diff --git a/securesystemslib/signer/__init__.py b/securesystemslib/signer/__init__.py index d8fbe8d1..10346d84 100644 --- a/securesystemslib/signer/__init__.py +++ b/securesystemslib/signer/__init__.py @@ -8,6 +8,23 @@ # ruff: noqa: F401 from securesystemslib.signer._aws_signer import AWSSigner from securesystemslib.signer._azure_signer import AzureSigner +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, + ECDSA_SHA2_NISTP521, + ED25519, + KEY_TYPE_ECDSA, + KEY_TYPE_ED25519, + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, +) from securesystemslib.signer._crypto_signer import CryptoSigner from securesystemslib.signer._gcp_signer import GCPSigner from securesystemslib.signer._gpg_signer import GPGKey, GPGSigner @@ -47,22 +64,22 @@ # Register supported key types and schemes, and the Keys implementing them KEY_FOR_TYPE_AND_SCHEME.update( { - ("ecdsa", "ecdsa-sha2-nistp256"): SSlibKey, - ("ecdsa", "ecdsa-sha2-nistp384"): SSlibKey, - ("ecdsa", "ecdsa-sha2-nistp521"): SSlibKey, - ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp256"): SSlibKey, - ("ecdsa-sha2-nistp384", "ecdsa-sha2-nistp384"): SSlibKey, - ("ecdsa-sha2-nistp521", "ecdsa-sha2-nistp521"): SSlibKey, - ("ed25519", "ed25519"): SSlibKey, - ("rsa", "rsassa-pss-sha224"): SSlibKey, - ("rsa", "rsassa-pss-sha256"): SSlibKey, - ("rsa", "rsassa-pss-sha384"): SSlibKey, - ("rsa", "rsassa-pss-sha512"): SSlibKey, - ("rsa", "rsa-pkcs1v15-sha224"): SSlibKey, - ("rsa", "rsa-pkcs1v15-sha256"): SSlibKey, - ("rsa", "rsa-pkcs1v15-sha384"): SSlibKey, - ("rsa", "rsa-pkcs1v15-sha512"): SSlibKey, - ("rsa", "pgp+rsa-pkcsv1.5"): GPGKey, + (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256): SSlibKey, + (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP384): SSlibKey, + (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP521): SSlibKey, + (ECDSA_SHA2_NISTP256, ECDSA_SHA2_NISTP256): SSlibKey, + (ECDSA_SHA2_NISTP384, ECDSA_SHA2_NISTP384): SSlibKey, + (ECDSA_SHA2_NISTP521, ECDSA_SHA2_NISTP521): SSlibKey, + (KEY_TYPE_ED25519, ED25519): SSlibKey, + (KEY_TYPE_RSA, RSASSA_PSS_SHA224): SSlibKey, + (KEY_TYPE_RSA, RSASSA_PSS_SHA256): SSlibKey, + (KEY_TYPE_RSA, RSASSA_PSS_SHA384): SSlibKey, + (KEY_TYPE_RSA, RSASSA_PSS_SHA512): SSlibKey, + (KEY_TYPE_RSA, RSA_PKCS1V15_SHA224): SSlibKey, + (KEY_TYPE_RSA, RSA_PKCS1V15_SHA256): SSlibKey, + (KEY_TYPE_RSA, RSA_PKCS1V15_SHA384): SSlibKey, + (KEY_TYPE_RSA, RSA_PKCS1V15_SHA512): SSlibKey, + (KEY_TYPE_RSA, "pgp+rsa-pkcsv1.5"): GPGKey, ("dsa", "pgp+dsa-fips-180-2"): GPGKey, ("eddsa", "pgp+eddsa-ed25519"): GPGKey, } diff --git a/securesystemslib/signer/_aws_signer.py b/securesystemslib/signer/_aws_signer.py index 57138d3f..9aa97f3e 100644 --- a/securesystemslib/signer/_aws_signer.py +++ b/securesystemslib/signer/_aws_signer.py @@ -10,6 +10,18 @@ UnsupportedAlgorithmError, UnsupportedLibraryError, ) +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, + KEY_TYPE_ECDSA, + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, +) from securesystemslib.signer._key import Key, SSlibKey from securesystemslib.signer._signer import SecretsHandler, Signature, Signer from securesystemslib.signer._utils import compute_default_keyid @@ -66,15 +78,15 @@ class AWSSigner(Signer): # Ordered dict of securesystemslib schemes to aws signing algorithms # NOTE: the order matters when