From 8fd58b3c0261e32e38c582589625612df69a28da Mon Sep 17 00:00:00 2001 From: Bruce Collie Date: Thu, 20 Jun 2024 13:03:16 +0100 Subject: [PATCH] Use Java standard SHA3 implementation (#4459) We get a lot of noisy security alerts about a dependency on Bouncycastle, which was introduced historically to work around the lack of a SHA3-256 implementation in standard Java. This PR removes the dependency by porting its single usage (rule digests / `UNIQUE_ID`s) over to use new features in the standard library. The IDs produced after this change are identical to their previous form. --- flake.nix | 2 +- k-frontend/pom.xml | 5 ---- .../kframework/compile/NumberSentences.java | 24 ++++++++++++------- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/flake.nix b/flake.nix index a40b480d72c..79ac2932abe 100644 --- a/flake.nix +++ b/flake.nix @@ -54,7 +54,7 @@ k-framework = { haskell-backend-bins, llvm-kompile-libs }: prev.callPackage ./nix/k.nix { - mvnHash = "sha256-6rGuU8NFSp3lQVxxPj5WREpNVPneMqPH45DFEmLiH6I="; + mvnHash = "sha256-HkAwMZq2vvrnEgT1Ksoxb5YnQ8+CMQdB2Sd/nR0OttU="; manualMvnArtifacts = [ "org.scala-lang:scala-compiler:2.13.13" "ant-contrib:ant-contrib:1.0b3" diff --git a/k-frontend/pom.xml b/k-frontend/pom.xml index 7d952fde02e..28a49659908 100644 --- a/k-frontend/pom.xml +++ b/k-frontend/pom.xml @@ -24,11 +24,6 @@ org.eclipse.lsp4j 0.19.0 - - org.bouncycastle - bcprov-jdk15on - 1.69 - com.google.inject guice diff --git a/k-frontend/src/main/java/org/kframework/compile/NumberSentences.java b/k-frontend/src/main/java/org/kframework/compile/NumberSentences.java index cf0f63656f1..7953a1b2b1c 100644 --- a/k-frontend/src/main/java/org/kframework/compile/NumberSentences.java +++ b/k-frontend/src/main/java/org/kframework/compile/NumberSentences.java @@ -1,13 +1,15 @@ // Copyright (c) Runtime Verification, Inc. All Rights Reserved. package org.kframework.compile; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.Arrays; +import java.util.HexFormat; import java.util.List; -import org.bouncycastle.jcajce.provider.digest.SHA3; -import org.bouncycastle.util.encoders.Hex; import org.kframework.attributes.Att; import org.kframework.definition.RuleOrClaim; import org.kframework.definition.Sentence; +import org.kframework.utils.errorsystem.KEMException; public class NumberSentences { @@ -31,17 +33,23 @@ public static Sentence number(Sentence s) { preservedAtts.stream() .filter(att -> s.att().contains(att)) .map(att -> Att.empty().add(att, s.att().get(att))) - .reduce(Att.empty(), (acc, elem) -> acc.addAll(elem)); + .reduce(Att.empty(), Att::addAll); String id = ruleHash(s.withAtt(a)); return s.withAtt(s.att().add(Att.UNIQUE_ID(), id)); } private static String ruleHash(Sentence s) { - String text = new NormalizeVariables().normalize(s).toString(); - SHA3.Digest256 sha3engine = new SHA3.Digest256(); - byte[] digest = sha3engine.digest(text.getBytes()); - String digestString = Hex.toHexString(digest); - return digestString; + try { + String text = new NormalizeVariables().normalize(s).toString(); + byte[] digest = MessageDigest.getInstance("SHA3-256").digest(text.getBytes()); + return HexFormat.of().formatHex(digest); + } catch (NoSuchAlgorithmException e) { + // This exception should never actually be thrown in practice; it's just a limitation of the + // Java cryptography APIs that we need to request algorithms by constant string keys and cope + // with them potentially not existing. SHA3-256 is part of the Java standard library from JDK + // 17 onwards. + throw KEMException.criticalError("Error computing rule digest (SHA3-256 unavailable)", e); + } } }