From 903ff0a2806ddcc1973dd111bb98db79842fdf47 Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Thu, 12 Apr 2018 11:43:03 -0400 Subject: [PATCH] Add comment to affected modules... explaining why locally generated keyids use the hashing algorithms specified in metadata's 'keyid_hash_algorithms' field. Signed-off-by: Vladimir Diaz --- tuf/client/updater.py | 3 +++ tuf/keydb.py | 3 +++ tuf/repository_lib.py | 4 ++++ tuf/repository_tool.py | 4 ++++ 4 files changed, 14 insertions(+) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 24a4e498..97681a3f 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -954,6 +954,9 @@ def _import_delegations(self, parent_role): # for the key. try: + # The repo may have used hashing algorithms for the generated keyids + # that doesn't match the client's set of hash algorithms. Make sure + # to only used the repo's selected hashing algorithms. hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms'] key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo) diff --git a/tuf/keydb.py b/tuf/keydb.py index 33ca5e59..c885076e 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py @@ -123,6 +123,9 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # default keyid listed in 'key_dict'. The additional keyids are # generated according to securesystemslib.settings.HASH_ALGORITHMS. + # The repo may have used hashing algorithms for the generated keyids that + # doesn't match the client's set of hash algorithms. Make sure to only + # used the repo's selected hashing algorithms. hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms'] key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata) diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index 30094234..efbe4409 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -685,6 +685,10 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): # Add the keys specified in the delegations field of the Targets role. for key_metadata in six.itervalues(targets_metadata['delegations']['keys']): + + # The repo may have used hashing algorithms for the generated keyids + # that doesn't match the client's set of hash algorithms. Make sure + # to only used the repo's selected hashing algorithms. hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms'] key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata) diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py index 33b9f94b..8d6fcd1b 100755 --- a/tuf/repository_tool.py +++ b/tuf/repository_tool.py @@ -3024,6 +3024,10 @@ def load_repository(repository_directory, repository_name='default'): # The repository maintainer should have also been made aware of the # duplicate key when it was added. for key_metadata in six.itervalues(metadata_object['delegations']['keys']): + + # The repo may have used hashing algorithms for the generated keyids + # that doesn't match the client's set of hash algorithms. Make sure + # to only used the repo's selected hashing algorithms. hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms'] key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)