Use new public hash and scheme methods to SSlibKey

* Add public methods to return hash algorithm name and padding
for all supported SSlibKey schemes, if applicable.
* Use in relevant signers
* Remove obsolete helpers in those signers

Signed-off-by: Lukas Puehringer <[email protected]>

Author: lukpueh

securesystemslib/signer/_azure_signer.py

@@ -99,7 +99,7 @@ def __init__(self, az_key_uri: str, public_key: SSlibKey):
         self.signature_algorithm = self._get_signature_algorithm(
             public_key.scheme,
         )
-        self.hash_algorithm = self._get_hash_algorithm(public_key)
+        self.hash_algorithm = public_key.get_hash_algorithm_name()
         self._public_key = public_key
 
     @property
@@ -150,23 +150,6 @@ def _get_signature_algorithm(scheme: str) -> SignatureAlgorithm:
         """Return SignatureAlgorithm after parsing the public key"""
         return SIGNATURE_ALGORITHMS[scheme]
 
-    @staticmethod
-    def _get_hash_algorithm(public_key: Key) -> str:
-        """Return the hash algorithm used by the public key"""
-        # Format is "ecdsa-sha2-nistp256"
-        comps = public_key.scheme.split("-")
-        if len(comps) != 3:  # noqa: PLR2004
-            raise UnsupportedKeyType("Invalid scheme found")
-
-        if comps[2] == "nistp256":
-            return "sha256"
-        if comps[2] == "nistp384":
-            return "sha384"
-        if comps[2] == "nistp521":
-            return "sha512"
-
-        raise UnsupportedKeyType("Unsupported curve supplied by key")
-
     @staticmethod
     def _get_keytype_and_scheme(crv: str) -> tuple[str, str]:
         try:

securesystemslib/signer/_crypto_signer.py

@@ -140,9 +140,12 @@ def __init__(
             if not isinstance(private_key, RSAPrivateKey):
                 raise ValueError(f"invalid rsa key: {type(private_key)}")
 
-            padding_name, hash_name = public_key.scheme.split("-")[1:]
+            hash_name = public_key.get_hash_algorithm_name()
             hash_algo = get_hash_algorithm(hash_name)
+
+            padding_name = public_key.get_padding_name()
             padding = _get_rsa_padding(padding_name, hash_algo)
+
             self._sign_args = _RSASignArgs(padding, hash_algo)
             self._private_key = private_key
 

securesystemslib/signer/_gcp_signer.py

@@ -109,7 +109,7 @@ def __init__(self, gcp_keyid: str, public_key: SSlibKey):
                 f"in key {public_key.keyid}"
             )
 
-        self.hash_algorithm = self._get_hash_algorithm(public_key)
+        self.hash_algorithm = public_key.get_hash_algorithm_name()
         self.gcp_keyid = gcp_keyid
         self._public_key = public_key
         self.client = kms.KeyManagementServiceClient()
@@ -166,38 +166,6 @@ def _get_keytype_and_scheme(algorithm: int) -> tuple[str, str]:
         """Return keytype and scheme for the KMS algorithm enum"""
         return KEYTYPES_AND_SCHEMES[algorithm]
 
-    @staticmethod
-    def _get_hash_algorithm(public_key: Key) -> str:
-        """Helper function to return payload hash algorithm used for this key"""
-
-        # TODO: This could be a public abstract method on Key so that GCPSigner
-        # would not be tied to a specific Key implementation -- not all keys
-        # have a pre hash algorithm though.
-        if public_key.keytype == "rsa":
-            # hash algorithm is encoded as last scheme portion
-            algo = public_key.scheme.split("-")[-1]
-        elif public_key.keytype in [
-            "ecdsa",
-            "ecdsa-sha2-nistp256",
-            "ecdsa-sha2-nistp384",
-        ]:
-            # nistp256 uses sha-256, nistp384 uses sha-384
-            bits = public_key.scheme.split("-nistp")[-1]
-            algo = f"sha{bits}"
-        else:
-            raise exceptions.UnsupportedAlgorithmError(
-                f"Unsupported key type {public_key.keytype} in key {public_key.keyid}"
-            )
-
-        # trigger UnsupportedAlgorithm if appropriate
-        # TODO: deduplicate scheme parsing and improve validation (#594, #766)
-        try:
-            _ = hashlib.new(algo)
-        except (ValueError, TypeError) as e:
-            raise exceptions.UnsupportedAlgorithmError(algo) from e
-
-        return algo
-
     def sign(self, payload: bytes) -> Signature:
         """Signs payload with Google Cloud KMS.
 

securesystemslib/signer/_key.py

@@ -218,6 +218,45 @@ def __init__(
             raise ValueError(f"public key string required for scheme {scheme}")
         super().__init__(keyid, keytype, scheme, keyval, unrecognized_fields)
 
+    def get_hash_algorithm_name(self) -> str:
+        """Get hash algorithm name for scheme. Raise
+        ValueError if the scheme is not a supported pre-hash scheme."""
+        if self.scheme in [
+            "rsassa-pss-sha224",
+            "rsassa-pss-sha256",
+            "rsassa-pss-sha384",
+            "rsassa-pss-sha512",
+            "rsa-pkcs1v15-sha224",
+            "rsa-pkcs1v15-sha256",
+            "rsa-pkcs1v15-sha384",
+            "rsa-pkcs1v15-sha512",
+            "ecdsa-sha2-nistp256",
+            "ecdsa-sha2-nistp384",
+        ]:
+            return f"sha{self.scheme[-3:]}"
+
+        elif self.scheme == "ecdsa-sha2-nistp521":
+            return "sha512"
+
+        raise ValueError(f"method not supported for scheme {self.scheme}")
+
+    def get_padding_name(self) -> str:
+        """Get padding name for scheme. Raise
+        ValueError if the scheme is not a supported padded rsa scheme."""
+        if self.scheme in [
+            "rsassa-pss-sha224",
+            "rsassa-pss-sha256",
+            "rsassa-pss-sha384",
+            "rsassa-pss-sha512",
+            "rsa-pkcs1v15-sha224",
+            "rsa-pkcs1v15-sha256",
+            "rsa-pkcs1v15-sha384",
+            "rsa-pkcs1v15-sha512",
+        ]:
+            return self.scheme.split("-")[1]
+
+        raise ValueError(f"method not supported for scheme {self.scheme}")
+
     @classmethod
     def from_dict(cls, keyid: str, key_dict: dict[str, Any]) -> SSlibKey:
         keytype, scheme, keyval = cls._from_dict(key_dict)
@@ -358,8 +397,9 @@ def _validate_curve(
             ]:
                 key = cast(RSAPublicKey, self._crypto_key())
                 _validate_type(key, RSAPublicKey)
-                padding_name, hash_name = self.scheme.split("-")[1:]
+                hash_name = self.get_hash_algorithm_name()
                 hash_algorithm = get_hash_algorithm(hash_name)
+                padding_name = self.get_padding_name()
                 padding = self._get_rsa_padding(padding_name, hash_algorithm)
                 key.verify(signature, data, padding, hash_algorithm)