Partial validate of Docker-Content-Digest when downloading or getting blob (#299)

Author: jonesbusy

src/main/java/land/oras/LayoutRef.java

@@ -130,7 +130,7 @@ public SupportedAlgorithm getAlgorithm() {
             return SupportedAlgorithm.getDefault();
         }
         // See https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests
-        else if (SupportedAlgorithm.matchPattern(tag)) {
+        else if (SupportedAlgorithm.isSupported(tag)) {
             return SupportedAlgorithm.fromDigest(tag);
         }
 
@@ -145,7 +145,7 @@ public boolean isValidDigest() {
         if (tag == null) {
             return false;
         }
-        return SupportedAlgorithm.matchPattern(tag);
+        return SupportedAlgorithm.isSupported(tag);
     }
 
     @Override

src/main/java/land/oras/OCILayout.java

@@ -432,7 +432,7 @@ private Path getBlobPath(LayoutRef ref) {
         if (ref.getTag() == null) {
             throw new OrasException("Tag is required to get blob from layout");
         }
-        boolean isDigest = SupportedAlgorithm.matchPattern(ref.getTag());
+        boolean isDigest = SupportedAlgorithm.isSupported(ref.getTag());
         if (isDigest) {
             SupportedAlgorithm algorithm = SupportedAlgorithm.fromDigest(ref.getTag());
             return getBlobPath().resolve(algorithm.getPrefix()).resolve(SupportedAlgorithm.getDigest(ref.getTag()));
@@ -552,7 +552,7 @@ private void ensureDigest(LayoutRef ref, Path path) {
         if (ref.getTag() == null) {
             throw new OrasException("Missing ref");
         }
-        if (!SupportedAlgorithm.matchPattern(ref.getTag())) {
+        if (!SupportedAlgorithm.isSupported(ref.getTag())) {
             throw new OrasException("Unsupported digest: %s".formatted(ref.getTag()));
         }
         SupportedAlgorithm algorithm = SupportedAlgorithm.fromDigest(ref.getTag());

src/main/java/land/oras/Registry.java

@@ -484,11 +484,21 @@ private HttpClient.ResponseWrapper<String> headBlob(ContainerRef containerRef) {
      */
     @Override
     public byte[] getBlob(ContainerRef containerRef) {
-        try (InputStream is = fetchBlob(containerRef)) {
-            return ensureDigest(containerRef, is.readAllBytes());
-        } catch (IOException e) {
-            throw new OrasException("Failed to get blob", e);
+        if (!hasBlob(containerRef)) {
+            throw new OrasException(new HttpClient.ResponseWrapper<>("", 404, Map.of()));
         }
+        URI uri = URI.create(
+                "%s://%s".formatted(getScheme(), containerRef.forRegistry(this).getBlobsPath(this)));
+        HttpClient.ResponseWrapper<String> response = client.get(
+                uri,
+                Map.of(Const.ACCEPT_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
+                Scopes.of(this, containerRef),
+                authProvider);
+        logResponse(response);
+        handleError(response);
+        byte[] data = response.response().getBytes(StandardCharsets.UTF_8);
+        validateDockerContentDigest(response, data);
+        return data;
     }
 
     @Override
@@ -506,6 +516,7 @@ public void fetchBlob(ContainerRef containerRef, Path path) {
                 authProvider);
         logResponse(response);
         handleError(response);
+        validateDockerContentDigest(response, path);
     }
 
     @Override
@@ -522,6 +533,7 @@ public InputStream fetchBlob(ContainerRef containerRef) {
                 authProvider);
         logResponse(response);
         handleError(response);
+        validateDockerContentDigest(response);
         return response.response();
     }
 
@@ -530,8 +542,8 @@ public Descriptor fetchBlobDescriptor(ContainerRef containerRef) {
         HttpClient.ResponseWrapper<String> response = headBlob(containerRef);
         handleError(response);
         String size = response.headers().get(Const.CONTENT_LENGTH_HEADER.toLowerCase());
-        String digest = response.headers().get(Const.DOCKER_CONTENT_DIGEST_HEADER.toLowerCase());
-        return Descriptor.of(digest, Long.parseLong(size), Const.DEFAULT_DESCRIPTOR_MEDIA_TYPE);
+        return Descriptor.of(
+                validateDockerContentDigest(response), Long.parseLong(size), Const.DEFAULT_DESCRIPTOR_MEDIA_TYPE);
     }
 
     @Override
@@ -562,15 +574,16 @@ public Descriptor getDescriptor(ContainerRef containerRef) {
         HttpClient.ResponseWrapper<String> response = getManifestResponse(containerRef);
         handleError(response);
         String size = response.headers().get(Const.CONTENT_LENGTH_HEADER.toLowerCase());
-        String digest = response.headers().get(Const.DOCKER_CONTENT_DIGEST_HEADER.toLowerCase());
         String contentType = response.headers().get(Const.CONTENT_TYPE_HEADER.toLowerCase());
-        return Descriptor.of(digest, Long.parseLong(size), contentType).withJson(response.response());
+        return Descriptor.of(validateDockerContentDigest(response), Long.parseLong(size), contentType)
+                .withJson(response.response());
     }
 
