bzr 0.2.0

A CLI for Bugzilla, inspired by gh
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _;
use sha2::{Digest, Sha256};

use crate::error::{BzrError, Result};

const PIN_PREFIX: &str = "sha256//";

/// Compute a SHA-256 certificate fingerprint in `sha256//<base64>` format.
///
/// The input is a DER-encoded certificate (or any raw bytes). The output
/// matches the HPKP / TLS certificate pinning pin format.
pub(crate) fn compute_fingerprint(der: &[u8]) -> String {
    let hash = Sha256::digest(der);
    format!("{PIN_PREFIX}{}", BASE64_STANDARD.encode(hash))
}

/// Parse a `sha256//<base64>` pin string into a 32-byte SHA-256 hash.
///
/// Returns `InputValidation` errors for:
/// - missing `sha256//` prefix
/// - invalid base64 encoding
/// - decoded length that is not exactly 32 bytes
pub(crate) fn parse_pin(pin: &str) -> Result<[u8; 32]> {
    let b64 = pin.strip_prefix(PIN_PREFIX).ok_or_else(|| {
        BzrError::InputValidation(format!("pin must start with `sha256//`: {pin}"))
    })?;

    let decoded = BASE64_STANDARD
        .decode(b64)
        .map_err(|e| BzrError::InputValidation(format!("pin has invalid base64 encoding: {e}")))?;

    decoded.try_into().map_err(|v: Vec<u8>| {
        BzrError::InputValidation(format!("pin decoded to {} bytes, expected 32", v.len()))
    })
}

#[cfg(test)]
#[expect(clippy::unwrap_used)]
mod tests {
    use super::*;

    #[test]
    fn compute_fingerprint_deterministic() {
        let input = b"example certificate bytes";
        let fp1 = compute_fingerprint(input);
        let fp2 = compute_fingerprint(input);
        assert_eq!(fp1, fp2);
        assert!(
            fp1.starts_with("sha256//"),
            "fingerprint must start with sha256//"
        );
    }

    #[test]
    fn compute_fingerprint_format() {
        let fp = compute_fingerprint(b"test data");
        assert!(
            fp.starts_with("sha256//"),
            "fingerprint must start with sha256//"
        );
        let b64_part = fp.strip_prefix("sha256//").unwrap();
        let decoded = BASE64_STANDARD.decode(b64_part);
        assert!(
            decoded.is_ok(),
            "base64 portion must decode successfully: {decoded:?}"
        );
    }

    #[test]
    fn round_trip_through_parse_pin() {
        let input = b"some DER-encoded cert";
        let expected_hash: [u8; 32] = Sha256::digest(input).into();
        let fp = compute_fingerprint(input);
        let parsed = parse_pin(&fp).unwrap();
        assert_eq!(parsed, expected_hash);
    }

    #[test]
    fn parse_pin_rejects_bad_prefix() {
        let result = parse_pin("md5//abcdef");
        assert!(result.is_err());
        let msg = result.unwrap_err().to_string();
        assert!(
            msg.contains("sha256//"),
            "error should mention sha256//: {msg}"
        );
    }

    #[test]
    fn parse_pin_rejects_bad_base64() {
        let result = parse_pin("sha256//!!!not-valid-base64!!!");
        assert!(result.is_err());
        let msg = result.unwrap_err().to_string();
        assert!(msg.contains("base64"), "error should mention base64: {msg}");
    }

    #[test]
    fn parse_pin_rejects_wrong_length() {
        // Valid base64, but only 4 bytes when decoded — not 32
        let short = BASE64_STANDARD.encode(b"abc");
        let pin = format!("sha256//{short}");
        let result = parse_pin(&pin);
        assert!(result.is_err());
        let msg = result.unwrap_err().to_string();
        assert!(
            msg.contains("32"),
            "error should mention expected length 32: {msg}"
        );
    }
}