Skip to content

engine/schema: prepend algorithm to checksum during systemvm template registration #12165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
weizhouapache wants to merge 3 commits into
base: 4.22
Choose a base branch
from
+17 −2
Open

engine/schema: prepend algorithm to checksum during systemvm template registration #12165

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
97424f2
engine/schema: prepend algorithm to checksum during systemvm template…
weizhouapache Nov 28, 2025
4f08312
Merge branch '4.22' into 4.22-prepend-sha512-algorithm-to-checksum
weizhouapache Jan 15, 2026
2b8a847
Update utils/src/main/java/org/apache/cloudstack/utils/security/Diges…
weizhouapache Jan 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -513,7 +513,7 @@ private VMTemplateVO createTemplateObjectInDB(SystemVMTemplateDetails details) {
template.setBits(64);
template.setAccountId(Account.ACCOUNT_ID_SYSTEM);
template.setUrl(details.getUrl());
template.setChecksum(details.getChecksum());
template.setChecksum(DigestHelper.prependAlgorithm(details.getChecksum()));
template.setEnablePassword(false);
template.setDisplayText(details.getName());
template.setFormat(details.getFormat());
Expand Down Expand Up @@ -1008,7 +1008,7 @@ private void updateRegisteredTemplateDetails(Long templateId, MetadataTemplateDe

private void updateTemplateUrlChecksumAndGuestOsId(VMTemplateVO templateVO, MetadataTemplateDetails templateDetails) {
templateVO.setUrl(templateDetails.getUrl());
templateVO.setChecksum(templateDetails.getChecksum());
templateVO.setChecksum(DigestHelper.prependAlgorithm(templateDetails.getChecksum()));
GuestOSVO guestOS = guestOSDao.findOneByDisplayName(templateDetails.getGuestOs());
if (guestOS != null) {
templateVO.setGuestOSId(guestOS.getId());
Expand Down
15 changes: 15 additions & 0 deletions utils/src/main/java/org/apache/cloudstack/utils/security/DigestHelper.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,4 +142,19 @@ public static String calculateChecksum(File file) {
throw new CloudRuntimeException(errMsg, e);
}
}

public static String prependAlgorithm(String checksum) {
Copy link

Copilot AI Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new prependAlgorithm method lacks test coverage. Add test cases covering: (1) checksum without prefix for each supported algorithm, (2) checksum that already has a prefix, (3) null/empty checksum, (4) checksum with invalid length that doesn't match any algorithm.

Copilot uses AI. Check for mistakes.
if (StringUtils.isEmpty(checksum)) {
return checksum;
}
int checksumLength = checksum.length();
Map<String, Integer> paddingLengths = getChecksumLengthsMap();
for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) {
if (entry.getValue().equals(checksumLength)) {
String algorithm = entry.getKey();
return String.format("{%s}%s", algorithm, checksum);
}
}
Comment on lines +152 to +157
Copy link

Copilot AI Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When multiple hash algorithms have different lengths but one checksum length could theoretically match multiple entries in the map, the iteration order is non-deterministic since getChecksumLengthsMap() returns a HashMap. While the current set of algorithms have unique lengths, this creates ambiguity. Consider using a LinkedHashMap with algorithms ordered by preference (most secure first), or add a comment documenting that all supported algorithms have unique digest lengths.

Suggested change
for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) {
if (entry.getValue().equals(checksumLength)) {
String algorithm = entry.getKey();
return String.format("{%s}%s", algorithm, checksum);
}
}
String selectedAlgorithm = null;
// In case multiple algorithms share the same digest length, choose deterministically
for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) {
if (entry.getValue().equals(checksumLength)) {
String algorithm = entry.getKey();
if (selectedAlgorithm == null || algorithm.compareTo(selectedAlgorithm) < 0) {
selectedAlgorithm = algorithm;
}
}
}
if (selectedAlgorithm != null) {
return String.format("{%s}%s", selectedAlgorithm, checksum);
}

Copilot uses AI. Check for mistakes.
return checksum;
}
Comment on lines +146 to +159
Copy link

Copilot AI Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The prependAlgorithm method doesn't check if the algorithm prefix is already present before prepending, which could result in double-prefixing (e.g., {SHA-512}{SHA-512}checksum). Add a check using the existing isAlgorithmPresent() method at the start of the function to return the checksum unchanged if it already has the prefix.

Copilot uses AI. Check for mistakes.
}
Loading