Skip to content

Commit

Permalink
Drop legacy signature creation code (DO NOT MERGE!)
Browse files Browse the repository at this point in the history 
Signed-off-by: Lukas Puehringer <[email protected]>
  • Loading branch information
@lukpueh
lukpueh committed May 30, 2023
1 parent 052b304 commit 62d0c93
Show file tree
Hide file tree
Showing 9 changed files with 0 additions and 1,233 deletions.
95 changes: 0 additions & 95 deletions securesystemslib/ecdsa_keys.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -165,101 +165,6 @@ def generate_public_and_private(scheme="ecdsa-sha2-nistp256"):
return public_pem.decode("utf-8"), private_pem.decode("utf-8")


def create_signature(
public_key, private_key, data, scheme="ecdsa-sha2-nistp256"
):
"""
<Purpose>
Return a (signature, scheme) tuple.
>>> requested_scheme = 'ecdsa-sha2-nistp256'
>>> public, private = generate_public_and_private(requested_scheme)
>>> data = b'The quick brown fox jumps over the lazy dog'
>>> signature, scheme = create_signature(public, private, data, requested_scheme)
>>> securesystemslib.formats.ECDSASIGNATURE_SCHEMA.matches(signature)
True
>>> requested_scheme == scheme
True
<Arguments>
public:
The ECDSA public key in PEM format.
private:
The ECDSA private key in PEM format.
data:
Byte data used by create_signature() to generate the signature returned.
scheme:
The signature scheme used to generate the signature. For example:
'ecdsa-sha2-nistp256'.
<Exceptions>
securesystemslib.exceptions.FormatError, if the arguments are improperly
formatted.
securesystemslib.exceptions.CryptoError, if a signature cannot be created.
securesystemslib.exceptions.UnsupportedAlgorithmError, if 'scheme' is not
one of the supported signature schemes.
securesystemslib.exceptions.UnsupportedLibraryError, if the cryptography
module is not available.
<Side Effects>
None.
<Returns>
A signature dictionary conformat to
'securesystemslib.format.SIGNATURE_SCHEMA'. ECDSA signatures are XX bytes,
however, the hexlified signature is stored in the dictionary returned.
"""

if not CRYPTO: # pragma: no cover
raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG)

# Do 'public_key' and 'private_key' have the correct format?
# This check will ensure that the arguments conform to
# 'securesystemslib.formats.PEMECDSA_SCHEMA'. Raise
# 'securesystemslib.exceptions.FormatError' if the check fails.
formats.PEMECDSA_SCHEMA.check_match(public_key)

# Is 'private_key' properly formatted?
formats.PEMECDSA_SCHEMA.check_match(private_key)

# Is 'scheme' properly formatted?
formats.ECDSA_SCHEME_SCHEMA.check_match(scheme)

# 'ecdsa-sha2-nistp256' is the only currently supported ECDSA scheme, so this
# if-clause isn't strictly needed. Nevertheless, the conditional statement
# is included to accommodate multiple schemes that can potentially be added
# in the future.
if scheme == "ecdsa-sha2-nistp256":
try:
private_key = load_pem_private_key(
private_key.encode("utf-8"),
password=None,
backend=default_backend(),
)

signature = private_key.sign(data, ec.ECDSA(hashes.SHA256()))

except TypeError as e:
raise exceptions.CryptoError(
"Could not create" " signature: " + str(e)
)

# A defensive check for an invalid 'scheme'. The
# ECDSA_SCHEME_SCHEMA.check_match() above should have already validated it.
else: # pragma: no cover
raise exceptions.UnsupportedAlgorithmError(
"Unsupported" " signature scheme is specified: " + repr(scheme)
)

return signature, scheme


def verify_signature(public_key, scheme, signature, data):
"""
<Purpose>
Expand Down
104 changes: 0 additions & 104 deletions securesystemslib/ed25519_keys.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -144,110 +144,6 @@ def generate_public_and_private():
return public, seed