choosing a default (see _get_default_scheme) aws_algos = { - "ecdsa-sha2-nistp256": "ECDSA_SHA_256", - "ecdsa-sha2-nistp384": "ECDSA_SHA_384", + ECDSA_SHA2_NISTP256: "ECDSA_SHA_256", + ECDSA_SHA2_NISTP384: "ECDSA_SHA_384", # "ecdsa-sha2-nistp521": "ECDSA_SHA_512", # FIXME: needs SSlibKey support - "rsassa-pss-sha256": "RSASSA_PSS_SHA_256", - "rsassa-pss-sha384": "RSASSA_PSS_SHA_384", - "rsassa-pss-sha512": "RSASSA_PSS_SHA_512", - "rsa-pkcs1v15-sha256": "RSASSA_PKCS1_V1_5_SHA_256", - "rsa-pkcs1v15-sha384": "RSASSA_PKCS1_V1_5_SHA_384", - "rsa-pkcs1v15-sha512": "RSASSA_PKCS1_V1_5_SHA_512", + RSASSA_PSS_SHA256: "RSASSA_PSS_SHA_256", + RSASSA_PSS_SHA384: "RSASSA_PSS_SHA_384", + RSASSA_PSS_SHA512: "RSASSA_PSS_SHA_512", + RSA_PKCS1V15_SHA256: "RSASSA_PKCS1_V1_5_SHA_256", + RSA_PKCS1V15_SHA384: "RSASSA_PKCS1_V1_5_SHA_384", + RSA_PKCS1V15_SHA512: "RSASSA_PKCS1_V1_5_SHA_512", } def __init__(self, aws_key_id: str, public_key: SSlibKey): @@ -118,10 +130,10 @@ def _get_default_scheme(cls, supported_by_key: list[str]) -> str | None: @staticmethod def _get_keytype_for_scheme(scheme: str) -> str: - if scheme.startswith("ecdsa"): - return "ecdsa" - if scheme.startswith("rsa"): - return "rsa" + if scheme.startswith(KEY_TYPE_ECDSA): + return KEY_TYPE_ECDSA + if scheme.startswith(KEY_TYPE_RSA): + return KEY_TYPE_RSA raise RuntimeError @classmethod diff --git a/securesystemslib/signer/_azure_signer.py b/securesystemslib/signer/_azure_signer.py index 74f44dc4..76e8448c 100644 --- a/securesystemslib/signer/_azure_signer.py +++ b/securesystemslib/signer/_azure_signer.py @@ -7,6 +7,12 @@ from urllib import parse from securesystemslib.exceptions import UnsupportedLibraryError +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, + ECDSA_SHA2_NISTP521, + KEY_TYPE_ECDSA, +) from securesystemslib.signer._key import Key, SSlibKey from securesystemslib.signer._signer import SecretsHandler, Signature, Signer from securesystemslib.signer._utils import compute_default_keyid @@ -30,15 +36,15 @@ ) KEYTYPES_AND_SCHEMES = { - KeyCurveName.p_256: ("ecdsa", "ecdsa-sha2-nistp256"), - KeyCurveName.p_384: ("ecdsa", "ecdsa-sha2-nistp384"), - KeyCurveName.p_521: ("ecdsa", "ecdsa-sha2-nistp521"), + KeyCurveName.p_256: (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256), + KeyCurveName.p_384: (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP384), + KeyCurveName.p_521: (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP521), } SIGNATURE_ALGORITHMS = { - "ecdsa-sha2-nistp256": SignatureAlgorithm.es256, - "ecdsa-sha2-nistp384": SignatureAlgorithm.es384, - "ecdsa-sha2-nistp521": SignatureAlgorithm.es512, + ECDSA_SHA2_NISTP256: SignatureAlgorithm.es256, + ECDSA_SHA2_NISTP384: SignatureAlgorithm.es384, + ECDSA_SHA2_NISTP521: SignatureAlgorithm.es512, } diff --git a/securesystemslib/signer/_constants.py b/securesystemslib/signer/_constants.py new file mode 100644 index 00000000..84d50ea5 --- /dev/null +++ b/securesystemslib/signer/_constants.py @@ -0,0 +1,31 @@ +"""Constants for supported key types and signing schemes. + +These are used throughout the ``securesystemslib.signer`` package instead of +hardcoded strings. The publicly registered key type and scheme pairs are listed +in ``securesystemslib.signer.KEY_FOR_TYPE_AND_SCHEME``. +""" + +# Key types +KEY_TYPE_RSA = "rsa" +KEY_TYPE_ECDSA = "ecdsa" +KEY_TYPE_ED25519 = "ed25519" + +# ECDSA schemes +ECDSA_SHA2_NISTP256 = "ecdsa-sha2-nistp256" +ECDSA_SHA2_NISTP384 = "ecdsa-sha2-nistp384" +ECDSA_SHA2_NISTP521 = "ecdsa-sha2-nistp521" + +# RSA-PSS schemes +RSASSA_PSS_SHA224 = "rsassa-pss-sha224" +RSASSA_PSS_SHA256 = "rsassa-pss-sha256" +RSASSA_PSS_SHA384 = "rsassa-pss-sha384" +RSASSA_PSS_SHA512 = "rsassa-pss-sha512" + +# RSA-PKCS1v15 schemes +RSA_PKCS1V15_SHA224 = "rsa-pkcs1v15-sha224" +RSA_PKCS1V15_SHA256 = "rsa-pkcs1v15-sha256" +RSA_PKCS1V15_SHA384 = "rsa-pkcs1v15-sha384" +RSA_PKCS1V15_SHA512 = "rsa-pkcs1v15-sha512" + +# Ed25519 +ED25519 = "ed25519" diff --git a/securesystemslib/signer/_crypto_signer.py b/securesystemslib/signer/_crypto_signer.py index 326c6762..f4799d8b 100644 --- a/securesystemslib/signer/_crypto_signer.py +++ b/securesystemslib/signer/_crypto_signer.py @@ -6,6 +6,21 @@ from urllib import parse from securesystemslib.exceptions import UnsupportedLibraryError +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ED25519, + KEY_TYPE_ECDSA, + KEY_TYPE_ED25519, + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, +) from securesystemslib.signer._key import Key, SSlibKey from securesystemslib.signer._signature import Signature from securesystemslib.signer._signer import SecretsHandler, Signer @@ -73,7 +88,7 @@ class _NoSignArgs: # for backwards compat: use when spec-deprecated keytype ecdsa-sha2-nistp256 # should be accepted in addition to "ecdsa" -_ECDSA_KEYTYPES = ["ecdsa", "ecdsa-sha2-nistp256"] +_ECDSA_KEYTYPES = [KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256] def _get_rsa_padding(name: str, hash_algorithm: "HashAlgorithm") -> "AsymmetricPadding": @@ -126,15 +141,15 @@ def __init__( self._private_key: PrivateKeyTypes self._sign_args: _RSASignArgs | _ECDSASignArgs | _NoSignArgs - if public_key.keytype == "rsa" and public_key.scheme in [ - "rsassa-pss-sha224", - "rsassa-pss-sha256", - "rsassa-pss-sha384", - "rsassa-pss-sha512", - "rsa-pkcs1v15-sha224", - "rsa-pkcs1v15-sha256", - "rsa-pkcs1v15-sha384", - "rsa-pkcs1v15-sha512", + if public_key.keytype == KEY_TYPE_RSA and public_key.scheme in [ + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, ]: if not isinstance(private_key, RSAPrivateKey): raise ValueError(f"invalid rsa key: {type(private_key)}") @@ -150,7 +165,7 @@ def __init__( elif ( public_key.keytype in _ECDSA_KEYTYPES - and public_key.scheme == "ecdsa-sha2-nistp256" + and public_key.scheme == ECDSA_SHA2_NISTP256 ): if not isinstance(private_key, EllipticCurvePrivateKey): raise ValueError(f"invalid ecdsa key: {type(private_key)}") @@ -159,7 +174,7 @@ def __init__( self._sign_args = _ECDSASignArgs(signature_algorithm) self._private_key = private_key - elif public_key.keytype == "ed25519" and public_key.scheme == "ed25519": + elif public_key.keytype == KEY_TYPE_ED25519 and public_key.scheme == ED25519: if not isinstance(private_key, Ed25519PrivateKey): raise ValueError(f"invalid ed25519 key: {type(private_key)}") @@ -264,13 +279,13 @@ def generate_ed25519( raise UnsupportedLibraryError(CRYPTO_IMPORT_ERROR) private_key = Ed25519PrivateKey.generate() - public_key = SSlibKey.from_crypto(private_key.public_key(), keyid, "ed25519") + public_key = SSlibKey.from_crypto(private_key.public_key(), keyid, ED25519) return CryptoSigner(private_key, public_key) @staticmethod