From 2cf02a4ca94f9ff718b5c1ced7d389818268dbae Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 14 Mar 2024 12:53:16 -0600
Subject: [PATCH] return err when an unsupported hash alg is provided

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/artifact/digest/digest.go | 7 +++++--
 pkg/cmd/attestation/artifact/digest/digest_test.go | 8 ++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/attestation/artifact/digest/digest.go b/pkg/cmd/attestation/artifact/digest/digest.go
index f90884c1e..3351bf384 100644
--- a/pkg/cmd/attestation/artifact/digest/digest.go
+++ b/pkg/cmd/attestation/artifact/digest/digest.go
@@ -14,7 +14,10 @@ const (
 SHA512DigestAlgorithm = "sha512"
 )
 
-var validDigestAlgorithms = [...]string{SHA256DigestAlgorithm, SHA512DigestAlgorithm}
+var (
+ errUnsupportedAlgorithm = fmt.Errorf("unsupported digest algorithm")
+ validDigestAlgorithms = [...]string{SHA256DigestAlgorithm, SHA512DigestAlgorithm}
+)
 
 // IsValidDigestAlgorithm returns true if the provided algorithm is supported
 func IsValidDigestAlgorithm(alg string) bool {
@@ -39,7 +42,7 @@ func CalculateDigestWithAlgorithm(r io.Reader, alg string) (string, error) {
 case SHA512DigestAlgorithm:
 h = sha512.New()
 default:
- h = sha256.New()
+ return "", errUnsupportedAlgorithm
 }
 
 if _, err := io.Copy(h, r); err != nil {
diff --git a/pkg/cmd/attestation/artifact/digest/digest_test.go b/pkg/cmd/attestation/artifact/digest/digest_test.go
index fb611b318..bcfd2c1ac 100644
--- a/pkg/cmd/attestation/artifact/digest/digest_test.go
+++ b/pkg/cmd/attestation/artifact/digest/digest_test.go
@@ -5,6 +5,7 @@ import (
 "testing"
 
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
 
 func TestArtifactDigestWithAlgorithm(t *testing.T) {
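Review bot: In the new `var (` block of digest.go, the sentinel is built with `fmt.Errorf` although the message has no format verbs; `errUnsupportedAlgorithm = errors.New("unsupported digest algorithm")` is the conventional form for a fixed sentinel (it needs the `errors` import, which is not visible in this hunk). The variable also has no comment, and a line such as `// errUnsupportedAlgorithm is returned when a digest algorithm outside validDigestAlgorithms is requested.` would tie it to the allow-list beside it. Because the name is unexported, code outside this package cannot match it with `errors.Is`; if callers of the attestation commands need to tell this failure apart from an I/O error, exporting it would be the place to do so.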
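Review bot: The error returned from the `default:` branch of CalculateDigestWithAlgorithm in digest.go does not say which algorithm was rejected, so a user who mistypes the value only sees "unsupported digest algorithm". Wrapping the sentinel keeps it matchable with `errors.Is` and `%q` quotes the caller-supplied string safely: `return "", fmt.Errorf("%w: %q", errUnsupportedAlgorithm, alg)`. The function's doc comment is outside this hunk and should state that an unsupported algorithm now yields an error instead of a SHA-256 digest, since callers that relied on the old fallback would otherwise get a digest computed under a different algorithm than the one they named. The function body starts before and continues after the hunk, so any other use of `h` was not reviewed.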
@@ -25,6 +26,13 @@ func TestArtifactDigestWithAlgorithm(t *testing.T) {
 assert.Nil(t, err)
 assert.Equal(t, sha512TestDigest, digest)
 })
+
+ t.Run("fail with sha384", func(t *testing.T) {
+ reader := strings.NewReader(testString)
+ _, err := CalculateDigestWithAlgorithm(reader, "sha384")
+ require.Error(t, err)
+ require.ErrorAs(t, err, &errUnsupportedAlgorithm)
+ })
 }
 
 func TestValidDigestAlgorithms(t *testing.T) {
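Review bot: `require.ErrorAs(t, err, &errUnsupportedAlgorithm)` in the new "fail with sha384" subtest does not verify that the sentinel was returned. The target is a `*error`, so `errors.As` accepts any non-nil error and assigns it into the package-level variable, which means the assertion would pass for an unrelated failure and would overwrite the sentinel for the rest of the test binary. The check that pins the behaviour this commit introduces is `require.ErrorIs(t, err, errUnsupportedAlgorithm)`, after which the preceding `require.Error` is redundant. Asserting that the returned digest is empty (`require.Empty(t, digest)`) would additionally guard against a regression to the old silent SHA-256 fallback.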