Merge pull request #1734 from MVrachev/securesystemslib-exceptions

Metadata API: Avoid raising securesystemslib exceptions
2026-05-24 10:08:28 +00:00 · 2022-01-27 16:58:10 +01:00 · 2022-01-27 16:58:10 +01:00 · cb7bd6aff9
commit cb7bd6aff9
parent 4de561728e 9533c3f974
3 changed files with 38 additions and 9 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -13,8 +13,9 @@
 import sys
 import tempfile
 import unittest
+from copy import copy
 from datetime import datetime, timedelta
-from typing import ClassVar, Dict
+from typing import Any, ClassVar, Dict

 from securesystemslib import hash as sslib_hash
 from securesystemslib.interface import (
@ -51,7 +52,7 @@ class TestMetadata(unittest.TestCase):
    temporary_directory: ClassVar[str]
    repo_dir: ClassVar[str]
    keystore_dir: ClassVar[str]
-    keystore: ClassVar[Dict[str, str]]
+    keystore: ClassVar[Dict[str, Dict[str, Any]]]

    @classmethod
    def setUpClass(cls) -> None:
@ -126,6 +127,16 @@ def test_generic_read(self) -> None:

        os.remove(bad_metadata_path)

+    def test_md_read_write_file_exceptions(self) -> None:
+        # Test writing to a file with bad filename
+        with self.assertRaises(exceptions.StorageError):
+            Metadata.from_file("bad-metadata.json")
+
+        # Test serializing to a file with bad filename
+        with self.assertRaises(exceptions.StorageError):
+            md = Metadata.from_file(f"{self.repo_dir}/metadata/root.json")
+            md.to_file("")
+
    def test_compact_json(self) -> None:
        path = os.path.join(self.repo_dir, "metadata", "targets.json")
        md_obj = Metadata.from_file(path)
@ -212,6 +223,17 @@ def test_sign_verify(self) -> None:
        with self.assertRaises(exceptions.UnsignedMetadataError):
            targets_key.verify_signature(md_obj)

+    def test_sign_failures(self) -> None:
+        # Test throwing UnsignedMetadataError because of signing problems
+        # related to bad information in the signer.
+        md = Metadata.from_file(f"{self.repo_dir}/metadata/snapshot.json")
+        key_dict = copy(self.keystore[Snapshot.type])
+        key_dict["keytype"] = "rsa"
+        key_dict["scheme"] = "bad_scheme"
+        sslib_signer = SSlibSigner(key_dict)
+        with self.assertRaises(exceptions.UnsignedMetadataError):
+            md.sign(sslib_signer)
+
    def test_verify_failures(self) -> None:
        root_path = os.path.join(self.repo_dir, "metadata", "root.json")
        root = Metadata[Root].from_file(root_path).signed
--- a/tuf/api/exceptions.py
+++ b/tuf/api/exceptions.py
@ -10,6 +10,9 @@

 #### Repository errors ####

+# pylint: disable=unused-import
+from securesystemslib.exceptions import StorageError
+

 class RepositoryError(Exception):
    """An error with a repository's state, such as a missing file.
--- a/tuf/api/metadata.py
+++ b/tuf/api/metadata.py
@ -183,7 +183,7 @@ def from_file(
                a (local) FilesystemBackend is used.

        Raises:
-            securesystemslib.exceptions.StorageError: The file cannot be read.
+            exceptions.StorageError: The file cannot be read.
            tuf.api.serialization.DeserializationError:
                The file cannot be deserialized.

@ -275,8 +275,7 @@ def to_file(
        Raises:
            tuf.api.serialization.SerializationError:
                The metadata object cannot be serialized.
-            securesystemslib.exceptions.StorageError:
-                The file cannot be written.
+            exceptions.StorageError: The file cannot be written.
        """

        bytes_data = self.to_bytes(serializer)
@ -305,9 +304,7 @@ def sign(
        Raises:
            tuf.api.serialization.SerializationError:
                'signed' cannot be serialized.
-            securesystemslib.exceptions.CryptoError, \
-                    securesystemslib.exceptions.UnsupportedAlgorithmError:
-                Signing errors.
+            exceptions.UnsignedMetadataError: Signing errors.

        Returns:
            Securesystemslib Signature object that was added into signatures.
@ -320,7 +317,14 @@ def sign(

            signed_serializer = CanonicalJSONSerializer()

-        signature = signer.sign(signed_serializer.serialize(self.signed))
+        bytes_data = signed_serializer.serialize(self.signed)
+
+        try:
+            signature = signer.sign(bytes_data)
+        except Exception as e:
+            raise exceptions.UnsignedMetadataError(
+                "Problem signing the metadata"
+            ) from e

        if not append:
            self.signatures.clear()