Add SHA-1 to subresource integrity format for download() checksums

Alex Eagle · copybara-github · commit c9e2be52a067 · 2021-01-25T06:22:56.000-08:00
npm packages commonly still use SHA-1. While it may be discouraged for its poor security, Bazel cannot enforce what external ecosystems currently do. I tested this locally against a feature we are working on in rules_nodejs. Closes bazelbuild#12777. PiperOrigin-RevId: 353633120
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java b/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java
@@ -43,6 +43,11 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
     byte[] hash = null;
     int expectedLength = 0;
 
+    if (integrity.startsWith("sha1-")) {
+      keyType = KeyType.SHA1;
+      expectedLength = 20;
+      hash = decoder.decode(integrity.substring(5));
+    }
     if (integrity.startsWith("sha256-")) {
       keyType = KeyType.SHA256;
       expectedLength = 32;
@@ -63,7 +68,7 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
       throw new IllegalArgumentException(
           "Unsupported checksum algorithm: '"
               + integrity
-              + "' (expected SHA-256, SHA-384, or SHA-512)");
+              + "' (expected SHA-1, SHA-256, SHA-384, or SHA-512)");
     }
 
     if (hash.length != expectedLength) {
