Remove SHA1

cosmos · Jan 26, 2022 · f812fe7 · f812fe7
1 parent e098e76
commit f812fe7
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 82 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,14 @@ and this project adheres to
 
 ## [Unreleased]
 
+### Removed
+
+- @cosmjs/crypto: Remove the SHA1 implementation (`Sha1` and `sha1`) as it is
+  not used in the Cosmos tech stack and not implemented in the hashing lib we
+  want to migrate to ([#1003]). Also it has known weaknesses.
+
+[#1003]: https://github.com/cosmos/cosmjs/issues/1003
+
 ## [0.27.1] - 2022-01-26
 
 ### Added

diff --git a/packages/crypto/src/hmac.spec.ts b/packages/crypto/src/hmac.spec.ts
@@ -1,59 +1,9 @@
 import { fromHex } from "@cosmjs/encoding";
 
 import { Hmac } from "./hmac";
-import { Sha1, Sha256, Sha512 } from "./sha";
+import { Sha256, Sha512 } from "./sha";
 
 describe("HMAC", () => {
-  it("can perform HMAC(SHA1) according to Botan test vectors", () => {
-    // https://github.com/randombit/botan/blob/a5a260c/src/tests/data/mac/hmac.vec
-    {
-      const hmac = new Hmac(Sha1, fromHex("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"));
-      hmac.update(fromHex("4869205468657265"));
-      expect(hmac.digest()).toEqual(fromHex("B617318655057264E28BC0B6FB378C8EF146BE00"));
-    }
-    {
-      const hmac = new Hmac(Sha1, fromHex("0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C"));
-      hmac.update(fromHex("546573742057697468205472756E636174696F6E"));
-      expect(hmac.digest()).toEqual(fromHex("4C1A03424B55E07FE7F27BE1D58BB9324A9A5A04"));
-    }
-    {
-      const hmac = new Hmac(Sha1, fromHex("4CA0EF38F1794B28A8F8EE110EE79D48CE13BE25"));
-      hmac.update(
-        fromHex(
-          "54657374205573696E67204C6172676572205468616E20426C6F636B2D53697A65204B6579202D2048617368204B6579204669727374",
-        ),
-      );
-      expect(hmac.digest()).toEqual(fromHex("AA4AE5E15272D00E95705637CE8A3B55ED402112"));
-    }
-    {
-      const hmac = new Hmac(Sha1, fromHex("4CA0EF38F1794B28A8F8EE110EE79D48CE13BE25"));
-      hmac.update(
-        fromHex(
-          "54657374205573696E67204C6172676572205468616E20426C6F636B2D53697A65204B657920616E64204C6172676572205468616E204F6E6520426C6F636B2D53697A652044617461",
-        ),
-      );
-      expect(hmac.digest()).toEqual(fromHex("E8E99D0F45237D786D6BBAA7965C7808BBFF1A91"));
-    }
-    {
-      const hmac = new Hmac(Sha1, fromHex("0102030405060708090A0B0C0D0E0F10111213141516171819"));
-      hmac.update(
-        fromHex(
-          "CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD",
-        ),
-      );
-      expect(hmac.digest()).toEqual(fromHex("4C9007F4026250C6BC8414F9BF50C86C2D7235DA"));
-    }
-    {
-      const hmac = new Hmac(Sha1, fromHex("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
-      hmac.update(
-        fromHex(
-          "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
-        ),
-      );
-      expect(hmac.digest()).toEqual(fromHex("125D7342B9AC11CD91A39AF48AA17B4F63F175D3"));
-    }
-  });
-
   it("can perform HMAC(SHA256) according to Botan test vectors", () => {
     // https://github.com/randombit/botan/blob/a5a260c/src/tests/data/mac/hmac.vec#L60
     {
@@ -199,7 +149,11 @@ describe("HMAC", () => {
   });
 
   it("can perform incremental hashing", () => {
-    const hmac = new Hmac(Sha1, fromHex("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"));
+    // https://github.com/randombit/botan/blob/a5a260c/src/tests/data/mac/hmac.vec#L73-L75
+    const hmac = new Hmac(
+      Sha256,
+      fromHex("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"),
+    );
     // full message: 4869205468657265
     hmac.update(fromHex(""));
     hmac.update(fromHex("48"));
@@ -210,7 +164,9 @@ describe("HMAC", () => {
     hmac.update(fromHex("5468"));
     hmac.update(fromHex("657265"));
     hmac.update(fromHex(""));
-    expect(hmac.digest()).toEqual(fromHex("B617318655057264E28BC0B6FB378C8EF146BE00"));
+    expect(hmac.digest()).toEqual(
+      fromHex("198A607EB44BFBC69903A0F1CF2BBDC5BA0AA3F3D9AE3C1C7A3B1696A0B68CF7"),
+    );
   });
 
   it("works with empty keys", () => {

diff --git a/packages/crypto/src/index.ts b/packages/crypto/src/index.ts
@@ -16,7 +16,7 @@ export { Random } from "./random";
 export { Ripemd160, ripemd160 } from "./ripemd";
 export { Secp256k1, Secp256k1Keypair } from "./secp256k1";
 export { ExtendedSecp256k1Signature, Secp256k1Signature } from "./secp256k1signature";
-export { Sha1, sha1, Sha256, sha256, Sha512, sha512 } from "./sha";
+export { Sha256, sha256, Sha512, sha512 } from "./sha";
 export {
   HdPath,
   pathToString,

diff --git a/packages/crypto/src/sha.ts b/packages/crypto/src/sha.ts
@@ -3,34 +3,6 @@ import shajs from "sha.js";
 
 import { HashFunction } from "./hash";
 
-export class Sha1 implements HashFunction {
-  public readonly blockSize = 512 / 8;
-
-  private readonly impl: Hash;
-
-  public constructor(firstData?: Uint8Array) {
-    this.impl = shajs("sha1");
-
-    if (firstData) {
-      this.update(firstData);
-    }
-  }
-
-  public update(data: Uint8Array): Sha1 {
-    this.impl.update(data);
-    return this;
-  }
-
-  public digest(): Uint8Array {
-    return new Uint8Array(this.impl.digest());
-  }
-}
-
-/** Convenience function equivalent to `new Sha1(data).digest()` */
-export function sha1(data: Uint8Array): Uint8Array {
-  return new Sha1(data).digest();
-}
-
 export class Sha256 implements HashFunction {
   public readonly blockSize = 512 / 8;