def generate_rsa( keyid: str | None = None, - scheme: str | None = "rsassa-pss-sha256", + scheme: str | None = RSASSA_PSS_SHA256, size: int = 3072, ) -> "CryptoSigner": """Generate new key pair as rsa signer. @@ -316,7 +331,7 @@ def generate_ecdsa( private_key = generate_ec_private_key(SECP256R1()) public_key = SSlibKey.from_crypto( - private_key.public_key(), keyid, "ecdsa-sha2-nistp256" + private_key.public_key(), keyid, ECDSA_SHA2_NISTP256 ) return CryptoSigner(private_key, public_key) diff --git a/securesystemslib/signer/_gcp_signer.py b/securesystemslib/signer/_gcp_signer.py index d8fb4e56..d1100b44 100644 --- a/securesystemslib/signer/_gcp_signer.py +++ b/securesystemslib/signer/_gcp_signer.py @@ -7,6 +7,16 @@ from urllib import parse from securesystemslib import exceptions +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, + KEY_TYPE_ECDSA, + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA512, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA512, +) from securesystemslib.signer._key import Key, SSlibKey from securesystemslib.signer._signer import SecretsHandler, Signature, Signer from securesystemslib.signer._utils import compute_default_keyid @@ -20,44 +30,44 @@ KEYTYPES_AND_SCHEMES = { CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: ( - "ecdsa", - "ecdsa-sha2-nistp256", + KEY_TYPE_ECDSA, + ECDSA_SHA2_NISTP256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: ( - "ecdsa", - "ecdsa-sha2-nistp384", + KEY_TYPE_ECDSA, + ECDSA_SHA2_NISTP384, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: ( - "rsa", - "rsassa-pss-sha256", + KEY_TYPE_RSA, + RSASSA_PSS_SHA256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: ( - "rsa", - "rsassa-pss-sha256", + KEY_TYPE_RSA, + RSASSA_PSS_SHA256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: ( - "rsa", - "rsassa-pss-sha256", + KEY_TYPE_RSA, + RSASSA_PSS_SHA256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: ( - "rsa", - "rsassa-pss-sha512", + KEY_TYPE_RSA, + RSASSA_PSS_SHA512, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: ( - "rsa", - "rsa-pkcs1v15-sha256", + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: ( - "rsa", - "rsa-pkcs1v15-sha256", + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: ( - "rsa", - "rsa-pkcs1v15-sha256", + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA256, ), CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: ( - "rsa", - "rsa-pkcs1v15-sha512", + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA512, ), } except ImportError: diff --git a/securesystemslib/signer/_hsm_signer.py b/securesystemslib/signer/_hsm_signer.py index 182fda15..94a34d00 100644 --- a/securesystemslib/signer/_hsm_signer.py +++ b/securesystemslib/signer/_hsm_signer.py @@ -14,13 +14,16 @@ from urllib import parse from securesystemslib.exceptions import UnsupportedLibraryError +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, + KEY_TYPE_ECDSA, +) from securesystemslib.signer._key import Key, SSlibKey from securesystemslib.signer._signature import Signature from securesystemslib.signer._signer import SecretsHandler, Signer from securesystemslib.signer._utils import compute_default_keyid -_KEY_TYPE_ECDSA = "ecdsa" - CRYPTO_IMPORT_ERROR = None try: from cryptography.hazmat.primitives import serialization @@ -35,10 +38,9 @@ encode_dss_signature, ) - # TODO: