imports: Fix securesystemslib.keys imports

Make them compatible with vendoring, use
  from securesystemslib import keys as sslib_keys
to have the same style as other securesystemslib imports.

Note that developer_tool already used a
   from securesystemslib.keys import ...
for some functions so that style was used consistently there.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Jussi Kukkonen 2021-01-12 11:04:59 +02:00
parent 79385cc10f
commit f702fdfd0c
7 changed files with 24 additions and 20 deletions


@ -133,6 +133,7 @@
from securesystemslib import exceptions as sslib_exceptions
from securesystemslib import formats as sslib_formats
from securesystemslib import keys as sslib_keys
import tuf
from tuf import download
@ -147,7 +148,6 @@
import tuf.keydb
import securesystemslib.hash
import securesystemslib.keys
import securesystemslib.util
import six
@ -967,7 +967,7 @@ def _import_delegations(self, parent_role):
# We specify the keyid to ensure that it's the correct keyid
# for the key.
try:
key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
key, _ = sslib_keys.format_metadata_to_key(keyinfo, keyid)
tuf.keydb.add_key(key, repository_name=self.repository_name)
@ -1376,7 +1376,7 @@ def _verify_root_self_signed(self, signable):
# The ANYKEY_SCHEMA check in verify_signature expects the keydict to
# include a keyid
key['keyid'] = keyid
valid_sig = securesystemslib.keys.verify_signature(key, signature, signed)
valid_sig = sslib_keys.verify_signature(key, signature, signed)
if valid_sig:
verified_sig_keyids.add(keyid)
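Review bot: In `_verify_root_self_signed`, `valid_sig = sslib_keys.verify_signature(key, signature, signed)` has no visible handler for `sslib_exceptions.UnsupportedAlgorithmError`, while the same call in `get_signature_status` (last file section of this commit) catches it and records the keyid as an unknown scheme. The function body starts and ends outside this hunk, so an enclosing `try` may exist; if it does not, one signature with an unsupported scheme would abort root verification instead of simply not counting toward the threshold. Consider `except sslib_exceptions.UnsupportedAlgorithmError: continue` around the call, or a comment stating that aborting is intended.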


@ -53,7 +53,6 @@
import securesystemslib
import securesystemslib.util
import securesystemslib.keys
import six
@ -76,7 +75,8 @@
import_rsa_privatekey_from_file)
from securesystemslib.keys import (
format_keyval_to_metadata)
format_keyval_to_metadata,
format_metadata_to_key)
from securesystemslib.interface import (
generate_and_write_rsa_keypair,
@ -859,7 +859,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
keydict = project_configuration['public_keys']
for keyid in keydict:
key, junk = securesystemslib.keys.format_metadata_to_key(keydict[keyid])
key, junk = format_metadata_to_key(keydict[keyid])
project.add_verification_key(key)
# Load the project's metadata.
@ -898,7 +898,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
repository_name=repository_name)
for key_metadata in targets_metadata['delegations']['keys'].values():
key_object, junk = securesystemslib.keys.format_metadata_to_key(key_metadata)
key_object, junk = format_metadata_to_key(key_metadata)
tuf.keydb.add_key(key_object, repository_name=repository_name)
for role in targets_metadata['delegations']['roles']:
@ -976,7 +976,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
# Add the keys specified in the delegations field of the Targets role.
for key_metadata in metadata_object['delegations']['keys'].values():
key_object, junk = securesystemslib.keys.format_metadata_to_key(key_metadata)
key_object, junk = format_metadata_to_key(key_metadata)
try:
tuf.keydb.add_key(key_object, repository_name=repository_name)
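Review bot: In `load_project`, the loop `for keyid in keydict:` calls `format_metadata_to_key(keydict[keyid])` without the keyid, so the ID stored under `project_configuration['public_keys']` appears to be discarded in favour of whatever ID the library derives. Other call sites in this commit pass it explicitly, e.g. `sslib_keys.format_metadata_to_key(keyinfo, keyid)` in `_import_delegations`. If the difference is deliberate, a comment such as `# keyid is recomputed from the key material; the configured id is not used` would document it. Otherwise the derived ID should be compared with `keyid` and a mismatch rejected. The function body continues outside the hunk.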


@ -47,6 +47,7 @@
import securesystemslib
from securesystemslib import exceptions as sslib_exceptions
from securesystemslib import formats as sslib_formats
from securesystemslib import keys as sslib_keys
from tuf import exceptions
from tuf import formats
@ -126,7 +127,7 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
# format_metadata_to_key() uses the provided keyid as the default keyid.
# All other keyids returned are ignored.
key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
key_dict, _ = sslib_keys.format_metadata_to_key(key_metadata,
keyid)
# Make sure to update key_dict['keyid'] to use one of the other valid


@ -41,6 +41,7 @@
from securesystemslib import exceptions as sslib_exceptions
from securesystemslib import formats as sslib_formats
from securesystemslib import keys as sslib_keys
import tuf
from tuf import exceptions
@ -349,7 +350,7 @@ def _remove_invalid_and_duplicate_signatures(signable, repository_name):
continue
# Remove 'signature' from 'signable' if it is an invalid signature.
if not securesystemslib.keys.verify_signature(key, signature, signed):
if not sslib_keys.verify_signature(key, signature, signed):
logger.debug('Removing invalid signature for ' + repr(keyid))
signable['signatures'].remove(signature)
@ -666,7 +667,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']):
# Use the keyid found in the delegation
key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
key_object, _ = sslib_keys.format_metadata_to_key(key_metadata,
keyid)
# Add 'key_object' to the list of recognized keys. Keys may be shared,
@ -1863,7 +1864,7 @@ def sign_metadata(metadata_object, keyids, filename, repository_name):
if 'private' in key['keyval']:
signed = sslib_formats.encode_canonical(signable['signed']).encode('utf-8')
try:
signature = securesystemslib.keys.create_signature(key, signed)
signature = sslib_keys.create_signature(key, signed)
signable['signatures'].append(signature)
except Exception:
@ -2298,7 +2299,7 @@ def keys_to_keydict(keys):
for key in keys:
keyid = key['keyid']
key_metadata_format = securesystemslib.keys.format_keyval_to_metadata(
key_metadata_format = sslib_keys.format_keyval_to_metadata(
key['keytype'], key['scheme'], key['keyval'])
new_keydict = {keyid: key_metadata_format}
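Review bot: In `sign_metadata`, the `except Exception:` after `sslib_keys.create_signature(key, signed)` catches every error class, including programming errors unrelated to signing. The handler body is outside this hunk; if it only logs, metadata can be written with fewer signatures than `keyids` requested, and the shortfall only surfaces later as a threshold failure on clients. Narrowing it to the errors signing is expected to raise, e.g. `except (sslib_exceptions.FormatError, sslib_exceptions.CryptoError, sslib_exceptions.UnsupportedAlgorithmError, TypeError):`, keeps unexpected failures visible.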


@ -52,7 +52,6 @@
from tuf import roledb
import tuf.repository_lib as repo_lib
import securesystemslib.keys
import securesystemslib.util
import six
@ -89,6 +88,7 @@
import_ecdsa_privatekey_from_file)
from securesystemslib.keys import (
format_metadata_to_key,
generate_rsa_key,
generate_ecdsa_key,
generate_ed25519_key,
@ -3167,7 +3167,7 @@ def load_repository(repository_directory, repository_name='default',
# The repo may have used hashing algorithms for the generated keyids
# that doesn't match the client's set of hash algorithms. Make sure
# to only used the repo's selected hashing algorithms.
key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata,
key_object, keyids = format_metadata_to_key(key_metadata,
keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
try:
for keyid in keyids: # pragma: no branch
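Review bot: In `load_repository`, `key_metadata['keyid_hash_algorithms']` is indexed directly inside the `format_metadata_to_key(...)` call, which sits before the `try:` on the following line. Key entries that lack the field would therefore raise an unhandled `KeyError`, unless a schema check outside this hunk guarantees its presence. `keyid_hash_algorithms=key_metadata.get('keyid_hash_algorithms')` should let the library fall back to its default algorithms when the field is absent. If the field is required, a comment naming the check that enforces it would help.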


@ -150,6 +150,7 @@
import securesystemslib
from securesystemslib import exceptions as sslib_exceptions
from securesystemslib import formats as sslib_formats
from securesystemslib import keys as sslib_keys
from securesystemslib import interface
import tuf
@ -457,13 +458,13 @@ def import_privatekey_from_file(keypath, password=None):
# the derived encryption key from 'password'. Raise
# 'securesystemslib.exceptions.CryptoError' if the decryption fails.
try:
key_object = securesystemslib.keys.decrypt_key(encrypted_key, password)
key_object = sslib_keys.decrypt_key(encrypted_key, password)
except sslib_exceptions.CryptoError:
try:
logger.debug(
'Decryption failed. Attempting to import a private PEM instead.')
key_object = securesystemslib.keys.import_rsakey_from_private_pem(
key_object = sslib_keys.import_rsakey_from_private_pem(
encrypted_key, 'rsassa-pss-sha256', password)
except sslib_exceptions.CryptoError as error:
@ -497,7 +498,7 @@ def import_publickey_from_file(keypath):
key_metadata = securesystemslib.interface.import_rsa_publickey_from_file(
keypath)
key_object, junk = securesystemslib.keys.format_metadata_to_key(key_metadata)
key_object, junk = sslib_keys.format_metadata_to_key(key_metadata)
if key_object['keytype'] not in SUPPORTED_KEY_TYPES:
raise exceptions.Error('Trying to import an unsupported key'
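Review bot: `import_publickey_from_file` still calls `securesystemslib.interface.import_rsa_publickey_from_file(keypath)` through the fully qualified package path, although this file already has `from securesystemslib import interface` and the commit's stated goal is vendoring-compatible imports. `interface.import_rsa_publickey_from_file(keypath)` would match the `sslib_keys` style used on the next line. The function body starts and ends outside the hunk.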


@ -53,6 +53,7 @@
import securesystemslib
from securesystemslib import exceptions as sslib_exceptions
from securesystemslib import formats as sslib_formats
from securesystemslib import keys as sslib_keys
import tuf
from tuf import exceptions
@ -168,7 +169,7 @@ def get_signature_status(signable, role=None, repository_name='default',
# Does the signature use an unknown/unsupported signing scheme?
try:
valid_sig = securesystemslib.keys.verify_signature(key, signature, signed)
valid_sig = sslib_keys.verify_signature(key, signature, signed)
except sslib_exceptions.UnsupportedAlgorithmError:
unknown_signing_schemes.append(keyid)
@ -398,6 +399,6 @@ def generate_rsa_signature(signed, rsakey_dict):
# Generate the RSA signature.
# Raises securesystemslib.exceptions.FormatError and TypeError.
signature = securesystemslib.keys.create_signature(rsakey_dict, signed)
signature = sslib_keys.create_signature(rsakey_dict, signed)
return signature