
Commit 48c7523

committed
Refactor scheme handling in Azure and GCP signers
Refactor constructors and helpers in AzureSigner and GCPSigner to explicitly validate supported keytypes and schemes early on, rather than relying on implicit keytype/scheme validation helpers that parse the scheme. The advantage is that validation is more explicit, and that we can use a more general parsing helper, which supports more keytype/scheme pairs than the individual signer does. Signed-off-by: Lukas Puehringer <[email protected]>
1 parent 166e457 commit 48c7523


2 files changed

+85
-80
lines changed


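--- a/securesystemslib/signer/_azure_signer.py
+++ b/securesystemslib/signer/_azure_signer.py
@@ -28,6 +28,20 @@
 Encoding,
 PublicFormat,
 )
+
+KEYTYPES_AND_SCHEMES = {
+KeyCurveName.p_256: ("ecdsa", "ecdsa-sha2-nistp256"),
+KeyCurveName.p_384: ("ecdsa", "ecdsa-sha2-nistp384"),
+KeyCurveName.p_521: ("ecdsa", "ecdsa-sha2-nistp521"),
+}
+
+SIGNATURE_ALGORITHMS = {
+"ecdsa-sha2-nistp256": SignatureAlgorithm.es256,
+"ecdsa-sha2-nistp384": SignatureAlgorithm.es384,
+"ecdsa-sha2-nistp521": SignatureAlgorithm.es512,
+}
+
+
 except ImportError:
 AZURE_IMPORT_ERROR = (
 "Signing with Azure Key Vault requires azure-identity, "
@@ -70,19 +84,22 @@ def __init__(self, az_key_uri: str, public_key: SSlibKey):
 if AZURE_IMPORT_ERROR:
 raise UnsupportedLibraryError(AZURE_IMPORT_ERROR)
 
-try:
-cred = DefaultAzureCredential()
-self.crypto_client = CryptographyClient(
-az_key_uri,
-credential=cred,
-)
-self.signature_algorithm = self._get_signature_algorithm(
-public_key,
+if (public_key.keytype, public_key.scheme) not in KEYTYPES_AND_SCHEMES.values():
+logger.info("only EC keys are supported for now")
+raise UnsupportedKeyType(
+"Supplied key must be an EC key on curve "
+"nistp256, nistp384, or nistp521"
 )
-self.hash_algorithm = self._get_hash_algorithm(public_key)
-except UnsupportedKeyType as e:
-logger.info("Key %s has unsupported key type or unsupported elliptic curve")
-raise e
+
+cred = DefaultAzureCredential()
+self.crypto_client = CryptographyClient(
+az_key_uri,
+credential=cred,
+)
+self.signature_algorithm = self._get_signature_algorithm(
+public_key.scheme,
+)
+self.hash_algorithm = self._get_hash_algorithm(public_key)
 self._public_key = public_key
 
 @property
@@ -129,24 +146,9 @@ def _create_crypto_client(
 raise e
 
 @staticmethod
-def _get_signature_algorithm(public_key: SSlibKey) -> SignatureAlgorithm:
+def _get_signature_algorithm(scheme: str) -> SignatureAlgorithm:
 """Return SignatureAlgorithm after parsing the public key"""
-if public_key.keytype != "ecdsa":
-logger.info("only EC keys are supported for now")
-raise UnsupportedKeyType("Supplied key must be an EC key")
-# Format is "ecdsa-sha2-nistp256"
-comps = public_key.scheme.split("-")
-if len(comps) != 3: # noqa: PLR2004
-raise UnsupportedKeyType("Invalid scheme found")
-
-if comps[2] == "nistp256":
-return SignatureAlgorithm.es256
-if comps[2] == "nistp384":
-return SignatureAlgorithm.es384
-if comps[2] == "nistp521":
-return SignatureAlgorithm.es512
-
-raise UnsupportedKeyType("Unsupported curve supplied by key")
+return SIGNATURE_ALGORITHMS[scheme]
 
 @staticmethod
 def _get_hash_algorithm(public_key: Key) -> str:
@@ -167,14 +169,10 @@ def _get_hash_algorithm(public_key: Key) -> str:
 
 @staticmethod
 def _get_keytype_and_scheme(crv: str) -> tuple[str, str]:
-if crv == KeyCurveName.p_256:
-return "ecdsa", "ecdsa-sha2-nistp256"
-if crv == KeyCurveName.p_384:
-return "ecdsa", "ecdsa-sha2-nistp384"
-if crv == KeyCurveName.p_521:
-return "ecdsa", "ecdsa-sha2-nistp521"
-
-raise UnsupportedKeyType("Unsupported curve supplied by key")
+try:
+return KEYTYPES_AND_SCHEMES[crv]
+except KeyError:
+raise UnsupportedKeyType("Unsupported curve supplied by key")
 
 @classmethod
 def from_priv_key_uri(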
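Review bot: The docstring kept on the new `_get_signature_algorithm(scheme: str)` (hunk `@@ -129,24 +146,9 @@`) still reads "Return SignatureAlgorithm after parsing the public key", but the helper now takes a scheme string and does a plain table lookup; I'd change it to `"""Return SignatureAlgorithm for a supported ecdsa scheme (see SIGNATURE_ALGORITHMS)"""`. That lookup also raises a bare `KeyError` for an unknown scheme where the old code raised `UnsupportedKeyType`, which is fine for `__init__` because it now validates the pair against `KEYTYPES_AND_SCHEMES` first, but any other caller would see a different exception, so a comment like `# callers validate scheme against KEYTYPES_AND_SCHEMES first` would make that contract explicit. In the last hunk, the `raise UnsupportedKeyType("Unsupported curve supplied by key")` inside `except KeyError:` should end with `from None` so the internal lookup failure is not chained into the traceback (ruff B904). `from_priv_key_uri` starts on the hunk's final line and its body is outside the hunk.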

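--- a/securesystemslib/signer/_gcp_signer.py
+++ b/securesystemslib/signer/_gcp_signer.py
@@ -17,6 +17,49 @@
 try:
 from google.cloud import kms
 from google.cloud.kms_v1.types import CryptoKeyVersion
+
+KEYTYPES_AND_SCHEMES = {
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
+"ecdsa",
+"ecdsa-sha2-nistp256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
+"ecdsa",
+"ecdsa-sha2-nistp384",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
+"rsa",
+"rsassa-pss-sha256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
+"rsa",
+"rsassa-pss-sha256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
+"rsa",
+"rsassa-pss-sha256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
+"rsa",
+"rsassa-pss-sha512",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: (
+"rsa",
+"rsa-pkcs1v15-sha256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: (
+"rsa",
+"rsa-pkcs1v15-sha256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: (
+"rsa",
+"rsa-pkcs1v15-sha256",
+),
+CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: (
+"rsa",
+"rsa-pkcs1v15-sha512",
+),
+}
 except ImportError:
 GCP_IMPORT_ERROR = (
 "google-cloud-kms library required to sign with Google Cloud keys."
@@ -60,6 +103,12 @@ def __init__(self, gcp_keyid: str, public_key: SSlibKey):
 if GCP_IMPORT_ERROR:
 raise exceptions.UnsupportedLibraryError(GCP_IMPORT_ERROR)
 
+if (public_key.keytype, public_key.scheme) not in KEYTYPES_AND_SCHEMES.values():
+raise exceptions.UnsupportedAlgorithmError(
+f"Unsupported key ({public_key.keytype}/{public_key.scheme}) "
+f"in key {public_key.keyid}"
+)
+
 self.hash_algorithm = self._get_hash_algorithm(public_key)
 self.gcp_keyid = gcp_keyid
 self._public_key = public_key
@@ -115,49 +164,7 @@ def import_(cls, gcp_keyid: str) -> tuple[str, SSlibKey]:
 @staticmethod
 def _get_keytype_and_scheme(algorithm: int) -> tuple[str, str]:
 """Return keytype and scheme for the KMS algorithm enum"""
-keytypes_and_schemes = {
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
-"ecdsa",
-"ecdsa-sha2-nistp256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
-"ecdsa",
-"ecdsa-sha2-nistp384",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
-"rsa",
-"rsassa-pss-sha256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
-"rsa",
-"rsassa-pss-sha256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
-"rsa",
-"rsassa-pss-sha256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
-"rsa",
-"rsassa-pss-sha512",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: (
-"rsa",
-"rsa-pkcs1v15-sha256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: (
-"rsa",
-"rsa-pkcs1v15-sha256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: (
-"rsa",
-"rsa-pkcs1v15-sha256",
-),
-CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: (
-"rsa",
-"rsa-pkcs1v15-sha512",
-),
-}
-return keytypes_and_schemes[algorithm]
+return KEYTYPES_AND_SCHEMES[algorithm]
 
 @staticmethod
 def _get_hash_algorithm(public_key: Key) -> str: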
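Review bot: `_get_keytype_and_scheme` (hunk `@@ -115,49 +164,7 @@`) still lets an unsupported KMS algorithm escape as a bare `KeyError`, while the Azure signer's equivalent helper in this same commit converts the lookup failure into a signer exception; the two signers should agree on how an unknown algorithm surfaces. I'd write it as `try: return KEYTYPES_AND_SCHEMES[algorithm]` / `except KeyError: raise exceptions.UnsupportedAlgorithmError(f"Unsupported KMS algorithm {algorithm}") from None`, which is also the exception type the new `__init__` check raises for an unsupported keytype/scheme pair. The docstring could additionally state that only the algorithms listed in `KEYTYPES_AND_SCHEMES` are accepted, since the table is now the single source of truth for both the constructor check and this helper. `_get_hash_algorithm` begins on the hunk's last line and its body lies outside the hunk.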
