From f702fdfd0cc240f2f304cab6c7b46db6e0fc0662 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Tue, 12 Jan 2021 11:04:59 +0200
Subject: [PATCH] imports: Fix securesystemslib.keys imports

Make them compatible with vendoring, use from securesystemslib import keys as sslib_keys to have the same style as other securesystemslib imports. Note that developer_tool already used a from securesystemslib.keys import ... for some functions so that style was used consistently there.

Signed-off-by: Jussi Kukkonen
---
 tuf/client/updater.py | 6 +++---
 tuf/developer_tool.py | 10 +++++-----
 tuf/keydb.py | 3 ++-
 tuf/repository_lib.py | 9 +++++----
 tuf/repository_tool.py | 4 ++--
 tuf/scripts/repo.py | 7 ++++---
 tuf/sig.py | 5 +++--
 7 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index fdbd2d8b..79eade8d 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -133,6 +133,7 @@
 from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import formats as sslib_formats
+from securesystemslib import keys as sslib_keys
 import tuf
 from tuf import download
@@ -147,7 +148,6 @@
 import tuf.keydb
 import securesystemslib.hash
-import securesystemslib.keys
 import securesystemslib.util
 import six
@@ -967,7 +967,7 @@ def _import_delegations(self, parent_role):
 # We specify the keyid to ensure that it's the correct keyid
 # for the key.
 try:
- key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
+ key, _ = sslib_keys.format_metadata_to_key(keyinfo, keyid)
 tuf.keydb.add_key(key, repository_name=self.repository_name)
@@ -1376,7 +1376,7 @@ def _verify_root_self_signed(self, signable):
 # The ANYKEY_SCHEMA check in verify_signature expects the keydict to
 # include a keyid
 key['keyid'] = keyid
- valid_sig = securesystemslib.keys.verify_signature(key, signature, signed)
+ valid_sig = sslib_keys.verify_signature(key, signature, signed)
 if valid_sig:
 verified_sig_keyids.add(keyid)
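Review bot: The second updater.py hunk (`@@ -147,7 +148,6 @@`) removes `import securesystemslib.keys` but keeps `import securesystemslib.hash` and `import securesystemslib.util` as context, so this module still reaches part of the library through the dotted top-level name. The same leftover is visible in tuf/developer_tool.py and tuf/repository_tool.py (`import securesystemslib.util`) and in tuf/scripts/repo.py, where `securesystemslib.interface.import_rsa_publickey_from_file(` sits directly above the converted call even though that file already has `from securesystemslib import interface`. If vendoring compatibility is the goal, a vendored and an installed copy of the library could presumably both end up in use for hashing and key handling until these are converted as well; unless a sibling commit covers them, consider `from securesystemslib import hash as sslib_hash`, `from securesystemslib import util as sslib_util`, and `interface.import_rsa_publickey_from_file(keypath)` in repo.py.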
diff --git a/tuf/developer_tool.py b/tuf/developer_tool.py
index b527ff8f..77dba0b5 100755
--- a/tuf/developer_tool.py
+++ b/tuf/developer_tool.py
@@ -53,7 +53,6 @@
 import securesystemslib
 import securesystemslib.util
-import securesystemslib.keys
 import six
@@ -76,7 +75,8 @@
 import_rsa_privatekey_from_file)
 from securesystemslib.keys import (
- format_keyval_to_metadata)
+ format_keyval_to_metadata,
+ format_metadata_to_key)
 from securesystemslib.interface import (
 generate_and_write_rsa_keypair,
@@ -859,7 +859,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
 keydict = project_configuration['public_keys']
 for keyid in keydict:
- key, junk = securesystemslib.keys.format_metadata_to_key(keydict[keyid])
+ key, junk = format_metadata_to_key(keydict[keyid])
 project.add_verification_key(key)
 # Load the project's metadata.
@@ -898,7 +898,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
 repository_name=repository_name)
 for key_metadata in targets_metadata['delegations']['keys'].values():
- key_object, junk = securesystemslib.keys.format_metadata_to_key(key_metadata)
+ key_object, junk = format_metadata_to_key(key_metadata)
 tuf.keydb.add_key(key_object, repository_name=repository_name)
 for role in targets_metadata['delegations']['roles']:
@@ -976,7 +976,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
 # Add the keys specified in the delegations field of the Targets role.
 for key_metadata in metadata_object['delegations']['keys'].values():
- key_object, junk = securesystemslib.keys.format_metadata_to_key(key_metadata)
+ key_object, junk = format_metadata_to_key(key_metadata)
 try:
 tuf.keydb.add_key(key_object, repository_name=repository_name)
diff --git a/tuf/keydb.py b/tuf/keydb.py
index 57b67691..e261bfa7 100755
--- a/tuf/keydb.py
+++ b/tuf/keydb.py
@@ -47,6 +47,7 @@
 import securesystemslib
 from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import formats as sslib_formats
+from securesystemslib import keys as sslib_keys
 from tuf import exceptions
 from tuf import formats
@@ -126,7 +127,7 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
 # format_metadata_to_key() uses the provided keyid as the default keyid.
 # All other keyids returned are ignored.
- key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
+ key_dict, _ = sslib_keys.format_metadata_to_key(key_metadata,
 keyid)
 # Make sure to update key_dict['keyid'] to use one of the other valid
diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py
index 8e0ad5ea..7ea6a2c8 100644
--- a/tuf/repository_lib.py
+++ b/tuf/repository_lib.py
@@ -41,6 +41,7 @@
 from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import formats as sslib_formats
+from securesystemslib import keys as sslib_keys
 import tuf
 from tuf import exceptions
@@ -349,7 +350,7 @@ def _remove_invalid_and_duplicate_signatures(signable, repository_name):
 continue
 # Remove 'signature' from 'signable' if it is an invalid signature.
- if not securesystemslib.keys.verify_signature(key, signature, signed):
+ if not sslib_keys.verify_signature(key, signature, signed):
 logger.debug('Removing invalid signature for ' + repr(keyid))
 signable['signatures'].remove(signature)
@@ -666,7 +667,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
 for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']):
 # Use the keyid found in the delegation
- key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
+ key_object, _ = sslib_keys.format_metadata_to_key(key_metadata,
 keyid)
 # Add 'key_object' to the list of recognized keys. Keys may be shared,
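Review bot: In the `_remove_invalid_and_duplicate_signatures` hunk of tuf/repository_lib.py, `signable['signatures'].remove(signature)` mutates the list being cleaned, and the `continue` above it shows this runs inside a loop whose header is outside the hunk. If that loop iterates over `signable['signatures']` directly, each removal shifts the remaining entries and the element after a removed one is skipped, so an invalid or duplicate signature could survive the cleanup; iterating over a copy, `for signature in list(signable['signatures']):`, avoids that. The call also has no visible handler for `sslib_exceptions.UnsupportedAlgorithmError`, which the `get_signature_status` hunk in tuf/sig.py does catch around the same `verify_signature` call, so it is worth confirming that raising is the intended behaviour here.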
@@ -1863,7 +1864,7 @@ def sign_metadata(metadata_object, keyids, filename, repository_name):
 if 'private' in key['keyval']:
 signed = sslib_formats.encode_canonical(signable['signed']).encode('utf-8')
 try:
- signature = securesystemslib.keys.create_signature(key, signed)
+ signature = sslib_keys.create_signature(key, signed)
 signable['signatures'].append(signature)
 except Exception:
@@ -2298,7 +2299,7 @@ def keys_to_keydict(keys):
 for key in keys:
 keyid = key['keyid']
- key_metadata_format = securesystemslib.keys.format_keyval_to_metadata(
+ key_metadata_format = sslib_keys.format_keyval_to_metadata(
 key['keytype'], key['scheme'], key['keyval'])
 new_keydict = {keyid: key_metadata_format}
diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py
index ee12b766..cd6920b5 100755
--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@@ -52,7 +52,6 @@
 from tuf import roledb
 import tuf.repository_lib as repo_lib
-import securesystemslib.keys
 import securesystemslib.util
 import six
@@ -89,6 +88,7 @@
 import_ecdsa_privatekey_from_file)
 from securesystemslib.keys import (
+ format_metadata_to_key,
 generate_rsa_key,
 generate_ecdsa_key,
 generate_ed25519_key,
@@ -3167,7 +3167,7 @@ def load_repository(repository_directory, repository_name='default',
 # The repo may have used hashing algorithms for the generated keyids
 # that doesn't match the client's set of hash algorithms. Make sure
 # to only used the repo's selected hashing algorithms.
- key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata,
+ key_object, keyids = format_metadata_to_key(key_metadata,
 keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
 try:
 for keyid in keyids: # pragma: no branch
diff --git a/tuf/scripts/repo.py b/tuf/scripts/repo.py
index fa6d9c52..794a1009 100755
--- a/tuf/scripts/repo.py
+++ b/tuf/scripts/repo.py
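Review bot: The `sign_metadata` hunk of tuf/repository_lib.py ends on `except Exception:` around `sslib_keys.create_signature(key, signed)`, which handles a programming error the same way as an unusable key. The handler body is outside the hunk, so what it does is not visible; if it only logs, metadata can presumably be produced with fewer signatures than the caller asked for and only fail threshold verification later. The comment in the `generate_rsa_signature` hunk of tuf/sig.py names `securesystemslib.exceptions.FormatError` and `TypeError` as what `create_signature` raises, so narrowing to something like `except (sslib_exceptions.FormatError, TypeError):`, extended with whichever crypto errors actually apply, would keep unexpected failures visible.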
@@ -150,6 +150,7 @@
 import securesystemslib
 from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import formats as sslib_formats
+from securesystemslib import keys as sslib_keys
 from securesystemslib import interface
 import tuf
@@ -457,13 +458,13 @@ def import_privatekey_from_file(keypath, password=None):
 # the derived encryption key from 'password'. Raise
 # 'securesystemslib.exceptions.CryptoError' if the decryption fails.
 try:
- key_object = securesystemslib.keys.decrypt_key(encrypted_key, password)
+ key_object = sslib_keys.decrypt_key(encrypted_key, password)
 except sslib_exceptions.CryptoError:
 try:
 logger.debug(
 'Decryption failed. Attempting to import a private PEM instead.')
- key_object = securesystemslib.keys.import_rsakey_from_private_pem(
+ key_object = sslib_keys.import_rsakey_from_private_pem(
 encrypted_key, 'rsassa-pss-sha256', password)
 except sslib_exceptions.CryptoError as error:
@@ -497,7 +498,7 @@ def import_publickey_from_file(keypath):
 key_metadata = securesystemslib.interface.import_rsa_publickey_from_file(
 keypath)
- key_object, junk = securesystemslib.keys.format_metadata_to_key(key_metadata)
+ key_object, junk = sslib_keys.format_metadata_to_key(key_metadata)
 if key_object['keytype'] not in SUPPORTED_KEY_TYPES:
 raise exceptions.Error('Trying to import an unsupported key'
diff --git a/tuf/sig.py b/tuf/sig.py
index 7bb1f4ad..b67d6c79 100755
--- a/tuf/sig.py
+++ b/tuf/sig.py
@@ -53,6 +53,7 @@
 import securesystemslib
 from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import formats as sslib_formats
+from securesystemslib import keys as sslib_keys
 import tuf
 from tuf import exceptions
@@ -168,7 +169,7 @@ def get_signature_status(signable, role=None, repository_name='default',
 # Does the signature use an unknown/unsupported signing scheme?
 try:
- valid_sig = securesystemslib.keys.verify_signature(key, signature, signed)
+ valid_sig = sslib_keys.verify_signature(key, signature, signed)
 except sslib_exceptions.UnsupportedAlgorithmError:
 unknown_signing_schemes.append(keyid)
@@ -398,6 +399,6 @@ def generate_rsa_signature(signed, rsakey_dict):
 # Generate the RSA signature.
 # Raises securesystemslib.exceptions.FormatError and TypeError.
- signature = securesystemslib.keys.create_signature(rsakey_dict, signed)
+ signature = sslib_keys.create_signature(rsakey_dict, signed)
 return signature