Don't hardcode schemes _SCHEME_FOR_CURVE = { - SECP256R1: "ecdsa-sha2-nistp256", - SECP384R1: "ecdsa-sha2-nistp384", + SECP256R1: ECDSA_SHA2_NISTP256, + SECP384R1: ECDSA_SHA2_NISTP384, } _CURVE_NAMES = [curve.name for curve in _SCHEME_FOR_CURVE] @@ -138,8 +140,8 @@ def __init__( raise UnsupportedLibraryError(PYKCS11_IMPORT_ERROR) if public_key.scheme not in [ - "ecdsa-sha2-nistp256", - "ecdsa-sha2-nistp384", + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, ]: raise ValueError(f"unsupported scheme {public_key.scheme}") @@ -220,10 +222,10 @@ def _find_key( ] ) if not keys: - raise ValueError(f"could not find {_KEY_TYPE_ECDSA} key for {keyid}") + raise ValueError(f"could not find {KEY_TYPE_ECDSA} key for {keyid}") if len(keys) > 1: - raise ValueError(f"found more than one {_KEY_TYPE_ECDSA} key for {keyid}") + raise ValueError(f"found more than one {KEY_TYPE_ECDSA} key for {keyid}") return keys[0] @@ -330,8 +332,8 @@ def import_( keyval = {"public": public_pem} scheme = _SCHEME_FOR_CURVE[curve] - keyid = compute_default_keyid(_KEY_TYPE_ECDSA, scheme, keyval) - key = SSlibKey(keyid, _KEY_TYPE_ECDSA, scheme, keyval) + keyid = compute_default_keyid(KEY_TYPE_ECDSA, scheme, keyval) + key = SSlibKey(keyid, KEY_TYPE_ECDSA, scheme, keyval) return uri, key diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py index a45ed4ef..424e8b5d 100644 --- a/securesystemslib/signer/_key.py +++ b/securesystemslib/signer/_key.py @@ -15,6 +15,23 @@ UnverifiedSignatureError, VerificationError, ) +from securesystemslib.signer._constants import ( + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, + ECDSA_SHA2_NISTP521, + ED25519, + KEY_TYPE_ECDSA, + KEY_TYPE_ED25519, + KEY_TYPE_RSA, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, +) from securesystemslib.signer._signature import Signature from securesystemslib.signer._utils import compute_default_keyid @@ -233,20 +250,20 @@ def get_hash_algorithm_name(self) -> str: """Get hash algorithm name for scheme. Raise ValueError if the scheme is not a supported pre-hash scheme.""" if self.scheme in [ - "rsassa-pss-sha224", - "rsassa-pss-sha256", - "rsassa-pss-sha384", - "rsassa-pss-sha512", - "rsa-pkcs1v15-sha224", - "rsa-pkcs1v15-sha256", - "rsa-pkcs1v15-sha384", - "rsa-pkcs1v15-sha512", - "ecdsa-sha2-nistp256", - "ecdsa-sha2-nistp384", + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, + ECDSA_SHA2_NISTP256, + ECDSA_SHA2_NISTP384, ]: return f"sha{self.scheme[-3:]}" - elif self.scheme == "ecdsa-sha2-nistp521": + elif self.scheme == ECDSA_SHA2_NISTP521: return "sha512" raise ValueError(f"method not supported for scheme {self.scheme}") @@ -255,14 +272,14 @@ def get_padding_name(self) -> str: """Get padding name for scheme. Raise ValueError if the scheme is not a supported padded rsa scheme.""" if self.scheme in [ - "rsassa-pss-sha224", - "rsassa-pss-sha256", - "rsassa-pss-sha384", - "rsassa-pss-sha512", - "rsa-pkcs1v15-sha224", - "rsa-pkcs1v15-sha256", - "rsa-pkcs1v15-sha384", - "rsa-pkcs1v15-sha512", + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, ]: return self.scheme.split("-")[1] @@ -302,22 +319,22 @@ def _pem() -> str: ).decode() if isinstance(public_key, RSAPublicKey): - return "rsa", "rsassa-pss-sha256", _pem() + return KEY_TYPE_RSA, RSASSA_PSS_SHA256, _pem() if isinstance(public_key, EllipticCurvePublicKey): if