutputDirectory(new File("target/attestations"));
-        mojo.setScmDirectory(new File("."));
-        mojo.setScmConnectionUrl("scm:git:https://github.com/apache/commons-text.git");
-        mojo.setMavenHome(new File(System.getProperty("maven.home", ".")));
-        mojo.setSignAttestation(true);
-        mojo.setSigner(createMockSigner());
+        configureBuildAttestationMojo(mojo, true);
         mojo.execute();
 
         String envelopeJson = new String(Files.readAllBytes(getAttestation(project).getFile().toPath()), StandardCharsets.UTF_8);

src/test/resources/attestations/commons-text-1.4.intoto.json

@@ -4,70 +4,100 @@
       "name": "commons-text-1.4.jar",
       "uri": "pkg:maven/commons-text/commons-text@1.4?type=jar",
       "digest": {
-        "sha256": "ad2d2eacf15ab740c115294afc1192603d8342004a6d7d0ad35446f7dda8a134"
+        "md5": "9cbe22bb0ce86c70779213dfb7f3eb5a",
+        "sha1": "c81f089b3542485d4d09b02aae822906e5d2f209",
+        "sha256": "ad2d2eacf15ab740c115294afc1192603d8342004a6d7d0ad35446f7dda8a134",
+        "sha512": "126302c5f6865733774eb41fecc10ba8d0bb5ba11d14b9562047429abeb13bf8cdcdbfdf5e7d7708e2a40f67f4265cbbce609164f57abcd676067a840aa48e6a"
       }
     },
     {
       "name": "commons-text-1.4.pom",
       "uri": "pkg:maven/commons-text/commons-text@1.4?type=pom",
       "digest": {
-        "sha256": "4d6277b1e0720bb054c640620679a9da120f753029342150e714095f48934d76"
+        "md5": "00045f652e3dc8970442ce819806db34",
+        "sha1": "26fa30e496321e74c77ad66781ba53448e6e3a68",
+        "sha256": "4d6277b1e0720bb054c640620679a9da120f753029342150e714095f48934d76",
+        "sha512": "db8934f3062ea9c965ea27cfe4517a25513fb7cebe35ed02bedc1d8287b01c7ba64c93a8a261325fe12ab6957cbd80dbc8c06ec34c9a23c5a5c89ef6bace88fe"
       }
     },
     {
       "name": "commons-text-1.4-sources.jar",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=sources&type=jar",
       "digest": {
-        "sha256": "58a95591fe7fc94db94a0a9e64b4a5bcc1c49edf17f2b24d7c0747357d855761"
+        "md5": "21af10902cea10cf54bc9acf956863d4",
+        "sha1": "cadbe9d3980a21e6eaec3aad629bbcdb7714aa3f",
+        "sha256": "58a95591fe7fc94db94a0a9e64b4a5bcc1c49edf17f2b24d7c0747357d855761",
+        "sha512": "c91ed209fa97c5e69e21d3a29d1f2ea90f2f77451762b3c387a8cb94dea167b4d3f04ea1a8635232476d804f40935698b4f8884fd43520bcc79b3a0f9a757716"
       }
     },
     {
       "name": "commons-text-1.4-javadoc.jar",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=javadoc&type=jar",
       "digest": {
-        "sha256": "42f5b341d0fbeaa30b06aed90612840bc513fb39792c3d39446510670216e8b1"
+        "md5": "2ad93e1d99c0b80cbf6872d1762d7297",
+        "sha1": "9f06cdf753e1bb512e7640ec5fcce83f5a19ba2c",
+        "sha256": "42f5b341d0fbeaa30b06aed90612840bc513fb39792c3d39446510670216e8b1",
+        "sha512": "052ab4e9facfc64f265a567607d40d37620b616908ce71405cae9cd30ad6ac9f2558663029933f90df67c1e748ac81451a32e28975dc773c2c7476c489146c30"
       }
     },
     {
       "name": "commons-text-1.4-tests.jar",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=tests&type=jar",
       "digest": {
-        "sha256": "e4e365d08d601a4bda44be2a31f748b96762504d301742d4a0f7f5953d4c793a"
+        "md5": "9820547734aff2c17c4a696bbd7d8d5e",
