1 // Copyright 2022 The Sigstore Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package verification 16 17 import ( 18 "crypto" 19 20 "github.com/digitorus/timestamp" 21 "github.com/pkg/errors" 22 ) 23 24 var ErrWeakHashAlg = errors.New("weak hash algorithm: must be SHA-256, SHA-384, or SHA-512") 25 26 func VerifyRequest(ts *timestamp.Request) error { 27 // only SHA-1, SHA-256, SHA-384, and SHA-512 are supported by the underlying library 28 if ts.HashAlgorithm == crypto.SHA1 { 29 return ErrWeakHashAlg 30 } 31 return nil 32 } 33