@@ -61,7 +61,7 @@ github.com/ishidawataru/sctp 07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb

 # get graph and distribution packages

 github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c

 github.com/vbatts/tar-split v0.10.2

-github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb

+github.com/opencontainers/go-digest v1.0.0-rc1

 # get go-zfs packages

 github.com/mistifyio/go-zfs 22c9b32c84eb0d0c6f4043b6e90fc94073de92fa

@@ -1,10 +1,10 @@

 # go-digest

-[![GoDoc](https://godoc.org/github.com/docker/go-digest?status.svg)](https://godoc.org/github.com/docker/go-digest) [![Go Report Card](https://goreportcard.com/badge/github.com/docker/go-digest)](https://goreportcard.com/report/github.com/docker/go-digest) [![Build Status](https://travis-ci.org/docker/go-digest.svg?branch=master)](https://travis-ci.org/docker/go-digest)

+[![GoDoc](https://godoc.org/github.com/opencontainers/go-digest?status.svg)](https://godoc.org/github.com/opencontainers/go-digest) [![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/go-digest)](https://goreportcard.com/report/github.com/opencontainers/go-digest) [![Build Status](https://travis-ci.org/opencontainers/go-digest.svg?branch=master)](https://travis-ci.org/opencontainers/go-digest)

 Common digest package used across the container ecosystem.

-Please see the [godoc](https://godoc.org/github.com/docker/go-digest) for more information.

+Please see the [godoc](https://godoc.org/github.com/opencontainers/go-digest) for more information.

 # What is a digest?

@@ -49,7 +49,7 @@ can power a rich, safe, content distribution system.

 # Usage

-While the [godoc](https://godoc.org/github.com/docker/go-digest) is 

+While the [godoc](https://godoc.org/github.com/opencontainers/go-digest) is

 considered the best resource, a few important items need to be called 

 out when using this package.

@@ -76,7 +76,7 @@ out when using this package.

 The Go API, at this stage, is considered stable, unless otherwise noted.

-As always, before using a package export, read the [godoc](https://godoc.org/github.com/docker/go-digest).

+As always, before using a package export, read the [godoc](https://godoc.org/github.com/opencontainers/go-digest).

 # Contributing

@@ -88,16 +88,16 @@ the alternatives you tried before submitting a PR.

 # Reporting security issues

-The maintainers take security seriously. If you discover a security 

-issue, please bring it to their attention right away!

+Please DO NOT file a public issue, instead send your report privately to

+security@opencontainers.org.

-Please DO NOT file a public issue, instead send your report privately

-to security@docker.com.

+The maintainers take security seriously. If you discover a security issue,

+please bring it to their attention right away!

-Security reports are greatly appreciated and we will publicly thank you 

-for it. We also like to send gifts—if you're into Docker schwag, make 

-sure to let us know. We currently do not offer a paid security bounty 

-program, but are not ruling it out in the future.

+If you are reporting a security issue, do not create an issue or file a pull

+request on GitHub. Instead, disclose the issue responsibly by sending an email

+to security@opencontainers.org (which is inhabited only by the maintainers of

+the various OCI projects).

 # Copyright and license

@@ -1,3 +1,17 @@

+// Copyright 2017 Docker, Inc.

+//

+// Licensed under the Apache License, Version 2.0 (the "License");

+// you may not use this file except in compliance with the License.

+// You may obtain a copy of the License at

+//

+//     https://www.apache.org/licenses/LICENSE-2.0

+//

+// Unless required by applicable law or agreed to in writing, software

+// distributed under the License is distributed on an "AS IS" BASIS,

+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+// See the License for the specific language governing permissions and

+// limitations under the License.

+

 package digest

 import (

@@ -5,6 +19,7 @@ import (

 	"fmt"

 	"hash"

 	"io"

+	"regexp"

 )

 // Algorithm identifies and implementation of a digester by an identifier.