+        "sha1": "dbfb945a12375e9fe06558840b43f35374c391ff",
+        "sha256": "e4e365d08d601a4bda44be2a31f748b96762504d301742d4a0f7f5953d4c793a",
+        "sha512": "a8e373cf10a9dc2d3c1cfdd43b23910c9ca9d83dea4e566772dd1ebe5e28419777e0d83b002e8cf950f7bde3218b714e0cc3718464ee34ecda77f603e260ab20"
       }
     },
     {
       "name": "commons-text-1.4-test-sources.jar",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=test-sources&type=jar",
       "digest": {
-        "sha256": "9200a2a41b35f2d6d30c1c698308591cf577547ec39514657dff0e2f7dff18ca"
+        "md5": "340231a697e2862c8d820de419a91d3e",
+        "sha1": "5e107fc877c67992948620a8a2d9bb94cab21aa0",
+        "sha256": "9200a2a41b35f2d6d30c1c698308591cf577547ec39514657dff0e2f7dff18ca",
+        "sha512": "02b405eb9aff57959a3e066030745be47b76c71af71f86e06fd5004602a399cdf86b1149554e92e9922d9da2fd2239dcf6e8c783462167320838dd7662405b30"
       }
     },
     {
       "name": "commons-text-1.4-bin.tar.gz",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=bin&type=tar.gz",
       "digest": {
-        "sha256": "8b9393f7ddc2efb69d8c2b6f4d85d8711dddfe77009799cf21619fc9b8411897"
+        "md5": "9fe25162590be6fa684a9d9cdc0b505d",
+        "sha1": "6f46fd82d5ccf9644a37bcec6f2158a52ebdbab8",
+        "sha256": "8b9393f7ddc2efb69d8c2b6f4d85d8711dddfe77009799cf21619fc9b8411897",
+        "sha512": "c76f4e5814c0533030fecf0ef7639ce68df54b76ebc1320d9c4e3b8dff0a90c95ce0a425b8df6a0d742f6e9fca8dce6f08632d576c6a99357fdd54b9435fed6c"
       }
     },
     {
       "name": "commons-text-1.4-bin.zip",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=bin&type=zip",
       "digest": {
-        "sha256": "ad3732dcb38e510b1dbb1544115d0eb797fab61afe0008fdb187cd4ef1706cd7"
+        "md5": "e29e5290b7420ba1908c418fc5bc7f8a",
+        "sha1": "447a051d6c8292c7e4d7641ca6586b335ef13bd6",
+        "sha256": "ad3732dcb38e510b1dbb1544115d0eb797fab61afe0008fdb187cd4ef1706cd7",
+        "sha512": "040634b27146e2008bf953f1bb63f8ccbb63cdaaaf24beb17acc6782d31452214e755539c2df737e46e7ede5d4e376cb3de5bbf72ceba5409b43f25612c2bf40"
       }
     },
     {
       "name": "commons-text-1.4-src.tar.gz",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=src&type=tar.gz",
       "digest": {
-        "sha256": "1cb8536c375c3cff66757fd40c2bf878998254ba0a247866a6536bd48ba2e88a"
+        "md5": "be130c23d3b6630824e2a08530bd4581",
+        "sha1": "0dcee421c4e03d6bc098a61a5cdcc90656856611",
+        "sha256": "1cb8536c375c3cff66757fd40c2bf878998254ba0a247866a6536bd48ba2e88a",
+        "sha512": "8279eb7f45009f11658c256b07cfb06c5a45ef89949e78a67e5d64520d957707f90a9614c95e8aac350a07a54f9160f0802dbd1efc0769a5b1391e52ee4cd51b"
       }
     },
     {
       "name": "commons-text-1.4-src.zip",
       "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=src&type=zip",
       "digest": {
-        "sha256": "e4a6c992153faae4f7faff689b899073000364e376736b9746a5d0acb9d8b980"
+        "md5": "fd65603e930f2b0805c809aa2deb1498",
+        "sha1": "ca1cc6fbb4e46b44f8bb09b70c9e3a2ae3c5fce8",
+        "sha256": "e4a6c992153faae4f7faff689b899073000364e376736b9746a5d0acb9d8b980",
+        "sha512": "79ca61ff7b287407428bbb6ae13c6d372dcd0665114c55cd5bc57978a6fa760305e32feabef62cfeb0c4181220a59406239f6cccaa9a25c68773eef0250cb3a9"
       }
     }
   ],