isinstance(public_key.curve, SECP256R1): - return "ecdsa", "ecdsa-sha2-nistp256", _pem() + return KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256, _pem() if isinstance(public_key.curve, SECP384R1): - return "ecdsa", "ecdsa-sha2-nistp384", _pem() + return KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP384, _pem() if isinstance(public_key.curve, SECP521R1): - return "ecdsa", "ecdsa-sha2-nistp521", _pem() + return KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP521, _pem() raise ValueError(f"unsupported curve '{public_key.curve.name}'") if isinstance(public_key, Ed25519PublicKey): - return "ed25519", "ed25519", _raw() + return KEY_TYPE_ED25519, ED25519, _raw() raise ValueError(f"unsupported key '{type(public_key)}'") @@ -396,15 +413,15 @@ def _validate_curve( try: key: PublicKeyTypes - if self.keytype == "rsa" and self.scheme in [ - "rsassa-pss-sha224", - "rsassa-pss-sha256", - "rsassa-pss-sha384", - "rsassa-pss-sha512", - "rsa-pkcs1v15-sha224", - "rsa-pkcs1v15-sha256", - "rsa-pkcs1v15-sha384", - "rsa-pkcs1v15-sha512", + if self.keytype == KEY_TYPE_RSA and self.scheme in [ + RSASSA_PSS_SHA224, + RSASSA_PSS_SHA256, + RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, + RSA_PKCS1V15_SHA224, + RSA_PKCS1V15_SHA256, + RSA_PKCS1V15_SHA384, + RSA_PKCS1V15_SHA512, ]: key = cast(RSAPublicKey, self._crypto_key()) _validate_type(key, RSAPublicKey) @@ -415,8 +432,8 @@ def _validate_curve( key.verify(signature, data, padding, hash_algorithm) elif ( - self.keytype in ["ecdsa", "ecdsa-sha2-nistp256"] - and self.scheme == "ecdsa-sha2-nistp256" + self.keytype in [KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256] + and self.scheme == ECDSA_SHA2_NISTP256 ): key = cast(EllipticCurvePublicKey, self._crypto_key()) _validate_type(key, EllipticCurvePublicKey) @@ -424,8 +441,8 @@ def _validate_curve( key.verify(signature, data, ECDSA(SHA256())) elif ( - self.keytype in ["ecdsa", "ecdsa-sha2-nistp384"] - and self.scheme == "ecdsa-sha2-nistp384" + self.keytype in [KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP384] + and self.scheme == ECDSA_SHA2_NISTP384 ): key = cast(EllipticCurvePublicKey, self._crypto_key()) _validate_type(key, EllipticCurvePublicKey) @@ -433,15 +450,15 @@ def _validate_curve( key.verify(signature, data, ECDSA(SHA384())) elif ( - self.keytype in ["ecdsa", "ecdsa-sha2-nistp521"] - and self.scheme == "ecdsa-sha2-nistp521" + self.keytype in [KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP521] + and self.scheme == ECDSA_SHA2_NISTP521 ): key = cast(EllipticCurvePublicKey, self._crypto_key()) _validate_type(key, EllipticCurvePublicKey) _validate_curve(key, SECP521R1) key.verify(signature, data, ECDSA(SHA512())) - elif self.keytype == "ed25519" and self.scheme == "ed25519": + elif self.keytype == KEY_TYPE_ED25519 and self.scheme == ED25519: public_bytes = bytes.fromhex(self.keyval["public"]) key = Ed25519PublicKey.from_public_bytes(public_bytes) key.verify(signature, data) @@ -463,7 +480,7 @@ def verify_signature(self, signature: Signature, data: bytes) -> None: signature_bytes = bytes.fromhex(signature.signature) if CRYPTO_IMPORT_ERROR: - if self.scheme != "ed25519": + if self.scheme != ED25519: raise UnsupportedLibraryError(CRYPTO_IMPORT_ERROR) return self._verify_ed25519_fallback(signature_bytes, data)