def create_signature(public_key, private_key, data, scheme):
"""
<Purpose>
Return a (signature, scheme) tuple, where the signature scheme is 'ed25519'
and is always generated by PyNaCl (i.e., 'nacl'). The signature returned
conforms to 'securesystemslib.formats.ED25519SIGNATURE_SCHEMA', and has the
form:
'\xae\xd7\x9f\xaf\x95{bP\x9e\xa8YO Z\x86\x9d...'
A signature is a 64-byte string.
>>> public, private = generate_public_and_private()
>>> data = b'The quick brown fox jumps over the lazy dog'
>>> scheme = 'ed25519'
>>> signature, scheme = \
create_signature(public, private, data, scheme)
>>> securesystemslib.formats.ED25519SIGNATURE_SCHEMA.matches(signature)
True
>>> scheme == 'ed25519'
True
>>> signature, scheme = \
create_signature(public, private, data, scheme)
>>> securesystemslib.formats.ED25519SIGNATURE_SCHEMA.matches(signature)
True
>>> scheme == 'ed25519'
True
<Arguments>
public:
The ed25519 public key, which is a 32-byte string.
private:
The ed25519 private key, which is a 32-byte string.
data:
Data object used by create_signature() to generate the signature.
scheme:
The signature scheme used to generate the signature.
<Exceptions>
securesystemslib.exceptions.FormatError, if the arguments are improperly
formatted.
securesystemslib.exceptions.CryptoError, if a signature cannot be created.
securesystemslib.exceptions.UnsupportedLibraryError, if the PyNaCl ('nacl')
module is unavailable.
<Side Effects>
nacl.signing.SigningKey.sign() called to generate the actual signature.
<Returns>
A signature dictionary conformat to
'securesystemslib.format.SIGNATURE_SCHEMA'. ed25519 signatures are 64
bytes, however, the hexlified signature is stored in the dictionary
returned.
"""

if not NACL: # pragma: no cover
raise exceptions.UnsupportedLibraryError(NO_NACL_MSG)

# Does 'public_key' have the correct format?
# This check will ensure 'public_key' conforms to
# 'securesystemslib.formats.ED25519PUBLIC_SCHEMA', which must have length 32
# bytes. Raise 'securesystemslib.exceptions.FormatError' if the check fails.
formats.ED25519PUBLIC_SCHEMA.check_match(public_key)

# Is 'private_key' properly formatted?
formats.ED25519SEED_SCHEMA.check_match(private_key)

# Is 'scheme' properly formatted?
formats.ED25519_SIG_SCHEMA.check_match(scheme)

# Signing the 'data' object requires a seed and public key.
# nacl.signing.SigningKey.sign() generates the signature.
signature = None

# An if-clause is not strictly needed here, since 'ed25519' is the only
# currently supported scheme. Nevertheless, include the conditional
# statement to accommodate schemes that might be added in the future.
if scheme == "ed25519":
try:
nacl_key = SigningKey(private_key)
nacl_sig = nacl_key.sign(data)
signature = nacl_sig.signature

except (ValueError, TypeError, nacl_exceptions.CryptoError) as e:
raise exceptions.CryptoError(
'An "ed25519" signature'
" could not be created with PyNaCl." + str(e)
)

# This is a defensive check for a valid 'scheme', which should have already
# been validated in the check_match() above.
else: # pragma: no cover
raise exceptions.UnsupportedAlgorithmError(
"Unsupported" " signature scheme is specified: " + repr(scheme)
)

return signature, scheme


def verify_signature(public_key, scheme, signature, data):
"""
<Purpose>
Expand Down
136 changes: 0 additions & 136 deletions securesystemslib/keys.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -565,142 +565,6 @@ def _get_keyid(keytype, scheme, key_value, hash_algorithm="sha256"):
return keyid