@@ -14,9 +29,9 @@ type Algorithm string

 // supported digest types

 const (

-	SHA256 Algorithm = "sha256" // sha256 with hex encoding

-	SHA384 Algorithm = "sha384" // sha384 with hex encoding

-	SHA512 Algorithm = "sha512" // sha512 with hex encoding

+	SHA256 Algorithm = "sha256" // sha256 with hex encoding (lower case only)

+	SHA384 Algorithm = "sha384" // sha384 with hex encoding (lower case only)

+	SHA512 Algorithm = "sha512" // sha512 with hex encoding (lower case only)

 	// Canonical is the primary digest algorithm used with the distribution

 	// project. Other digests may be used but this one is the primary storage

@@ -36,6 +51,14 @@ var (

 		SHA384: crypto.SHA384,

 		SHA512: crypto.SHA512,

 	}

+

+	// anchoredEncodedRegexps contains anchored regular expressions for hex-encoded digests.

+	// Note that /A-F/ disallowed.

+	anchoredEncodedRegexps = map[Algorithm]*regexp.Regexp{

+		SHA256: regexp.MustCompile(`^[a-f0-9]{64}$`),

+		SHA384: regexp.MustCompile(`^[a-f0-9]{96}$`),

+		SHA512: regexp.MustCompile(`^[a-f0-9]{128}$`),

+	}

 )

 // Available returns true if the digest type is available for use. If this

@@ -111,6 +134,14 @@ func (a Algorithm) Hash() hash.Hash {

 	return algorithms[a].New()

 }

+// Encode encodes the raw bytes of a digest, typically from a hash.Hash, into

+// the encoded portion of the digest.

+func (a Algorithm) Encode(d []byte) string {

+	// TODO(stevvooe): Currently, all algorithms use a hex encoding. When we

+	// add support for back registration, we can modify this accordingly.

+	return fmt.Sprintf("%x", d)

+}

+

 // FromReader returns the digest of the reader using the algorithm.

 func (a Algorithm) FromReader(rd io.Reader) (Digest, error) {

 	digester := a.Digester()

@@ -142,3 +173,20 @@ func (a Algorithm) FromBytes(p []byte) Digest {

 func (a Algorithm) FromString(s string) Digest {

 	return a.FromBytes([]byte(s))

 }

+

+// Validate validates the encoded portion string

+func (a Algorithm) Validate(encoded string) error {

+	r, ok := anchoredEncodedRegexps[a]

+	if !ok {

+		return ErrDigestUnsupported

+	}

+	// Digests much always be hex-encoded, ensuring that their hex portion will

+	// always be size*2

+	if a.Size()*2 != len(encoded) {

+		return ErrDigestInvalidLength

+	}

+	if r.MatchString(encoded) {

+		return nil

+	}

+	return ErrDigestInvalidFormat

+}

@@ -1,3 +1,17 @@

+// Copyright 2017 Docker, Inc.

+//

+// Licensed under the Apache License, Version 2.0 (the "License");

+// you may not use this file except in compliance with the License.

+// You may obtain a copy of the License at

+//

+//     https://www.apache.org/licenses/LICENSE-2.0

+//

+// Unless required by applicable law or agreed to in writing, software

+// distributed under the License is distributed on an "AS IS" BASIS,

+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+// See the License for the specific language governing permissions and

+// limitations under the License.

+

 package digest

 import (

@@ -31,16 +45,21 @@ func NewDigest(alg Algorithm, h hash.Hash) Digest {

 // functions. This is also useful for rebuilding digests from binary

 // serializations.

 func NewDigestFromBytes(alg Algorithm, p []byte) Digest {

-	return Digest(fmt.Sprintf("%s:%x", alg, p))

+	return NewDigestFromEncoded(alg, alg.Encode(p))

 }

-// NewDigestFromHex returns a Digest from alg and a the hex encoded digest.

+// NewDigestFromHex is deprecated. Please use NewDigestFromEncoded.

 func NewDigestFromHex(alg, hex string) Digest {

-	return Digest(fmt.Sprintf("%s:%s", alg, hex))

+	return NewDigestFromEncoded(Algorithm(alg), hex)

+}

+

+// NewDigestFromEncoded returns a Digest from alg and the encoded digest.

