fix: update hash format validation to -01 spec (plain base64url, no prefix)

Go ValidateHashFormat was still validating the old -00 format (algorithm:base64url with sha-256/sha-384/sha-512 prefix). Updated to validate plain base64url without prefix per -01 spec and RFC 9449. Python was already updated but uncommitted. Both refimpls now match.
2026-04-11 17:51:29 +02:00
parent 884d2dc836
commit ba38569319
5 changed files with 38 additions and 46 deletions
--- a/refimpl/python/tests/test_validate.py
+++ b/refimpl/python/tests/test_validate.py
@@ -47,17 +47,18 @@ def test_validate_hash_format_empty():


 def test_validate_hash_format_ok():
-    # sha-256:base64url (minimal valid)
-    validate_hash_format("sha-256:YQ")
-    validate_hash_format("sha-384:YQ")
-    validate_hash_format("sha-512:YQ")
+    # Plain base64url per RFC 9449 / ECT spec (no algorithm prefix)
+    validate_hash_format("YQ")
+    validate_hash_format("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
+    validate_hash_format("abc123-_XYZ")


 def test_validate_hash_format_bad():
-    with pytest.raises(ValueError, match="algorithm:base64url|inp_hash"):
-        validate_hash_format("md5:abc")
-    with pytest.raises(ValueError, match="algorithm:base64url|inp_hash"):
-        validate_hash_format("no-colon")
-    # Invalid base64 that triggers decode error (e.g. binary)
-    with pytest.raises(ValueError, match="algorithm:base64url|inp_hash"):
-        validate_hash_format("sha-256:YQ\x00")  # null in payload
+    # Colon is not valid base64url — rejects old prefixed format
+    with pytest.raises(ValueError, match="plain base64url"):
+        validate_hash_format("sha-256:YQ")
+    with pytest.raises(ValueError, match="plain base64url"):
+        validate_hash_format("not valid!!")
+    # Null byte in payload
+    with pytest.raises(ValueError, match="plain base64url"):
+        validate_hash_format("YQ\x00")