Merge pull request #686 from vladimir-v-diaz/gen_local_keyids_according_to_metadata

Generate local keyids by using the hashing algorithms selected by the repo

tuf/client/updater.py

@@ -953,7 +953,15 @@ def _import_delegations(self, parent_role):
         # We specify the keyid to ensure that it's the correct keyid
         # for the key.
         try:
+
+          # The repo may have used hashing algorithms for the generated keyids
+          # that doesn't match the client's set of hash algorithms.  Make sure
+          # to only used the repo's selected hashing algorithms.
+          hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+          securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
           key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
+          securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
+
           for key_id in keyids:
             key['keyid'] = key_id
             tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)

tuf/keydb.py

@@ -117,12 +117,19 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
   for junk, key_metadata in six.iteritems(root_metadata['keys']):
     if key_metadata['keytype'] in _SUPPORTED_KEY_TYPES:
       # 'key_metadata' is stored in 'KEY_SCHEMA' format.  Call
-      # create_from_metadata_format() to get the key in 'RSAKEY_SCHEMA'
-      # format, which is the format expected by 'add_key()'.  Note:
-      # The 'keyids' returned by format_metadata_to_key() include keyids in
-      # addition to the default keyid listed in 'key_dict'.  The additional
-      # keyids are generated according to settings.REPOSITORY_HASH_ALGORITHMS.
+      # create_from_metadata_format() to get the key in 'RSAKEY_SCHEMA' format,
+      # which is the format expected by 'add_key()'.  Note: The 'keyids'
+      # returned by format_metadata_to_key() include keyids in addition to the
+      # default keyid listed in 'key_dict'.  The additional keyids are
+      # generated according to securesystemslib.settings.HASH_ALGORITHMS.
+
+      # The repo may have used hashing algorithms for the generated keyids that
+      # doesn't match the client's set of hash algorithms.  Make sure to only
+      # used the repo's selected hashing algorithms.
+      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+      securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
       key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
+      securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
 
       try:
         for keyid in keyids:

tuf/repository_lib.py

@@ -685,7 +685,14 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
 
     # Add the keys specified in the delegations field of the Targets role.
     for key_metadata in six.itervalues(targets_metadata['delegations']['keys']):
+
+      # The repo may have used hashing algorithms for the generated keyids
+      # that doesn't match the client's set of hash algorithms.  Make sure
+      # to only used the repo's selected hashing algorithms.
+      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+      securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
       key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
+      securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
 
       # Add 'key_object' to the list of recognized keys.  Keys may be shared,
       # so do not raise an exception if 'key_object' has already been loaded.

tuf/repository_tool.py

@@ -3024,7 +3024,14 @@ def load_repository(repository_directory, repository_name='default'):
     # The repository maintainer should have also been made aware of the
     # duplicate key when it was added.
     for key_metadata in six.itervalues(metadata_object['delegations']['keys']):
+
+      # The repo may have used hashing algorithms for the generated keyids
+      # that doesn't match the client's set of hash algorithms.  Make sure
+      # to only used the repo's selected hashing algorithms.
+      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+      securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
       key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
+      securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
       try:
         for keyid in keyids: # pragma: no branch
           key_object['keyid'] = keyid