Refactor scheme handling in Azure and GCP signers

lukpueh · lukpueh · commit 48c7523a2209 · 2025-03-26T15:02:39.000+01:00
Refactor constructors and helpers in AzureSigner and GCPSigner to
explicitly validate supported keytypes and schemes early on, to not rely
on implicit keytype/scheme validation helpers, that parse the scheme.

The advantage is that validation is more explicit, and that we can use a
more general parsing helper, which supports more keytype/scheme pairs,
than the individual signer does.

Signed-off-by: Lukas Puehringer &lt;lukas.puehringer@nyu.edu&gt;
diff --git a/securesystemslib/signer/_azure_signer.py b/securesystemslib/signer/_azure_signer.py
@@ -28,6 +28,20 @@
         Encoding,
         PublicFormat,
     )
+
+    KEYTYPES_AND_SCHEMES = {
+        KeyCurveName.p_256: ("ecdsa", "ecdsa-sha2-nistp256"),
+        KeyCurveName.p_384: ("ecdsa", "ecdsa-sha2-nistp384"),
+        KeyCurveName.p_521: ("ecdsa", "ecdsa-sha2-nistp521"),
+    }
+
+    SIGNATURE_ALGORITHMS = {
+        "ecdsa-sha2-nistp256": SignatureAlgorithm.es256,
+        "ecdsa-sha2-nistp384": SignatureAlgorithm.es384,
+        "ecdsa-sha2-nistp521": SignatureAlgorithm.es512,
+    }
+
+
 except ImportError:
     AZURE_IMPORT_ERROR = (
         "Signing with Azure Key Vault requires azure-identity, "
@@ -70,19 +84,22 @@ def __init__(self, az_key_uri: str, public_key: SSlibKey):
         if AZURE_IMPORT_ERROR:
             raise UnsupportedLibraryError(AZURE_IMPORT_ERROR)
 
-        try:
-            cred = DefaultAzureCredential()
-            self.crypto_client = CryptographyClient(
-                az_key_uri,
-                credential=cred,
-            )
-            self.signature_algorithm = self._get_signature_algorithm(
-                public_key,
+        if (public_key.keytype, public_key.scheme) not in KEYTYPES_AND_SCHEMES.values():
+            logger.info("only EC keys are supported for now")
+            raise UnsupportedKeyType(
+                "Supplied key must be an EC key on curve "
+                "nistp256, nistp384, or nistp521"
             )
-            self.hash_algorithm = self._get_hash_algorithm(public_key)
-        except UnsupportedKeyType as e:
-            logger.info("Key %s has unsupported key type or unsupported elliptic curve")
-            raise e
+
+        cred = DefaultAzureCredential()
+        self.crypto_client = CryptographyClient(
+            az_key_uri,
+            credential=cred,
+        )
+        self.signature_algorithm = self._get_signature_algorithm(
+            public_key.scheme,
+        )
+        self.hash_algorithm = self._get_hash_algorithm(public_key)
         self._public_key = public_key
 
     @property
@@ -129,24 +146,9 @@ def _create_crypto_client(
             raise e
 
     @staticmethod
-    def _get_signature_algorithm(public_key: SSlibKey) -> SignatureAlgorithm:
+    def _get_signature_algorithm(scheme: str) -> SignatureAlgorithm:
         """Return SignatureAlgorithm after parsing the public key"""
-        if public_key.keytype != "ecdsa":
-            logger.info("only EC keys are supported for now")
-            raise UnsupportedKeyType("Supplied key must be an EC key")
-        # Format is "ecdsa-sha2-nistp256"
-        comps = public_key.scheme.split("-")
-        if len(comps) != 3:  # noqa: PLR2004
-            raise UnsupportedKeyType("Invalid scheme found")
-
-        if comps[2] == "nistp256":
-            return SignatureAlgorithm.es256
-        if comps[2] == "nistp384":
-            return SignatureAlgorithm.es384
-        if comps[2] == "nistp521":
-            return SignatureAlgorithm.es512
-
-        raise UnsupportedKeyType("Unsupported curve supplied by key")
+        return SIGNATURE_ALGORITHMS[scheme]
 