     @Override
     public Descriptor probeDescriptor(ContainerRef ref) {
         Map<String, String> headers = getHeaders(ref);
-        String digest = headers.get(Const.DOCKER_CONTENT_DIGEST_HEADER.toLowerCase());
+        String digest = validateDockerContentDigest(headers);
+        SupportedAlgorithm.fromDigest(digest);
         String contentType = headers.get(Const.CONTENT_TYPE_HEADER.toLowerCase());
         return Descriptor.of(digest, 0L, contentType);
     }
@@ -594,16 +607,58 @@ private HttpClient.ResponseWrapper<String> getManifestResponse(ContainerRef cont
                 uri, Map.of("Accept", Const.MANIFEST_ACCEPT_TYPE), Scopes.of(this, containerRef), authProvider);
     }
 
-    private byte[] ensureDigest(ContainerRef ref, byte[] data) {
+    private void validateDockerContentDigest(HttpClient.ResponseWrapper<String> response, byte[] data) {
+        String digest = response.headers().get(Const.DOCKER_CONTENT_DIGEST_HEADER.toLowerCase());
+        // This might happen when blob are hosted other storage.
+        // We need a way to propagate the headers like scoped.
+        // For now just skip validation
+        if (digest == null) {
+            LOG.warn("Docker-Content-Digest header not found in response. Skipping validation.");
+            return;
+        }
+        String computedDigest = SupportedAlgorithm.fromDigest(digest).digest(data);
+        ensureDigest(digest, computedDigest);
+    }
+
+    private void validateDockerContentDigest(HttpClient.ResponseWrapper<Path> response, Path path) {
+        String digest = response.headers().get(Const.DOCKER_CONTENT_DIGEST_HEADER.toLowerCase());
+        // This might happen when blob are hosted other storage.
+        // We need a way to propagate the headers like scoped.
+        // For now just skip validation
+        if (digest == null) {
+            LOG.warn("Docker-Content-Digest header not found in response. Skipping validation.");
+            return;
+        }
+        String computedDigest = SupportedAlgorithm.fromDigest(digest).digest(path);
+        ensureDigest(digest, computedDigest);
+    }
+
+    private String validateDockerContentDigest(HttpClient.ResponseWrapper<?> response) {
+        return validateDockerContentDigest(response.headers());
+    }
+
+    private String validateDockerContentDigest(Map<String, String> headers) {
+        String digest = headers.get(Const.DOCKER_CONTENT_DIGEST_HEADER.toLowerCase());
+        SupportedAlgorithm.fromDigest(digest);
+        return digest;
+    }
+
+    private void ensureDigest(ContainerRef ref, byte[] data) {
         if (ref.getDigest() == null) {
             throw new OrasException("Missing digest");
         }
         SupportedAlgorithm algorithm = SupportedAlgorithm.fromDigest(ref.getDigest());
         String dataDigest = algorithm.digest(data);
-        if (!ref.getDigest().equals(dataDigest)) {
-            throw new OrasException("Digest mismatch: %s != %s".formatted(ref.getDigest(), dataDigest));
+        ensureDigest(ref.getDigest(), dataDigest);
+    }
+
+    private void ensureDigest(String expected, @Nullable String current) {
+        if (current == null) {
+            throw new OrasException("Received null digest");
+        }
+        if (!expected.equals(current)) {
+            throw new OrasException("Digest mismatch: %s != %s".formatted(expected, current));
         }
-        return data;
     }
 
     /**

src/main/java/land/oras/utils/SupportedAlgorithm.java

@@ -25,6 +25,7 @@
 import java.util.regex.Pattern;
 import land.oras.exception.OrasException;
 import org.jspecify.annotations.NullMarked;
+import org.jspecify.annotations.Nullable;
 
 /**
  * Supported algorithms for digest.
@@ -38,27 +39,28 @@ public enum SupportedAlgorithm {
      * SHA-1
      * This is unsecure, only useful when computing digests for git content (like Flux CD)
      */
-    SHA1("SHA-1", "sha1"),
+    SHA1("SHA-1", "sha1", 20),
 
     /**
      * SHA-256
      */
-    SHA256("SHA-256", "sha256"),
+    SHA256("SHA-256", "sha256", 32),
 
     /**
      * SHA-384
      */
-    SHA384("SHA-384", "sha384"),
+    SHA384("SHA-384", "sha384", 48),
 
     /**
      * SHA-512
      */
-    SHA512("SHA-512", "sha512"),
+    SHA512("SHA-512", "sha512", 64),
 
     /**
      * BLAKE3
      */
-    BLAKE3("BLAKE3-256", "blake3");
+    BLAKE3("BLAKE3-256", "blake3", 32),
+    ;
 
     /**
      * The algorithm
@@ -70,6 +72,11 @@ public enum SupportedAlgorithm {
      */
     private final String prefix;
 
