From 9fa92e22865b2ba4e164493564042cf3ca778bee Mon Sep 17 00:00:00 2001 From: marinamoore Date: Fri, 27 Mar 2020 13:24:56 -0700 Subject: [PATCH 01/12] Remove client check of the keyid calculation. This check is redundant as the keyid is provided in signed metadata. Removing this check allows the client to avoid use of the keyid_hash_algorithm field during verification. Note that this change requires a small change to the securesystemslib api. Signed-off-by: marinamoore --- tuf/client/updater.py | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 36b14f1c..b005e6a1 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -951,18 +951,10 @@ def _import_delegations(self, parent_role): # We specify the keyid to ensure that it's the correct keyid # for the key. try: + key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid) - # The repo may have used hashing algorithms for the generated keyids - # that doesn't match the client's set of hash algorithms. Make sure - # to only used the repo's selected hashing algorithms. - hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS - securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms'] - key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo) - securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms - - for key_id in keyids: - key['keyid'] = key_id - tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name) + key['keyid'] = keyid + tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name) except tuf.exceptions.KeyAlreadyExistsError: pass From 0bdc78d2ad5949f78905c6e62448a44f549978d5 Mon Sep 17 00:00:00 2001 From: marinamoore Date: Wed, 1 Apr 2020 16:01:14 -0700 Subject: [PATCH 02/12] Replace use of keyid_hash_algorithms in keydb by using the provided keyid. Check that this keyid matches the keyid listed in the key for consistent behavior. 
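Review bot: The context comment kept above the `try:` in `_import_delegations` ("We specify the keyid to ensure that it's the correct keyid for the key") no longer matches the new call, which passes `keyid` to `format_metadata_to_key()` and stores the key under it without recomputing the keyid from the key material. Because the label now comes only from the delegations metadata, nothing visible in this hunk stops one public key from being registered under more than one keyid, so the signature-threshold code (outside this diff) should be confirmed to count distinct keys rather than distinct keyids. I would replace the comment with `# The keyid comes from the signed delegations metadata and is not re-derived from the key; threshold checks must count distinct keys, not keyids.` The same applies to `create_keydb_from_root_metadata` in tuf/keydb.py and `_load_top_level_metadata` in tuf/repository_lib.py later in this series. The function body starts and ends outside the hunk.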
Signed-off-by: marinamoore --- tuf/keydb.py | 37 +++++++++++++++---------------------- 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/tuf/keydb.py b/tuf/keydb.py index 8011719f..9a01be46 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py 
@@ -113,36 +113,29 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # Iterate the keys found in 'root_metadata' by converting them to # 'RSAKEY_SCHEMA' if their type is 'rsa', and then adding them to the - # key database. - for junk, key_metadata in six.iteritems(root_metadata['keys']): + # key database using the provided keyid. + for keyid, key_metadata in six.iteritems(root_metadata['keys']): if key_metadata['keytype'] in _SUPPORTED_KEY_TYPES: # 'key_metadata' is stored in 'KEY_SCHEMA' format. Call # create_from_metadata_format() to get the key in 'RSAKEY_SCHEMA' format, - # which is the format expected by 'add_key()'. Note: The 'keyids' - # returned by format_metadata_to_key() include keyids in addition to the - # default keyid listed in 'key_dict'. The additional keyids are - # generated according to securesystemslib.settings.HASH_ALGORITHMS. + # which is the format expected by 'add_key()'. Note: This call to + # format_metadata_to_key() uses the provided keyid as the default keyid. + # All other keyids returned are ignored. - # The repo may have used hashing algorithms for the generated keyids that - # doesn't match the client's set of hash algorithms. Make sure to only - # used the repo's selected hashing algorithms. - hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS - securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms'] - key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata) - securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms + if (keyid == key_metadata['keyid']): + key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) - try: - for keyid in keyids: - # Make sure to update key_dict['keyid'] to use one of the other valid - # keyids, otherwise add_key() will have no reference to it. + # Make sure to update key_dict['keyid'] to use one of the other valid + # keyids, otherwise add_key() will have no reference to it. 
+ try: key_dict['keyid'] = keyid add_key(key_dict, keyid=None, repository_name=repository_name) - # Although keyid duplicates should *not* occur (unique dict keys), log a - # warning and continue. However, 'key_dict' may have already been - # adding to the keydb elsewhere. - except tuf.exceptions.KeyAlreadyExistsError as e: # pragma: no cover - logger.warning(e) + # Although keyid duplicates should *not* occur (unique dict keys), log a + # warning and continue. However, 'key_dict' may have already been + # adding to the keydb elsewhere. + except tuf.exceptions.KeyAlreadyExistsError as e: # pragma: no cover + logger.warning(e) continue else: From c84ffafc157d764fda1ac8041a7ca411895dcc9a Mon Sep 17 00:00:00 2001 From: marinamoore Date: Wed, 1 Apr 2020 16:13:52 -0700 Subject: [PATCH 03/12] fix Signed-off-by: marinamoore --- tuf/keydb.py | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/tuf/keydb.py b/tuf/keydb.py index 9a01be46..f46c0fb4 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py 
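Review bot: The new guard `if (keyid == key_metadata['keyid']):` reads a field the visible code never checks for, so a root key entry without an embedded `keyid` would raise KeyError out of `create_keydb_from_root_metadata`, and an entry whose embedded keyid differs is skipped with no log line. If the comparison is kept, make both cases explicit, for example `embedded = key_metadata.get('keyid')` followed by `if embedded is not None and embedded != keyid:` with a `logger.warning(...)` and `continue`, so that a root key being dropped is visible in the client log. The loop and the function continue outside the hunk.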
@@ -122,20 +122,19 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # format_metadata_to_key() uses the provided keyid as the default keyid. # All other keyids returned are ignored. - if (keyid == key_metadata['keyid']): - key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) + key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) - # Make sure to update key_dict['keyid'] to use one of the other valid - # keyids, otherwise add_key() will have no reference to it. - try: - key_dict['keyid'] = keyid - add_key(key_dict, keyid=None, repository_name=repository_name) + # Make sure to update key_dict['keyid'] to use one of the other valid + # keyids, otherwise add_key() will have no reference to it. + try: + key_dict['keyid'] = keyid + add_key(key_dict, keyid=None, repository_name=repository_name) - # Although keyid duplicates should *not* occur (unique dict keys), log a - # warning and continue. However, 'key_dict' may have already been - # adding to the keydb elsewhere. - except tuf.exceptions.KeyAlreadyExistsError as e: # pragma: no cover - logger.warning(e) + # Although keyid duplicates should *not* occur (unique dict keys), log a + # warning and continue. However, 'key_dict' may have already been + # adding to the keydb elsewhere. + except tuf.exceptions.KeyAlreadyExistsError as e: # pragma: no cover + logger.warning(e) continue else: From 3c78d675189fc13163195e183feab5d1656ac5e3 Mon Sep 17 00:00:00 2001 From: marinamoore Date: Wed, 1 Apr 2020 16:26:16 -0700 Subject: [PATCH 04/12] update tests so that keyids do not have to be verified Signed-off-by: marinamoore --- tests/test_keydb.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/test_keydb.py b/tests/test_keydb.py index b63a3eb5..06db9118 100755 --- a/tests/test_keydb.py +++ b/tests/test_keydb.py 
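Review bot: The comment left above the `try:` ("Make sure to update key_dict['keyid'] to use one of the other valid keyids, otherwise add_key() will have no reference to it") describes the removed loop over several computed keyids and now misleads, since only the keyid listed in the root metadata is used. I would reword it to `# Store the key under the keyid that the root metadata lists for it; no other keyids are computed.` The block comment further up, which says the call "uses the provided keyid as the default keyid", could also state that the keyid is not checked against the key material, so the next reader does not assume a verification step. The function starts and ends outside the hunk.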
@@ -389,10 +389,16 @@ def test_create_keydb_from_root_metadata(self): # Ensure only 'keyid2' was added to the keydb database. 'keyid' and # 'keyid3' should not be stored. + self.maxDiff = None self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2)) - self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid) + + test_key = rsakey2 + test_key['keyid'] = keyid + self.assertEqual(test_key, tuf.keydb.get_key(keyid)) self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3) + rsakey3['keytype'] = 'rsa' + rsakey2['keyid'] = keyid2 From 68bb55c6614757f98e9fea7a4a9b749169cf8196 Mon Sep 17 00:00:00 2001 From: marinamoore Date: Thu, 2 Apr 2020 14:51:29 -0700 Subject: [PATCH 05/12] Remove the use of keyid_hash_algorithms in repository_lib by using the keyid provided in the delegation. Note that this requires a change to securesystems lib. Signed-off-by: marinamoore --- tuf/repository_lib.py | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index 6c77af37..cc4da9fd 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py 
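Review bot: `test_key = rsakey2` only adds a second name for the same dict, so `test_key['keyid'] = keyid` also rewrites `rsakey2`, and the test depends on the manual reset `rsakey2['keyid'] = keyid2` at the end to undo it. If an assertion in between fails the reset never runs, and if `rsakey2` is one of the module-level `KEYS` entries (not visible in this hunk) later tests would see the altered keyid. Building a copy avoids both: `test_key = dict(rsakey2, keyid=keyid)`. The context comment "Ensure only 'keyid2' was added to the keydb database" also contradicts the new assertion that `keyid` is retrievable and should be corrected in the same change. The test method starts outside the hunk.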
@@ -683,15 +683,10 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): repository_name=repository_name) # Add the keys specified in the delegations field of the Targets role. - for key_metadata in six.itervalues(targets_metadata['delegations']['keys']): + for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']): - # The repo may have used hashing algorithms for the generated keyids - # that doesn't match the client's set of hash algorithms. Make sure - # to only used the repo's selected hashing algorithms. - hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS - securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms'] - key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata) - securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms + # Use the keyid found in the delegation + key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) # Add 'key_object' to the list of recognized keys. Keys may be shared, # so do not raise an exception if 'key_object' has already been loaded. @@ -700,10 +695,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): # repository maintainer should have also been made aware of the duplicate # key when it was added. try: - for keyid in keyids: #pragma: no branch - key_object['keyid'] = keyid - tuf.keydb.add_key(key_object, keyid=None, - repository_name=repository_name) + key_object['keyid'] = keyid + tuf.keydb.add_key(key_object, keyid=None, repository_name=repository_name) except tuf.exceptions.KeyAlreadyExistsError: pass From ed2c597f490ce28f45584040ae8b96198973a1d7 Mon Sep 17 00:00:00 2001 From: marinamoore Date: Fri, 17 Jul 2020 10:53:41 -0700 Subject: [PATCH 06/12] improve comments in keydb tests and add future test for duplicate key Signed-off-by: marinamoore --- tests/test_keydb.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) 
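Review bot: The two-argument call `format_metadata_to_key(key_metadata, keyid)` depends on a securesystemslib release that accepts the extra keyid argument, as the commit message itself notes, but nothing in this series raises the minimum securesystemslib version. With an older library installed I would expect the call to fail with a TypeError at load time rather than fall back, so the requirement should be pinned in the project's dependency files in the same change (`securesystemslib>=<first release with the new signature>`). The same call is introduced in tuf/client/updater.py and tuf/keydb.py. The returned `keyids` is also left unused in this hunk.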
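Review bot: `except tuf.exceptions.KeyAlreadyExistsError: pass` in the second hunk was safe while a keyid was derived from the key, but with the keyid now taken from the delegations metadata an existing entry under the same keyid may hold different key material, and this branch would keep the first one without any trace. I would compare before ignoring, e.g. `if tuf.keydb.get_key(keyid, repository_name)['keyval'] != key_object['keyval']:` followed by a warning log (or an error, if the maintainers prefer to fail closed). The comment above it ("Keys may be shared, so do not raise an exception if 'key_object' has already been loaded") should say that only an identical key is expected here. The same silent `pass` is in `_import_delegations` in tuf/client/updater.py.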
diff --git a/tests/test_keydb.py b/tests/test_keydb.py index 06db9118..d4064578 100755 --- a/tests/test_keydb.py +++ b/tests/test_keydb.py @@ -43,7 +43,7 @@ # Generate the three keys to use in our test cases. KEYS = [] -for junk in range(3): +for junk in range(4): rsa_key = securesystemslib.keys.generate_rsa_key(2048) rsa_key['keyid_hash_algorithms'] = securesystemslib.settings.HASH_ALGORITHMS KEYS.append(rsa_key) @@ -365,6 +365,7 @@ def test_create_keydb_from_root_metadata(self): tuf.keydb.clear_keydb() # 'keyid' does not match 'rsakey2'. + # In this case, the key will be added to the keydb keydict[keyid] = rsakey2 # Key with invalid keytype. @@ -372,6 +373,12 @@ def test_create_keydb_from_root_metadata(self): keyid3 = KEYS[2]['keyid'] rsakey3['keytype'] = 'bad_keytype' keydict[keyid3] = rsakey3 + + # New key with a duplicate keyid + #rsakey4 = KEYS[1] + #keyid4 = KEYS[3]['keyid'] + #keydict[keyid4] = rsakey4 + version = 8 expires = '1985-10-21T01:21:00Z' @@ -387,16 +394,19 @@ def test_create_keydb_from_root_metadata(self): self.assertEqual(None, tuf.keydb.create_keydb_from_root_metadata(root_metadata)) - # Ensure only 'keyid2' was added to the keydb database. 'keyid' and - # 'keyid3' should not be stored. + # Ensure only 'keyid2' and 'keyid' were added to the keydb database. + # 'keyid3' and 'keyid4' should not be stored. self.maxDiff = None self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2)) test_key = rsakey2 test_key['keyid'] = keyid self.assertEqual(test_key, tuf.keydb.get_key(keyid)) - self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3) + self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3) + #self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid4) + + # reset values rsakey3['keytype'] = 'rsa' rsakey2['keyid'] = keyid2 From 86f4436dbffb3da4fa664d3bdeff8583452c1d4c Mon Sep 17 00:00:00 2001 
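Review bot: The "New key with a duplicate keyid" case is added only as commented-out lines (`#rsakey4 = KEYS[1]` and the matching `#self.assertRaises(...)` for `keyid4`), so the one scenario this series changes, the same key material listed under a second keyid, has no executing test. The commented expectation is UnknownKeyError for `keyid4`, whereas the new `create_keydb_from_root_metadata` appears to store whatever keyid the metadata lists; decide which behaviour is intended and make the test live, e.g. `self.assertEqual(KEYS[1]['keyval'], tuf.keydb.get_key(keyid4)['keyval'])` if storing is intended. The comment "'keyid3' and 'keyid4' should not be stored" then needs the matching correction, and "Generate the three keys" no longer matches `range(4)`. The test method starts and ends outside these hunks.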
From: marinamoore Date: Fri, 17 Jul 2020 11:28:47 -0700 Subject: [PATCH 07/12] update test to not use keyid_hash_algorithms Signed-off-by: marinamoore --- tests/test_updater.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/test_updater.py b/tests/test_updater.py index 2947b4d1..a62951fd 100644 --- a/tests/test_updater.py +++ b/tests/test_updater.py @@ -354,7 +354,7 @@ def test_1__rebuild_key_and_role_db(self): # 'targets.json' are also loaded when the repository object is # instantiated. - self.assertEqual(number_of_root_keys * 2 + 2, len(tuf.keydb._keydb_dict[self.repository_name])) + self.assertEqual(number_of_root_keys + 1, len(tuf.keydb._keydb_dict[self.repository_name])) # Test: normal case. self.repository_updater._rebuild_key_and_role_db() @@ -365,7 +365,7 @@ def test_1__rebuild_key_and_role_db(self): # _rebuild_key_and_role_db() will only rebuild the keys and roles specified # in the 'root.json' file, unlike __init__(). Instantiating an updater # object calls both _rebuild_key_and_role_db() and _import_delegations(). - self.assertEqual(number_of_root_keys * 2, len(tuf.keydb._keydb_dict[self.repository_name])) + self.assertEqual(number_of_root_keys, len(tuf.keydb._keydb_dict[self.repository_name])) # Test: properly updated roledb and keydb dicts if the Root role changes. root_metadata = self.repository_updater.metadata['current']['root'] @@ -376,7 +376,7 @@ def test_1__rebuild_key_and_role_db(self): root_roleinfo = tuf.roledb.get_roleinfo('root', self.repository_name) self.assertEqual(root_roleinfo['threshold'], 8) - self.assertEqual(number_of_root_keys * 2 - 2, len(tuf.keydb._keydb_dict[self.repository_name])) + self.assertEqual(number_of_root_keys - 1, len(tuf.keydb._keydb_dict[self.repository_name])) 
@@ -560,7 +560,7 @@ def test_2__import_delegations(self): # Take into account the number of keyids algorithms supported by default, # which this test condition expects to be two (sha256 and sha512). - self.assertEqual(4 * 2, len(tuf.keydb._keydb_dict[repository_name])) + self.assertEqual(4, len(tuf.keydb._keydb_dict[repository_name])) # Test: pass a role without delegations. self.repository_updater._import_delegations('root') @@ -569,8 +569,8 @@ def test_2__import_delegations(self): # checking the number of elements in the dictionaries. self.assertEqual(len(tuf.roledb._roledb_dict[repository_name]), 4) # Take into account the number of keyid hash algorithms, which this - # test condition expects to be two (for sha256 and sha512). - self.assertEqual(len(tuf.keydb._keydb_dict[repository_name]), 4 * 2) + # test condition expects to be one + self.assertEqual(len(tuf.keydb._keydb_dict[repository_name]), 4) # Test: normal case, first level delegation. self.repository_updater._import_delegations('targets') @@ -578,7 +578,7 @@ def test_2__import_delegations(self): self.assertEqual(len(tuf.roledb._roledb_dict[repository_name]), 5) # The number of root keys (times the number of key hash algorithms) + # delegation's key (+1 for its sha512 keyid). - self.assertEqual(len(tuf.keydb._keydb_dict[repository_name]), 4 * 2 + 2) + self.assertEqual(len(tuf.keydb._keydb_dict[repository_name]), 4 + 1) # Verify that roledb dictionary was added. self.assertTrue('role1' in tuf.roledb._roledb_dict[repository_name]) From 47120e45bff8876fe9ee7322ececbab79548426c Mon Sep 17 00:00:00 2001 From: marinamoore Date: Tue, 21 Jul 2020 10:12:49 -0700 Subject: [PATCH 08/12] remove unused variable Signed-off-by: marinamoore --- tuf/client/updater.py | 2 +- tuf/keydb.py | 2 +- tuf/repository_lib.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index b005e6a1..20e95f64 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py 
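Review bot: The comment kept above `self.assertEqual(4, len(tuf.keydb._keydb_dict[repository_name]))` still says the count accounts for two keyid hash algorithms (sha256 and sha512), which no longer explains the expected value of 4. I would replace it with `# One keydb entry per key: keyids are taken from the metadata, not computed per hash algorithm.` The third hunk has the same problem in "The number of root keys (times the number of key hash algorithms) + delegation's key (+1 for its sha512 keyid)", and the second hunk's reworded comment ("expects to be one") still frames the count in terms of hash algorithms and could take the same replacement. The test method starts outside the hunk.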
@@ -951,7 +951,7 @@ def _import_delegations(self, parent_role): # We specify the keyid to ensure that it's the correct keyid # for the key. try: - key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid) + key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid) key['keyid'] = keyid tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name) diff --git a/tuf/keydb.py b/tuf/keydb.py index f46c0fb4..b3fb3eb4 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py @@ -122,7 +122,7 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # format_metadata_to_key() uses the provided keyid as the default keyid. # All other keyids returned are ignored. - key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) + key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) # Make sure to update key_dict['keyid'] to use one of the other valid # keyids, otherwise add_key() will have no reference to it. diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index cc4da9fd..0a7aa3a6 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -686,7 +686,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']): # Use the keyid found in the delegation - key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) + key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) # Add 'key_object' to the list of recognized keys. Keys may be shared, # so do not raise an exception if 'key_object' has already been loaded. From 902beb593ff6cfeea0046e3ee4762b2a0595d651 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Thu, 23 Jul 2020 09:44:08 -0700 Subject: [PATCH 09/12] Apply suggestions from code review Co-authored-by: Joshua Lock 
Signed-off-by: marinamoore --- tuf/client/updater.py | 2 +- tuf/keydb.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 20e95f64..a3045b78 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -954,7 +954,7 @@ def _import_delegations(self, parent_role): key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid) key['keyid'] = keyid - tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name) + tuf.keydb.add_key(key, repository_name=self.repository_name) except tuf.exceptions.KeyAlreadyExistsError: pass diff --git a/tuf/keydb.py b/tuf/keydb.py index b3fb3eb4..26b403e0 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py @@ -128,7 +128,7 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # keyids, otherwise add_key() will have no reference to it. try: key_dict['keyid'] = keyid - add_key(key_dict, keyid=None, repository_name=repository_name) + add_key(key_dict, repository_name=repository_name) # Although keyid duplicates should *not* occur (unique dict keys), log a # warning and continue. However, 'key_dict' may have already been From e283fa1dd3f76449e9d5396e8f3c2a744176793b Mon Sep 17 00:00:00 2001 From: marinamoore Date: Thu, 23 Jul 2020 09:51:32 -0700 Subject: [PATCH 10/12] remove redundant setting of keyid after calls to format_metadata_to_key Signed-off-by: marinamoore --- tuf/client/updater.py | 1 - tuf/keydb.py | 1 - tuf/repository_lib.py | 1 - 3 files changed, 3 deletions(-) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index a3045b78..db8949f7 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -953,7 +953,6 @@ def _import_delegations(self, parent_role): try: key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid) - key['keyid'] = keyid tuf.keydb.add_key(key, repository_name=self.repository_name) except tuf.exceptions.KeyAlreadyExistsError: 
diff --git a/tuf/keydb.py b/tuf/keydb.py index 26b403e0..663d9559 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py @@ -127,7 +127,6 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # Make sure to update key_dict['keyid'] to use one of the other valid # keyids, otherwise add_key() will have no reference to it. try: - key_dict['keyid'] = keyid add_key(key_dict, repository_name=repository_name) # Although keyid duplicates should *not* occur (unique dict keys), log a diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index 0a7aa3a6..93f8197f 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -695,7 +695,6 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): # repository maintainer should have also been made aware of the duplicate # key when it was added. try: - key_object['keyid'] = keyid tuf.keydb.add_key(key_object, keyid=None, repository_name=repository_name) except tuf.exceptions.KeyAlreadyExistsError: From 376590d4e82ecf93e40157a7178ed27e5bb254fe Mon Sep 17 00:00:00 2001 From: marinamoore Date: Thu, 23 Jul 2020 09:52:41 -0700 Subject: [PATCH 11/12] remove unused test Signed-off-by: marinamoore --- tests/test_keydb.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/test_keydb.py b/tests/test_keydb.py index d4064578..8329a64f 100755 --- a/tests/test_keydb.py +++ b/tests/test_keydb.py @@ -374,11 +374,6 @@ def test_create_keydb_from_root_metadata(self): rsakey3['keytype'] = 'bad_keytype' keydict[keyid3] = rsakey3 - # New key with a duplicate keyid - #rsakey4 = KEYS[1] - #keyid4 = KEYS[3]['keyid'] - #keydict[keyid4] = rsakey4 - version = 8 expires = '1985-10-21T01:21:00Z' 
@@ -404,7 +399,6 @@ def test_create_keydb_from_root_metadata(self): self.assertEqual(test_key, tuf.keydb.get_key(keyid)) self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3) - #self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid4) # reset values rsakey3['keytype'] = 'rsa' From f96cf50882ac4ea206e882a3952737937dabaf8b Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Tue, 28 Jul 2020 06:52:59 -0700 Subject: [PATCH 12/12] Apply suggestions from code review Co-authored-by: Joshua Lock Signed-off-by: marinamoore --- tests/test_keydb.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_keydb.py b/tests/test_keydb.py index 8329a64f..d9ef148d 100755 --- a/tests/test_keydb.py +++ b/tests/test_keydb.py @@ -43,7 +43,7 @@ # Generate the three keys to use in our test cases. KEYS = [] -for junk in range(4): +for junk in range(3): rsa_key = securesystemslib.keys.generate_rsa_key(2048) rsa_key['keyid_hash_algorithms'] = securesystemslib.settings.HASH_ALGORITHMS KEYS.append(rsa_key) @@ -390,7 +390,7 @@ def test_create_keydb_from_root_metadata(self): self.assertEqual(None, tuf.keydb.create_keydb_from_root_metadata(root_metadata)) # Ensure only 'keyid2' and 'keyid' were added to the keydb database. - # 'keyid3' and 'keyid4' should not be stored. + # 'keyid3' should not be stored. self.maxDiff = None self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2))