From 71016d7d74ba8de4578636a50d0c762ab8e47730 Mon Sep 17 00:00:00 2001
From: Martin Vrachev
Date: Tue, 7 Jul 2020 16:41:22 +0300
Subject: [PATCH 1/2] Refactor to use changed format metadata to key

In commit b7a15fdee7dee899c098b01fe64d604635b2b132 or pr https://github.com/secure-systems-lab/securesystemslib/pull/227 in securesystemslib I change the function arguments of the format_metadata_to_key function in securesystemslib/keys.py to add the opportunity to use custom keyid hash algorithms without chainging the securesystemslib.settings.HASH_ALGORITHMS variable. With this commit, I make use of the above changes in tuf.

Signed-off-by: Martin Vrachev
---
 tuf/client/updater.py | 3 ++-
 tuf/keydb.py | 3 ++-
 tuf/repository_lib.py | 3 ++-
 tuf/repository_tool.py | 8 ++------
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index 19d518e6..9565d2c0 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -952,7 +952,8 @@ def _import_delegations(self, parent_role):
 # We specify the keyid to ensure that it's the correct keyid
 # for the key.
 try:
- key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
+ key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid,
+ keyid_hash_algorithms=keyinfo['keyid_hash_algorithms'])
 tuf.keydb.add_key(key, repository_name=self.repository_name)

diff --git a/tuf/keydb.py b/tuf/keydb.py
index 663d9559..7f768274 100755
--- a/tuf/keydb.py
+++ b/tuf/keydb.py
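Review bot: The new call in `_import_delegations` subscripts `keyinfo['keyid_hash_algorithms']` directly, so a key entry that lacks that field now fails with a bare `KeyError` instead of taking the library default as it did before; the keydb.py, repository_lib.py and repository_tool.py hunks of this patch have the same pattern. On the client `keyinfo` comes from downloaded metadata, and as far as I know `keyid_hash_algorithms` is a tuf-specific addition to the key format rather than a required spec field, so its absence is a realistic input that should fail as a typed format error, not an unhandled `KeyError`; if the new securesystemslib parameter falls back to `settings.HASH_ALGORITHMS` when it is `None`, `keyid_hash_algorithms=keyinfo.get('keyid_hash_algorithms')` preserves the previous behaviour for such entries, otherwise validate the field before the call. Since `keyid` is passed explicitly and the computed keyids are discarded, the field only has to be present and well-formed, which is worth stating on the new lines, e.g. `# keyid_hash_algorithms only affects the discarded computed keyids; the explicit keyid is authoritative`. The `try` that wraps the call and its `except` handler continue outside the hunk, so which exceptions are caught is not visible here.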
@@ -122,7 +122,8 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
 # format_metadata_to_key() uses the provided keyid as the default keyid.
 # All other keyids returned are ignored.
- key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid)
+ key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
+ keyid, keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
 # Make sure to update key_dict['keyid'] to use one of the other valid
 # keyids, otherwise add_key() will have no reference to it.
diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py
index 5a3a4959..765d6ac9 100644
--- a/tuf/repository_lib.py
+++ b/tuf/repository_lib.py
@@ -645,7 +645,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
 for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']):
 # Use the keyid found in the delegation
- key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid)
+ key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
+ keyid, keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
 # Add 'key_object' to the list of recognized keys. Keys may be shared,
 # so do not raise an exception if 'key_object' has already been loaded.
diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py
index 3a2f4dce..80acad70 100755
--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@@ -3187,12 +3187,8 @@ def load_repository(repository_directory, repository_name='default',
 # The repo may have used hashing algorithms for the generated keyids
 # that doesn't match the client's set of hash algorithms. Make sure
 # to only used the repo's selected hashing algorithms.
- hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
- securesystemslib.settings.HASH_ALGORITHMS = \
- key_metadata['keyid_hash_algorithms']
- key_object, keyids = \
- securesystemslib.keys.format_metadata_to_key(key_metadata)
- securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
+ key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata,
+ keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
 try:
 for keyid in keyids: # pragma: no branch
 key_object['keyid'] = keyid

From 7a828ea7165e4860a50f67c46f368580594ed019 Mon Sep 17 00:00:00 2001
From: Martin Vrachev
Date: Tue, 18 Aug 2020 17:42:30 +0300
Subject: [PATCH 2/2] Bump securesyslib to 0.16.0 in setup.py

Signed-off-by: Martin Vrachev
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 2bc45183..396edc43 100755
--- a/setup.py
+++ b/setup.py
@@ -117,7 +117,7 @@
 'iso8601>=0.1.12',
 'requests>=2.19.1',
 'six>=1.11.0',
- 'securesystemslib>=0.15.0'
+ 'securesystemslib>=0.16.0'
 ],
 tests_require = [
 'mock; python_version < "3.3"'