+    /**
+     * Size of the digest in bytes
+     */
+    private final int size;
+
     /**
      * Regex for a digest
      * <a href="https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests">Digests</a>
@@ -81,9 +88,10 @@ public enum SupportedAlgorithm {
      * @param algorithm The algorithm
      * @param prefix The prefix
      */
-    SupportedAlgorithm(String algorithm, String prefix) {
+    SupportedAlgorithm(String algorithm, String prefix, int size) {
         this.algorithm = algorithm;
         this.prefix = prefix;
+        this.size = size;
     }
 
     /**
@@ -102,6 +110,14 @@ public String getAlgorithmName() {
         return algorithm;
     }
 
+    /**
+     * Get the size of the digest
+     * @return The size
+     */
+    public int getSize() {
+        return size;
+    }
+
     /**
      * Digest a byte array
      * @param bytes The bytes
@@ -134,7 +150,7 @@ public String digest(InputStream inputStream) {
      * @param digest The digest
      * @return True if supported
      */
-    public static boolean matchPattern(String digest) {
+    static boolean matchPattern(String digest) {
         return DIGEST_REGEX.matcher(digest).matches();
     }
 
@@ -149,6 +165,12 @@ public static boolean isSupported(String digest) {
         }
         for (SupportedAlgorithm algorithm : SupportedAlgorithm.values()) {
             if (digest.startsWith(algorithm.getPrefix())) {
+                // Check the size
+                String value = digest.substring(algorithm.getPrefix().length() + 1);
+                if (value.length() != algorithm.getSize() * 2) {
+                    throw new OrasException("Invalid digest %s, expected size is %d, but got %d"
+                            .formatted(digest, algorithm.getSize(), value.length()));
+                }
                 return true;
             }
         }
@@ -160,7 +182,10 @@ public static boolean isSupported(String digest) {
      * @param digest The digest
      * @return The algorithm
      */
-    public static SupportedAlgorithm fromDigest(String digest) {
+    public static SupportedAlgorithm fromDigest(@Nullable String digest) {
+        if (digest == null) {
+            throw new OrasException("Digest is null");
+        }
         if (!DIGEST_REGEX.matcher(digest).matches()) {
             throw new OrasException("Invalid digest: " + digest);
         }

src/test/java/land/oras/DockerIoITCase.java

@@ -26,7 +26,10 @@
 import java.nio.file.Path;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.api.parallel.Execution;
+import org.junit.jupiter.api.parallel.ExecutionMode;
 
+@Execution(ExecutionMode.CONCURRENT)
 public class DockerIoITCase {
 
     @TempDir

src/test/java/land/oras/GitHubContainerRegistryITCase.java

@@ -26,7 +26,10 @@
 import java.nio.file.Path;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.api.parallel.Execution;
+import org.junit.jupiter.api.parallel.ExecutionMode;
 
+@Execution(ExecutionMode.CONCURRENT)
 public class GitHubContainerRegistryITCase {
 
     @TempDir

src/test/java/land/oras/JFrogArtifactoryITCase.java

@@ -26,7 +26,10 @@
 import java.nio.file.Path;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.api.parallel.Execution;
+import org.junit.jupiter.api.parallel.ExecutionMode;
 
+@Execution(ExecutionMode.CONCURRENT)
 public class JFrogArtifactoryITCase {
 
     @TempDir

src/test/java/land/oras/LayoutRefTest.java

@@ -54,11 +54,14 @@ void shouldParseLayoutWithAllParts() {
     @Test
     void shouldParseLayoutWithDigest() {
         String ociLayout = tempDir.resolve("foo").toString();
-        LayoutRef layoutRef = LayoutRef.parse("%s@sha256:12345".formatted(ociLayout));
-        assertEquals("sha256:12345", layoutRef.getTag());
+        LayoutRef layoutRef = LayoutRef.parse(
+                "%s@sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824".formatted(ociLayout));
+        assertEquals("sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", layoutRef.getTag());
         assertEquals(ociLayout, layoutRef.getFolder().toString());
         assertEquals(ociLayout, layoutRef.getRepository());
-        assertTrue(layoutRef.isValidDigest(), "sha256:12345 should be a valid digest pattern");
+        assertTrue(
+                layoutRef.isValidDigest(),
+                "sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 should be a valid digest pattern");
     }
 
     @Test
@@ -85,9 +88,10 @@ void shouldFailWithInvalidRef() {
     void shouldGetAlgorithm() {
         LayoutRef layoutRef = LayoutRef.parse("foo");
         assertEquals("sha256", layoutRef.getAlgorithm().getPrefix());
-        layoutRef = LayoutRef.parse("foo@sha256:12345");
+        layoutRef = LayoutRef.parse("foo@sha256:");
         assertEquals("sha256", layoutRef.getAlgorithm().getPrefix());
-        layoutRef = LayoutRef.parse("foo@sha512:12345");
+        layoutRef = LayoutRef.parse(
+                "foo@sha512:cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e");
         assertEquals("sha512", layoutRef.getAlgorithm().getPrefix());
     }
 }