Update for FIPS Compliance (#3291)

* Update md5 to sha256 for FIPS compliance

* Update md5 to sha256 for FIPS compliance

* Update md5 to sha256 for FIPS compliance

* Update api.py

* Adapt url encoding in test_to_url. It changed because the specification changed due to the different hash algorithm which is used for the dataset name

* Truncate hash value to be same size as md5

* Truncate sha256 hash to match md5 hash length

* Truncate sha256 to match md5 hash size

* Truncate sha265 hash to be same size as md5

* update test

* add change note

---------

Co-authored-by: Stefan Binder <binder_stefan@outlook.com>
Co-authored-by: mattijn <mattijn@gmail.com>

altair/utils/data.py

@@ -257,7 +257,7 @@ def check_data_type(data: DataType) -> None:
 # Private utilities
 # ==============================================================================
 def _compute_data_hash(data_str: str) -> str:
-    return hashlib.md5(data_str.encode()).hexdigest()
+    return hashlib.sha256(data_str.encode()).hexdigest()[:32]
 
 
 def _data_to_json_string(data: DataType) -> str:

altair/vegalite/v5/api.py

@@ -57,7 +57,7 @@ def _dataset_name(values: Union[dict, list, core.InlineDataset]) -> str:
     if values == [{}]:
         return "empty"
     values_json = json.dumps(values, sort_keys=True)
-    hsh = hashlib.md5(values_json.encode()).hexdigest()
+    hsh = hashlib.sha256(values_json.encode()).hexdigest()[:32]
     return "data-" + hsh
 
 

doc/releases/changes.rst

@@ -8,10 +8,14 @@ Version 5.3.0 (unreleased month day, year)
 
 Enhancements
 ~~~~~~~~~~~~
+- Support restrictive FIPS-compliant environment (#3291)
+
 Bug Fixes
 ~~~~~~~~~
+
 Backward-Incompatible Changes
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+- Changed hash function from ``md5`` to a truncated ``sha256`` non-cryptograhic hash (#3291)
 
 Version 5.2.0 (released Nov 28, 2023)
 -------------------------------------------

sphinxext/altairgallery.py

@@ -166,7 +166,7 @@ def save_example_pngs(examples, image_dir, make_thumbnails=True):
         filename = example["name"] + (".svg" if example["use_svg"] else ".png")
         image_file = os.path.join(image_dir, filename)
 
-        example_hash = hashlib.md5(example["code"].encode()).hexdigest()
+        example_hash = hashlib.sha256(example["code"].encode()).hexdigest()[:32]
         hashes_match = hashes.get(filename, "") == example_hash
 
         if hashes_match and os.path.exists(image_file):

sphinxext/utils.py

@@ -193,8 +193,8 @@ def dict_hash(dct):
     serialized = json.dumps(dct, sort_keys=True)
 
     try:
-        m = hashlib.md5(serialized)
+        m = hashlib.sha256(serialized)[:32]
     except TypeError:
-        m = hashlib.md5(serialized.encode())
+        m = hashlib.sha256(serialized.encode())[:32]
 
     return m.hexdigest()

tests/vegalite/v5/test_api.py

@@ -382,14 +382,7 @@ def test_save_html(basic_chart, inline):
 
 def test_to_url(basic_chart):
     share_url = basic_chart.to_url()
-    expected_vegalite_encoding = (
-        "N4Igxg9gdgZglgcxALlANzgUwO4tJKAFzigFcJSBnAdTgBNCALFAZgAY2AacaYsiygAlMiRoVYcAvpO5"
-        "0AhoTl4QUOQFtMKEPMUBaMACY5LTAA4AnACM55ugFY6ARgBspgOz2zh03Wfs5bCwsIDIganIATgDWyoQ"
-        "AngAOmsgg1hEh3JhQkHQkSKggAB7K8JgANnRaStzxSVpQEGokcmUZIHElWBValiA1ickgAI6kckRwisR"
-        "omtLcACSUYIyY4VpihAmUyAD029MIcgB0CBOMpJaHcBDbi8vhe5gHumUTmHt2hy6HLIcAVpTQPraBRyS"
-        "iYQiUZQ6OT6IwmCzWWwOFzuTymby+fyBYLIADaoCUKQAgkDesgDKYZAStAAhUkoOx2KkgQkgADC9OQABY"
-        "WMzWQARTnmRx8rQAUU5phFnGpKQAYpy7LyZSytABxTmOcyilKCSVuHUgACSioMkgAutIgA"
-    )
+    expected_vegalite_encoding = "N4Igxg9gdgZglgcxALlANzgUwO4tJKAFzigFcJSBnAdTgBNCALFAZgAY2AacaYsiygAlMiRoVYcAvpO50AhoTl4QUOQFtMKEPMUBaAOwA2ABwAWFi1NyTcgEb7TtuabAswc-XTZhMczLdNDAEYQGRA1OQAnAGtlQgBPAAdNZBAnSNDuTChIOhIkVBAAD2V4TAAbOi0lbgTkrSgINRI5csyQeNKsSq1bEFqklJAAR1I5IjhFYjRNaW4AEkowRkwIrTFCRMpkAHodmYQ5ADoEScZSWyO4CB2llYj9zEPdcsnMfYBWI6DDI5YjgBWlGg-W0CjklEwhEoyh0cgMJnMlmsxjsDicLjcHi8Pj8AWCKAA2qAlKkAIKgvrIABMxhkJK0ACFKSgPh96SBSSAAMIs5DmDlcgAifIAnEFBVoAKJ84wSzgM1IAMT5HxYktSAHE+UFRRqQIJZfp9QBJVXUyQAXWkQA"
 
     assert (
         share_url