Skip to content

Commit

Permalink
Make new API compatible with the Signing interface
Browse files Browse the repository at this point in the history
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
  • Loading branch information
MVrachev committed Mar 9, 2021
1 parent 801c5e3 commit 3050fb6
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 15 deletions.
2 changes: 1 addition & 1 deletion setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@
python_requires="~=3.6",
install_requires = [
'requests>=2.19.1',
'securesystemslib>=0.18.0',
'securesystemslib>=0.20.0',
'six>=1.11.0'
],
packages = find_packages(exclude=['tests']),
Expand Down
12 changes: 9 additions & 3 deletions tests/test_api.py
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@
format_keyval_to_metadata
)

from securesystemslib.signer import (
SSlibSigner
)

logger = logging.getLogger(__name__)


Expand Down Expand Up @@ -153,8 +157,9 @@ def test_sign_verify(self):
self.assertTrue(metadata_obj.verify(
self.keystore['targets']['public']))

sslib_signer = SSlibSigner(self.keystore['snapshot']['private'])
# Append a new signature with the unrelated key and assert that ...
metadata_obj.sign(self.keystore['snapshot']['private'], append=True)
metadata_obj.sign(sslib_signer, append=True)
# ... there are now two signatures, and
self.assertTrue(len(metadata_obj.signatures) == 2)
# ... both are valid for the corresponding keys.
Expand All @@ -163,16 +168,17 @@ def test_sign_verify(self):
self.assertTrue(metadata_obj.verify(
self.keystore['snapshot']['public']))

sslib_signer.key_dict = self.keystore['timestamp']['private']
# Create and assign (don't append) a new signature and assert that ...
metadata_obj.sign(self.keystore['timestamp']['private'], append=False)
metadata_obj.sign(sslib_signer, append=False)
# ... there now is only one signature,
self.assertTrue(len(metadata_obj.signatures) == 1)
# ... valid for that key.
self.assertTrue(metadata_obj.verify(
self.keystore['timestamp']['public']))

# Assert exception if there are more than one signatures for a key
metadata_obj.sign(self.keystore['timestamp']['private'], append=True)
metadata_obj.sign(sslib_signer, append=True)
with self.assertRaises(tuf.exceptions.Error) as ctx:
metadata_obj.verify(self.keystore['timestamp']['public'])
self.assertTrue(
Expand Down
31 changes: 20 additions & 11 deletions tuf/api/metadata.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,8 @@
persist_temp_file
)
from securesystemslib.storage import StorageBackendInterface
from securesystemslib.keys import create_signature, verify_signature
from securesystemslib.keys import verify_signature
from securesystemslib.signer import Signer, Signature

import tuf.formats
import tuf.exceptions
Expand Down Expand Up @@ -92,12 +93,14 @@ class also that has a 'from_dict' factory method. (Currently this is
else:
raise ValueError(f'unrecognized metadata type "{_type}"')

# NOTE: If Signature becomes a class, we should iterate over
# metadata['signatures'], call Signature.from_dict for each item, and
# pass a list of Signature objects to the Metadata constructor intead.
signatures = []
for signature in metadata['signatures']:
signature_obj = Signature.from_dict(signature)
signatures.append(signature_obj)

return cls(
signed=inner_cls.from_dict(metadata['signed']),
signatures=metadata['signatures'])
signatures=signatures)


@classmethod
Expand Down Expand Up @@ -146,8 +149,13 @@ def from_json_file(
# Serialization.
def to_dict(self) -> JsonDict:
"""Returns the JSON-serializable dictionary representation of self. """

signatures = []
for sig in self.signatures:
signatures.append(sig.to_dict())

return {
'signatures': self.signatures,
'signatures': signatures,
'signed': self.signed.to_dict()
}

Expand Down Expand Up @@ -184,11 +192,12 @@ def to_json_file(


# Signatures.
def sign(self, key: JsonDict, append: bool = False) -> JsonDict:
def sign(self, signer: Signer, append: bool = False) -> JsonDict:
"""Creates signature over 'signed' and assigns it to 'signatures'.
Arguments:
key: A securesystemslib-style private key object used for signing.
singer: An object implementing the securesystemslib.signer.Signer
interface.
append: A boolean indicating if the signature should be appended to
the list of signatures or replace any existing signatures. The
default behavior is to replace signatures.
Expand All @@ -203,7 +212,7 @@ def sign(self, key: JsonDict, append: bool = False) -> JsonDict:
A securesystemslib-style signature object.
"""
signature = create_signature(key, self.signed.to_canonical_bytes())
signature = signer.sign(self.signed.to_canonical_bytes())

if append:
self.signatures.append(signature)
Expand Down Expand Up @@ -232,7 +241,7 @@ def verify(self, key: JsonDict) -> bool:
"""
signatures_for_keyid = list(filter(
lambda sig: sig['keyid'] == key['keyid'], self.signatures))
lambda sig: sig.keyid == key['keyid'], self.signatures))

if not signatures_for_keyid:
raise tuf.exceptions.Error(
Expand All @@ -244,7 +253,7 @@ def verify(self, key: JsonDict) -> bool:
f'{key["keyid"]}, not sure which one to verify.')

return verify_signature(
key, signatures_for_keyid[0],
key, signatures_for_keyid[0].to_dict(),
self.signed.to_canonical_bytes())


Expand Down

0 comments on commit 3050fb6

Please sign in to comment.