     @staticmethod
     def _get_hash_algorithm(public_key: Key) -> str:
@@ -167,14 +169,10 @@ def _get_hash_algorithm(public_key: Key) -> str:
 
     @staticmethod
     def _get_keytype_and_scheme(crv: str) -> tuple[str, str]:
-        if crv == KeyCurveName.p_256:
-            return "ecdsa", "ecdsa-sha2-nistp256"
-        if crv == KeyCurveName.p_384:
-            return "ecdsa", "ecdsa-sha2-nistp384"
-        if crv == KeyCurveName.p_521:
-            return "ecdsa", "ecdsa-sha2-nistp521"
-
-        raise UnsupportedKeyType("Unsupported curve supplied by key")
+        try:
+            return KEYTYPES_AND_SCHEMES[crv]
+        except KeyError:
+            raise UnsupportedKeyType("Unsupported curve supplied by key")
 
     @classmethod
     def from_priv_key_uri(
diff --git a/securesystemslib/signer/_gcp_signer.py b/securesystemslib/signer/_gcp_signer.py
@@ -17,6 +17,49 @@
 try:
     from google.cloud import kms
     from google.cloud.kms_v1.types import CryptoKeyVersion
+
+    KEYTYPES_AND_SCHEMES = {
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
+            "ecdsa",
+            "ecdsa-sha2-nistp256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
+            "ecdsa",
+            "ecdsa-sha2-nistp384",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
+            "rsa",
+            "rsassa-pss-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
+            "rsa",
+            "rsassa-pss-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
+            "rsa",
+            "rsassa-pss-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
+            "rsa",
+            "rsassa-pss-sha512",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: (
+            "rsa",
+            "rsa-pkcs1v15-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: (
+            "rsa",
+            "rsa-pkcs1v15-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: (
+            "rsa",
+            "rsa-pkcs1v15-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: (
+            "rsa",
+            "rsa-pkcs1v15-sha512",
+        ),
+    }
 except ImportError:
     GCP_IMPORT_ERROR = (
         "google-cloud-kms library required to sign with Google Cloud keys."
@@ -60,6 +103,12 @@ def __init__(self, gcp_keyid: str, public_key: SSlibKey):
         if GCP_IMPORT_ERROR:
             raise exceptions.UnsupportedLibraryError(GCP_IMPORT_ERROR)
 
+        if (public_key.keytype, public_key.scheme) not in KEYTYPES_AND_SCHEMES.values():
+            raise exceptions.UnsupportedAlgorithmError(
+                f"Unsupported key ({public_key.keytype}/{public_key.scheme}) "
+                f"in key {public_key.keyid}"
+            )
+
         self.hash_algorithm = self._get_hash_algorithm(public_key)
         self.gcp_keyid = gcp_keyid
         self._public_key = public_key
@@ -115,49 +164,7 @@ def import_(cls, gcp_keyid: str) -> tuple[str, SSlibKey]:
     @staticmethod
     def _get_keytype_and_scheme(algorithm: int) -> tuple[str, str]:
         """Return keytype and scheme for the KMS algorithm enum"""
-        keytypes_and_schemes = {
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
-                "ecdsa",
-                "ecdsa-sha2-nistp256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
-                "ecdsa",
-                "ecdsa-sha2-nistp384",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
-                "rsa",
-                "rsassa-pss-sha256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
-                "rsa",
-                "rsassa-pss-sha256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
-                "rsa",
-                "rsassa-pss-sha256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
-                "rsa",
-                "rsassa-pss-sha512",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: (
-                "rsa",
-                "rsa-pkcs1v15-sha256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: (
-                "rsa",
-                "rsa-pkcs1v15-sha256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: (
-                "rsa",
-                "rsa-pkcs1v15-sha256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: (
-                "rsa",
-                "rsa-pkcs1v15-sha512",
-            ),
-        }
-        return keytypes_and_schemes[algorithm]
+        return KEYTYPES_AND_SCHEMES[algorithm]
 
     @staticmethod
     def _get_hash_algorithm(public_key: Key) -> str:
