Remove client check of the keyid calculation. This check is redundant as the keyid is provided in signed metadata. Removing this check allows the client to avoid use of the keyid_hash_algorithm field during verification. Note that this change requires a small change to the securesystemslib api.

Signed-off-by: marinamoore <mmoore32@calpoly.edu>
This commit is contained in:
marinamoore 2020-03-27 13:24:56 -07:00
parent e095112be7
commit 9fa92e2286

View file

@ -951,18 +951,10 @@ def _import_delegations(self, parent_role):
# We specify the keyid to ensure that it's the correct keyid
# for the key.
try:
key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
# The repo may have used hashing algorithms for the generated keyids
# that doesn't match the client's set of hash algorithms. Make sure
# to only used the repo's selected hashing algorithms.
hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
for key_id in keyids:
key['keyid'] = key_id
tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
key['keyid'] = keyid
tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
except tuf.exceptions.KeyAlreadyExistsError:
pass