From 9fa92e22865b2ba4e164493564042cf3ca778bee Mon Sep 17 00:00:00 2001
From: marinamoore
Date: Fri, 27 Mar 2020 13:24:56 -0700
Subject: [PATCH] Remove client check of the keyid calculation. This check is redundant as the keyid is provided in signed metadata. Removing this check allows the client to avoid use of the keyid_hash_algorithm field during verification. Note that this change requires a small change to the securesystemslib api.
Signed-off-by: marinamoore
---
 tuf/client/updater.py | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index 36b14f1c..b005e6a1 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -951,18 +951,10 @@ def _import_delegations(self, parent_role):
 # We specify the keyid to ensure that it's the correct keyid
 # for the key.
 try:
+ key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
- # The repo may have used hashing algorithms for the generated keyids
- # that doesn't match the client's set of hash algorithms. Make sure
- # to only used the repo's selected hashing algorithms.
- hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
- securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
- key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
- securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
-
- for key_id in keyids:
- key['keyid'] = key_id
- tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
+ key['keyid'] = keyid
+ tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
 except tuf.exceptions.KeyAlreadyExistsError:
 pass
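Review bot: The context comment above `try:` ("We specify the keyid to ensure that it's the correct keyid for the key") no longer matches the new code, because the keyid from the delegating role's metadata is passed to `format_metadata_to_key(keyinfo, keyid)` and assigned with `key['keyid'] = keyid`, and nothing visible here recomputes it from the key material. I would replace it with `# The keyid comes from the signed delegating metadata; the client does not recompute it from the key.` Since the keyid is then only a label chosen by the delegator, the unchanged `except tuf.exceptions.KeyAlreadyExistsError: pass` would also silently keep the earlier entry when a delegation reuses a known keyid for different key material (assuming the key database is shared across roles, which the hunk does not show), so logging that case or comparing the stored key there would make it visible. `keyids` is now unused and could be bound as `key, _ = ...`. `_import_delegations` starts before and continues after the hunk.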