SHA256 Secret Masking

June 5, 2020

MASKED using SHA256

The MD5MSK operation will be removed in the next breaking change. The new operation MASKED does not reference the algorithm to allow for changes (though unlikely) in the future.

MASKED $PASSWORD

Returns uppercase (as per MD5MSK, in both Linux and Windows) checksum.

A591A6D40BF420404A011733CFB7B190D62C65BF0BCDA32B57B277D9AD9F146E

VARCHK secret mask

Also for the VARCHK operation, when a property is secret or checksum verified, SHA256 algoithm is used. For this example property file

# Verify variable is populated and log the checksum value
AES_KEY=secret

# Verify variable is populated, and the SHA256 matches, support literal or variable
AES_KEY=90BF7460FFDFE121C41AAFDF6B7D33EB08ACD0736D8B0A0B461E595E32DE26F5
AES_KEY=$env:AES_KEY_MASK

When checked

$env:AES_KEY_MASK = (MASKED $env:AES_KEY)
VARCHK properties.varchk

Will return

[Transform.ps1] PROPFILE  : properties.varchk
[Transform.ps1]   env:AES_KEY = secret
[Transform.ps1]   env:AES_KEY = 90BF7460FFDFE121C41AAFDF6B7D33EB08ACD0736D8B0A0B461E595E32DE26F5
[Transform.ps1]   env:AES_KEY = 90BF7460FFDFE121C41AAFDF6B7D33EB08ACD0736D8B0A0B461E595E32DE26F5

  $env:AES_KEY = 90BF7460FFDFE121C41AAFDF6B7D33EB08ACD0736D8B0A0B461E595E32DE26F5 (MASKED required secret)
  $env:AES_KEY = 90BF7460FFDFE121C41AAFDF6B7D33EB08ACD0736D8B0A0B461E595E32DE26F5 (MASKED check success)
  $env:AES_KEY = 90BF7460FFDFE121C41AAFDF6B7D33EB08ACD0736D8B0A0B461E595E32DE26F5 (MASKED check success)

For full release details for CDAF 2.5.2 see http://cdaf.io/release