+func NewDigestFromEncoded(alg Algorithm, encoded string) Digest {

+	return Digest(fmt.Sprintf("%s:%s", alg, encoded))

 }

 // DigestRegexp matches valid digest types.

-var DigestRegexp = regexp.MustCompile(`[a-zA-Z0-9-_+.]+:[a-fA-F0-9]+`)

+var DigestRegexp = regexp.MustCompile(`[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+`)

 // DigestRegexpAnchored matches valid digest types, anchored to the start and end of the match.

 var DigestRegexpAnchored = regexp.MustCompile(`^` + DigestRegexp.String() + `$`)

@@ -82,26 +101,18 @@ func FromString(s string) Digest {

 // error if not.

 func (d Digest) Validate() error {

 	s := string(d)

-

 	i := strings.Index(s, ":")

-

-	// validate i then run through regexp

-	if i < 0 || i+1 == len(s) || !DigestRegexpAnchored.MatchString(s) {

+	if i <= 0 || i+1 == len(s) {

 		return ErrDigestInvalidFormat

 	}

-

-	algorithm := Algorithm(s[:i])

+	algorithm, encoded := Algorithm(s[:i]), s[i+1:]

 	if !algorithm.Available() {

+		if !DigestRegexpAnchored.MatchString(s) {

+			return ErrDigestInvalidFormat

+		}

 		return ErrDigestUnsupported

 	}

-

-	// Digests much always be hex-encoded, ensuring that their hex portion will

-	// always be size*2

-	if algorithm.Size()*2 != len(s[i+1:]) {

-		return ErrDigestInvalidLength

-	}

-

-	return nil

+	return algorithm.Validate(encoded)

 }

 // Algorithm returns the algorithm portion of the digest. This will panic if

@@ -119,12 +130,17 @@ func (d Digest) Verifier() Verifier {

 	}

 }

-// Hex returns the hex digest portion of the digest. This will panic if the

+// Encoded returns the encoded portion of the digest. This will panic if the

 // underlying digest is not in a valid format.

-func (d Digest) Hex() string {

+func (d Digest) Encoded() string {

 	return string(d[d.sepIndex()+1:])

 }

+// Hex is deprecated. Please use Digest.Encoded.

+func (d Digest) Hex() string {

+	return d.Encoded()

+}

+

 func (d Digest) String() string {

 	return string(d)

 }

@@ -1,3 +1,17 @@

+// Copyright 2017 Docker, Inc.

+//

+// Licensed under the Apache License, Version 2.0 (the "License");

+// you may not use this file except in compliance with the License.

+// You may obtain a copy of the License at

+//

+//     https://www.apache.org/licenses/LICENSE-2.0

+//

+// Unless required by applicable law or agreed to in writing, software

+// distributed under the License is distributed on an "AS IS" BASIS,

+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+// See the License for the specific language governing permissions and

+// limitations under the License.

+

 package digest

 import "hash"

@@ -1,3 +1,17 @@

+// Copyright 2017 Docker, Inc.

+//

+// Licensed under the Apache License, Version 2.0 (the "License");

+// you may not use this file except in compliance with the License.

+// You may obtain a copy of the License at

+//

+//     https://www.apache.org/licenses/LICENSE-2.0

+//

+// Unless required by applicable law or agreed to in writing, software

+// distributed under the License is distributed on an "AS IS" BASIS,

+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+// See the License for the specific language governing permissions and

+// limitations under the License.

+

 // Package digest provides a generalized type to opaquely represent message

 // digests and their operations within the registry. The Digest type is

 // designed to serve as a flexible identifier in a content-addressable system.

@@ -1,3 +1,17 @@

+// Copyright 2017 Docker, Inc.

+//

+// Licensed under the Apache License, Version 2.0 (the "License");

+// you may not use this file except in compliance with the License.

+// You may obtain a copy of the License at

+//

+//     https://www.apache.org/licenses/LICENSE-2.0

+//

+// Unless required by applicable law or agreed to in writing, software

+// distributed under the License is distributed on an "AS IS" BASIS,

+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+// See the License for the specific language governing permissions and

+// limitations under the License.

+

 package digest

 import (