def create_signature(key_dict, data):
"""
<Purpose>
Return a signature dictionary of the form:
{'keyid': 'f30a0870d026980100c0573bd557394f8c1bbd6...',
'sig': '...'}.
The signing process will use the private key in
key_dict['keyval']['private'] and 'data' to generate the signature.
The following signature schemes are supported:
'RSASSA-PSS'
RFC3447 - RSASSA-PSS
http://www.ietf.org/rfc/rfc3447.
'ed25519'
ed25519 - high-speed high security signatures
http://ed25519.cr.yp.to/
Which signature to generate is determined by the key type of 'key_dict'
and the available cryptography library specified in 'settings'.
>>> ed25519_key = generate_ed25519_key()
>>> data = 'The quick brown fox jumps over the lazy dog'
>>> signature = create_signature(ed25519_key, data)
>>> securesystemslib.formats.SIGNATURE_SCHEMA.matches(signature)
True
>>> len(signature['sig'])
128
>>> rsa_key = generate_rsa_key(2048)
>>> signature = create_signature(rsa_key, data)
>>> securesystemslib.formats.SIGNATURE_SCHEMA.matches(signature)
True
>>> ecdsa_key = generate_ecdsa_key()
>>> signature = create_signature(ecdsa_key, data)
>>> securesystemslib.formats.SIGNATURE_SCHEMA.matches(signature)
True
<Arguments>
key_dict:
A dictionary containing the keys. An example RSA key dict has the
form:
{'keytype': 'rsa',
'scheme': 'rsassa-pss-sha256',
'keyid': 'f30a0870d026980100c0573bd557394f8c1bbd6...',
'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
The public and private keys are strings in PEM format.
data:
Data to be signed. This should be a bytes object; data should be
encoded/serialized before it is passed here. The same value can be be
passed into securesystemslib.verify_signature() (along with the public
key) to later verify the signature.
<Exceptions>
securesystemslib.exceptions.FormatError, if 'key_dict' is improperly
formatted.
securesystemslib.exceptions.UnsupportedAlgorithmError, if 'key_dict'
specifies an unsupported key type or signing scheme.
securesystemslib.exceptions.CryptoError, if the signature cannot be
generated.
TypeError, if 'key_dict' contains an invalid keytype.
<Side Effects>
The cryptography library specified in 'settings' is called to perform the
actual signing routine.
<Returns>
A signature dictionary conformant to
'securesystemslib_format.SIGNATURE_SCHEMA'.
"""

# Does 'key_dict' have the correct format?
# This check will ensure 'key_dict' has the appropriate number of objects
# and object types, and that all dict keys are properly named.
# Raise 'securesystemslib.exceptions.FormatError' if the check fails.
# The key type of 'key_dict' must be either 'rsa' or 'ed25519'.
formats.ANYKEY_SCHEMA.check_match(key_dict)

# Signing the 'data' object requires a private key. Signing schemes that are
# currently supported are: 'ed25519', 'ecdsa-sha2-nistp256',
# 'ecdsa-sha2-nistp384' and rsa schemes defined in
# `securesystemslib.keys.RSA_SIGNATURE_SCHEMES`.
# RSASSA-PSS and RSA-PKCS1v15 keys and signatures can be generated and
# verified by rsa_keys.py, and Ed25519 keys by PyNaCl and PyCA's
# optimized, pure python implementation of Ed25519.
signature = {}
keytype = key_dict["keytype"]
scheme = key_dict["scheme"]
public = key_dict["keyval"]["public"]
private = key_dict["keyval"]["private"]
keyid = key_dict["keyid"]
sig = None

if keytype == "rsa":
if scheme in RSA_SIGNATURE_SCHEMES:
private = private.replace("\r\n", "\n")
sig, scheme = rsa_keys.create_rsa_signature(private, data, scheme)

else:
raise exceptions.UnsupportedAlgorithmError(
"Unsupported" " RSA signature scheme specified: " + repr(scheme)
)

elif keytype == "ed25519":
public = binascii.unhexlify(public.encode("utf-8"))
private = binascii.unhexlify(private.encode("utf-8"))
sig, scheme = ed25519_keys.create_signature(
public, private, data, scheme
)

# Continue to support keytypes of ecdsa-sha2-nistp256 and ecdsa-sha2-nistp384
# for backwards compatibility with older securesystemslib releases
elif keytype in ["ecdsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"]:
sig, scheme = ecdsa_keys.create_signature(public, private, data, scheme)

# 'securesystemslib.formats.ANYKEY_SCHEMA' should have detected invalid key
# types. This is a defensive check against an invalid key type.
else: # pragma: no cover
raise TypeError("Invalid key type.")

# Build the signature dictionary to be returned.
# The hexadecimal representation of 'sig' is stored in the signature.
signature["keyid"] = keyid
signature["sig"] = binascii.hexlify(sig).decode()

return signature


def verify_signature(
key_dict, signature, data
): # pylint: disable=too-many-branches
Expand Down
Loading

0 comments on commit 62d0c93

Please sign in to comment.