From cde0e2249efa9621ca3fef99b636900c1e29a9e3 Mon Sep 17 00:00:00 2001
From: Vladimir Diaz
Date: Thu, 12 Apr 2018 11:29:27 -0400
Subject: [PATCH 1/5] Make sure the locally generated keyids match metadata's: keydb.py
Signed-off-by: Vladimir Diaz
---
 tuf/keydb.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/tuf/keydb.py b/tuf/keydb.py
index 05c05001..33ca5e59 100755
--- a/tuf/keydb.py
+++ b/tuf/keydb.py
@@ -117,12 +117,16 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
 for junk, key_metadata in six.iteritems(root_metadata['keys']):
 if key_metadata['keytype'] in _SUPPORTED_KEY_TYPES:
 # 'key_metadata' is stored in 'KEY_SCHEMA' format. Call
- # create_from_metadata_format() to get the key in 'RSAKEY_SCHEMA'
- # format, which is the format expected by 'add_key()'. Note:
- # The 'keyids' returned by format_metadata_to_key() include keyids in
- # addition to the default keyid listed in 'key_dict'. The additional
- # keyids are generated according to settings.REPOSITORY_HASH_ALGORITHMS.
+ # create_from_metadata_format() to get the key in 'RSAKEY_SCHEMA' format,
+ # which is the format expected by 'add_key()'. Note: The 'keyids'
+ # returned by format_metadata_to_key() include keyids in addition to the
+ # default keyid listed in 'key_dict'. The additional keyids are
+ # generated according to securesystemslib.settings.HASH_ALGORITHMS.
+
+ hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+ securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
 key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
+ securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
 try:
 for keyid in keyids:
From c4d10295f532e46dea7fc0bef6c16cc88d07782e Mon Sep 17 00:00:00 2001
From: Vladimir Diaz
Date: Thu, 12 Apr 2018 11:30:01 -0400
Subject: [PATCH 2/5] Make sure the locally generated keyids match metadata's: repository_lib.py
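Review bot: The restore of `securesystemslib.settings.HASH_ALGORITHMS` after `format_metadata_to_key(key_metadata)` in the tuf/keydb.py hunk is skipped when that call raises, so one malformed key entry leaves the process-wide setting at the metadata-supplied list for every later keyid computation. Wrap the call in `try:` and move the restore into `finally: securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms`. The same save/override/restore lines are added in the repository_lib.py, repository_tool.py and client/updater.py hunks of this series and need the same guard; one shared context-manager helper would keep the four copies identical. Because the setting is module-global, the temporary value is presumably also visible to any other thread that computes keyids during the call. The body of create_keydb_from_root_metadata continues outside the hunk.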
Signed-off-by: Vladimir Diaz
---
 tuf/repository_lib.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py
index e0e08dcf..30094234 100755
--- a/tuf/repository_lib.py
+++ b/tuf/repository_lib.py
@@ -685,7 +685,10 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
 # Add the keys specified in the delegations field of the Targets role.
 for key_metadata in six.itervalues(targets_metadata['delegations']['keys']):
+ hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+ securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
 key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
+ securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
 # Add 'key_object' to the list of recognized keys. Keys may be shared,
 # so do not raise an exception if 'key_object' has already been loaded.
From 9a1774bc611d7026a0a485259de01fec4eedcf7b Mon Sep 17 00:00:00 2001
From: Vladimir Diaz
Date: Thu, 12 Apr 2018 11:30:30 -0400
Subject: [PATCH 3/5] Make sure the locally generated keyids match metadata's: repository_tool.py
Signed-off-by: Vladimir Diaz
---
 tuf/repository_tool.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py
index a4fa7779..33b9f94b 100755
--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@@ -3024,7 +3024,10 @@ def load_repository(repository_directory, repository_name='default'):
 # The repository maintainer should have also been made aware of the
 # duplicate key when it was added.
 for key_metadata in six.itervalues(metadata_object['delegations']['keys']):
+ hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+ securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
 key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
+ securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
 try:
 for keyid in keyids: # pragma: no branch
 key_object['keyid'] = keyid
From 55d368d9d4309ca3b681048447b7005dca08cac4 Mon Sep 17 00:00:00 2001
From: Vladimir Diaz
Date: Thu, 12 Apr 2018 11:31:00 -0400
Subject: [PATCH 4/5] Make sure the locally generated keyids match metadata's: updater.py
Signed-off-by: Vladimir Diaz
---
 tuf/client/updater.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index 87210fb5..24a4e498 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -953,7 +953,12 @@ def _import_delegations(self, parent_role):
 # We specify the keyid to ensure that it's the correct keyid
 # for the key.
 try:
+
+ hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
+ securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
 key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
+ securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
+
 for key_id in keyids:
 key['keyid'] = key_id
 tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
From 903ff0a2806ddcc1973dd111bb98db79842fdf47 Mon Sep 17 00:00:00 2001
From: Vladimir Diaz
Date: Thu, 12 Apr 2018 11:43:03 -0400
Subject: [PATCH 5/5] Add comment to affected modules... explaining why locally generated keyids use the hashing algorithms specified in metadata's 'keyid_hash_algorithms' field.
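Review bot: `keyinfo['keyid_hash_algorithms']` in the tuf/client/updater.py hunk (`_import_delegations`) is installed as the global hash-algorithm list with no check visible in the hunk, although the value comes from the key entry being imported. An entry without that field raises `KeyError` inside the `try:`, and whether the handler (outside the hunk) covers it cannot be seen here; an entry naming an algorithm the client does not support would presumably fail inside `format_metadata_to_key()` with the global already replaced. Validate the list against the algorithms the client accepts before assigning it, and fall back to the current setting when the field is absent, e.g. `algorithms = keyinfo.get('keyid_hash_algorithms', hash_algorithms)`. The `key_metadata['keyid_hash_algorithms']` lookups in the keydb.py, repository_lib.py and repository_tool.py hunks have the same gap.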
Signed-off-by: Vladimir Diaz
---
 tuf/client/updater.py | 3 +++
 tuf/keydb.py | 3 +++
 tuf/repository_lib.py | 4 ++++
 tuf/repository_tool.py | 4 ++++
 4 files changed, 14 insertions(+)
diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index 24a4e498..97681a3f 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -954,6 +954,9 @@ def _import_delegations(self, parent_role):
 # for the key.
 try:
+ # The repo may have used hashing algorithms for the generated keyids
+ # that doesn't match the client's set of hash algorithms. Make sure
+ # to only used the repo's selected hashing algorithms.
 hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
 securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
 key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
diff --git a/tuf/keydb.py b/tuf/keydb.py
index 33ca5e59..c885076e 100755
--- a/tuf/keydb.py
+++ b/tuf/keydb.py
@@ -123,6 +123,9 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
 # default keyid listed in 'key_dict'. The additional keyids are
 # generated according to securesystemslib.settings.HASH_ALGORITHMS.
+ # The repo may have used hashing algorithms for the generated keyids that
+ # doesn't match the client's set of hash algorithms. Make sure to only
+ # used the repo's selected hashing algorithms.
 hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
 securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
 key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py
index 30094234..efbe4409 100755
--- a/tuf/repository_lib.py
+++ b/tuf/repository_lib.py
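Review bot: The comment added above `hash_algorithms = ...` in the tuf/client/updater.py hunk has two grammar slips ("that doesn't match", "to only used") and does not say what the code relies on: the list comes from the key's 'keyid_hash_algorithms' field and the global setting is swapped only for the duration of the call. Suggested wording: `# The repo may have generated keyids with hash algorithms that differ from` / `# the local securesystemslib.settings.HASH_ALGORITHMS. Temporarily use the` / `# key's 'keyid_hash_algorithms' so the locally computed keyids match.` The same comment is added in the keydb.py hunk and in the repository_lib.py and repository_tool.py hunks that follow. In those two modules "the client's set of hash algorithms" also reads as misleading, since `_load_top_level_metadata` and `load_repository` appear to run on the repository side rather than in a client.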
@@ -685,6 +685,10 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
 # Add the keys specified in the delegations field of the Targets role.
 for key_metadata in six.itervalues(targets_metadata['delegations']['keys']):
+
+ # The repo may have used hashing algorithms for the generated keyids
+ # that doesn't match the client's set of hash algorithms. Make sure
+ # to only used the repo's selected hashing algorithms.
 hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
 securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
 key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py
index 33b9f94b..8d6fcd1b 100755
--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@@ -3024,6 +3024,10 @@ def load_repository(repository_directory, repository_name='default'):
 # The repository maintainer should have also been made aware of the
 # duplicate key when it was added.
 for key_metadata in six.itervalues(metadata_object['delegations']['keys']):
+
+ # The repo may have used hashing algorithms for the generated keyids
+ # that doesn't match the client's set of hash algorithms. Make sure
+ # to only used the repo's selected hashing algorithms.
 hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
 securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
 key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)