De-duplicate get_hash_algorithm method

lukpueh · lukpueh · commit 166e457593d3 · 2025-03-26T14:41:52.000+01:00
Add helper to return pyca/cryptography hash object for a given hash
name and use in SSlibkey and CryptoSigner, replacing two local helpers.

NOTE: The helper is added to a separate _crypto_util module for
conditional import only of pyca/cryptography is installed.

Signed-off-by: Lukas Puehringer &lt;lukas.puehringer@nyu.edu&gt;
diff --git a/securesystemslib/signer/_crypto_signer.py b/securesystemslib/signer/_crypto_signer.py
@@ -38,10 +38,7 @@
     )
     from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
     from cryptography.hazmat.primitives.hashes import (
-        SHA224,
         SHA256,
-        SHA384,
-        SHA512,
         HashAlgorithm,
     )
     from cryptography.hazmat.primitives.serialization import (
@@ -50,6 +47,9 @@
         PrivateFormat,
         load_pem_private_key,
     )
+
+    from securesystemslib.signer._crypto_utils import get_hash_algorithm
+
 except ImportError:
     CRYPTO_IMPORT_ERROR = "'pyca/cryptography' library required"
 
@@ -77,21 +77,6 @@ class _NoSignArgs:
 _ECDSA_KEYTYPES = ["ecdsa", "ecdsa-sha2-nistp256"]
 
 
-def _get_hash_algorithm(name: str) -> "HashAlgorithm":
-    """Helper to return hash algorithm for name."""
-    algorithm: HashAlgorithm
-    if name == "sha224":
-        algorithm = SHA224()
-    if name == "sha256":
-        algorithm = SHA256()
-    if name == "sha384":
-        algorithm = SHA384()
-    if name == "sha512":
-        algorithm = SHA512()
-
-    return algorithm
-
-
 def _get_rsa_padding(name: str, hash_algorithm: "HashAlgorithm") -> "AsymmetricPadding":
     """Helper to return rsa signature padding for name."""
     padding: AsymmetricPadding
@@ -156,7 +141,7 @@ def __init__(
                 raise ValueError(f"invalid rsa key: {type(private_key)}")
 
             padding_name, hash_name = public_key.scheme.split("-")[1:]
-            hash_algo = _get_hash_algorithm(hash_name)
+            hash_algo = get_hash_algorithm(hash_name)
             padding = _get_rsa_padding(padding_name, hash_algo)
             self._sign_args = _RSASignArgs(padding, hash_algo)
             self._private_key = private_key
diff --git a/securesystemslib/signer/_crypto_utils.py b/securesystemslib/signer/_crypto_utils.py
@@ -0,0 +1,23 @@
+"""Signer utils for internal use that require pyca/cryptography."""
+
+from cryptography.hazmat.primitives.hashes import (
+    SHA224,
+    SHA256,
+    SHA384,
+    SHA512,
+    HashAlgorithm,
+)
+
+
+def get_hash_algorithm(name: str) -> HashAlgorithm:
+    """Helper to return hash algorithm object for name."""
+    if name == "sha224":
+        return SHA224()
+    elif name == "sha256":
+        return SHA256()
+    elif name == "sha384":
+        return SHA384()
+    elif name == "sha512":
+        return SHA512()
+
+    raise ValueError(f"Unsupported hash algorithm: {name}")
diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py
@@ -43,7 +43,6 @@
     )
     from cryptography.hazmat.primitives.asymmetric.types import PublicKeyTypes
     from cryptography.hazmat.primitives.hashes import (
-        SHA224,
         SHA256,
         SHA384,
         SHA512,
@@ -54,6 +53,9 @@
         PublicFormat,
         load_pem_public_key,
     )
+
+    from securesystemslib.signer._crypto_utils import get_hash_algorithm
+
 except ImportError:
     CRYPTO_IMPORT_ERROR = "'pyca/cryptography' library required"
 
@@ -308,21 +310,6 @@ def from_crypto(
 
         return SSlibKey(keyid, keytype, scheme, keyval)
 
-    @staticmethod
-    def _get_hash_algorithm(name: str) -> HashAlgorithm:
-        """Helper to return hash algorithm for name."""
-        algorithm: HashAlgorithm
-        if name == "sha224":
-            algorithm = SHA224()
-        if name == "sha256":
-            algorithm = SHA256()
-        if name == "sha384":
-            algorithm = SHA384()
-        if name == "sha512":
-            algorithm = SHA512()
-
-        return algorithm
-
     @staticmethod
     def _get_rsa_padding(name: str, hash_algorithm: HashAlgorithm) -> AsymmetricPadding:
         """Helper to return rsa signature padding for name."""
@@ -372,7 +359,7 @@ def _validate_curve(
                 key = cast(RSAPublicKey, self._crypto_key())
                 _validate_type(key, RSAPublicKey)
                 padding_name, hash_name = self.scheme.split("-")[1:]
-                hash_algorithm = self._get_hash_algorithm(hash_name)
+                hash_algorithm = get_hash_algorithm(hash_name)
                 padding = self._get_rsa_padding(padding_name, hash_algorithm)
                 key.verify(signature, data, padding, hash_algorithm)
 
