fix assertion hash

Author: sujankota

sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java

@@ -23,6 +23,7 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import io.opentdf.platform.sdk.TDF.AssertionException;
+import org.apache.commons.codec.binary.Hex;
 import org.erdtman.jcs.JsonCanonicalizer;
 
 import java.io.IOException;
@@ -351,7 +352,7 @@ public int hashCode() {
             return Objects.hash(id, type, scope, appliesToState, statement, binding);
         }
 
-        public byte[] hash() throws IOException {
+        public String hash() throws IOException {
             MessageDigest digest;
             try {
                 digest = MessageDigest.getInstance("SHA-256");
@@ -361,7 +362,7 @@ public byte[] hash() throws IOException {
 
             var assertionAsJson = gson.toJson(this);
             JsonCanonicalizer jc = new JsonCanonicalizer(assertionAsJson);
-            return digest.digest(jc.getEncodedUTF8());
+            return Hex.encodeHexString(digest.digest(jc.getEncodedUTF8()));
         }
 
         // Sign the assertion with the given hash and signature using the key.

sdk/src/main/java/io/opentdf/platform/sdk/TDF.java

@@ -417,7 +417,7 @@ private static byte[] calculateSignature(byte[] data, byte[] secret, Config.Inte
     public TDFObject createTDF(InputStream payload,
             OutputStream outputStream,
             Config.TDFConfig tdfConfig, SDK.KAS kas, AttributesServiceFutureStub attrService)
-            throws IOException, JOSEException, AutoConfigureException, InterruptedException, ExecutionException {
+            throws IOException, JOSEException, AutoConfigureException, InterruptedException, ExecutionException, DecoderException {
 
         if (tdfConfig.autoconfigure) {
             Autoconfigure.Granter granter = new Autoconfigure.Granter(new ArrayList<>());
@@ -532,7 +532,8 @@ public TDFObject createTDF(InputStream payload,
             assertion.statement = assertionConfig.statement;
             assertion.appliesToState = assertionConfig.appliesToState.toString();
 
-            var assertionHash = assertion.hash();
+            var assertionHashAsHex = assertion.hash();
+            var assertionHash = Hex.decodeHex(assertionHashAsHex);
             byte[] completeHash = new byte[aggregateHash.size() + assertionHash.length];
             System.arraycopy(aggregateHash.toByteArray(), 0, completeHash, 0, aggregateHash.size());
             System.arraycopy(assertionHash, 0, completeHash, aggregateHash.size(), assertionHash.length);
@@ -545,7 +546,7 @@ public TDFObject createTDF(InputStream payload,
                 assertionSigningKey = assertionConfig.assertionKey;
             }
             var hashValues = new Manifest.Assertion.HashValues(
-                    Base64.getEncoder().encodeToString(assertionHash),
+                    assertionHashAsHex,
                     encodedHash
             );
             assertion.sign(hashValues, assertionSigningKey);
@@ -707,7 +708,7 @@ public Reader loadTDF(SeekableByteChannel tdf, SDK.KAS kas,
             throw new SegmentSizeMismatch("mismatch encrypted segment size in manifest");
         }
 
-        var aggregateSignatureBytes = aggregateHash.toByteArray();
+        var aggregateHashByteArrayBytes = aggregateHash.toByteArray();
         // Validate assertions
         for (var assertion : manifest.assertions) {
             // Skip assertion verification if disabled
@@ -726,22 +727,17 @@ public Reader loadTDF(SeekableByteChannel tdf, SDK.KAS kas,
             }
 
             var hashValues = assertion.verify(assertionKey);
-            var assertionAsJson = gson.toJson(assertion);
-            JsonCanonicalizer jc = new JsonCanonicalizer(assertionAsJson);
-            var hashOfAssertion = digest.digest(jc.getEncodedUTF8());
-            var assertionCompare = isLegacyTdf ? Hex.encodeHexString(hashOfAssertion) : Base64.getEncoder().encodeToString(hashOfAssertion);
+            var hashOfAssertionAsHex = assertion.hash();
 
-            if (!Objects.equals(assertionCompare, hashValues.getAssertionHash())) {
+            if (!Objects.equals(hashOfAssertionAsHex, hashValues.getAssertionHash())) {
                 throw new AssertionException("assertion hash mismatch", assertion.id);
             }
 
-            if (isLegacyTdf) {
-                hashOfAssertion = Hex.encodeHexString(hashOfAssertion).getBytes();
-            }
+            var hashOfAssertion = Hex.decodeHex(hashOfAssertionAsHex);
 
-            var signature = new byte[aggregateSignatureBytes.length + hashOfAssertion.length];
-            System.arraycopy(aggregateSignatureBytes, 0, signature, 0, aggregateSignatureBytes.length);
-            System.arraycopy(hashOfAssertion, 0, signature, aggregateSignatureBytes.length, hashOfAssertion.length);
+            var signature = new byte[aggregateHashByteArrayBytes.length + hashOfAssertion.length];
+            System.arraycopy(aggregateHashByteArrayBytes, 0, signature, 0, aggregateHashByteArrayBytes.length);
+            System.arraycopy(hashOfAssertion, 0, signature, aggregateHashByteArrayBytes.length, hashOfAssertion.length);
             var encodeSignature = Base64.getEncoder().encodeToString(signature);
 
             if (!Objects.equals(encodeSignature, hashValues.getSignature())) {