Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# Changelog

## Unreleased

### Deprecated

* `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, and `ecdsa-sha2-nistp521` as
keytype values. Use `ecdsa` instead. (#363)

## securesystemslib v1.4.0

### Fixed
Expand Down
50 changes: 34 additions & 16 deletions securesystemslib/signer/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,23 @@
# ruff: noqa: F401
from securesystemslib.signer._aws_signer import AWSSigner
from securesystemslib.signer._azure_signer import AzureSigner
from securesystemslib.signer._constants import (
ECDSA_SHA2_NISTP256,
ECDSA_SHA2_NISTP384,
ECDSA_SHA2_NISTP521,
ED25519,
KEY_TYPE_ECDSA,
KEY_TYPE_ED25519,
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA224,
RSA_PKCS1V15_SHA256,
RSA_PKCS1V15_SHA384,
RSA_PKCS1V15_SHA512,
RSASSA_PSS_SHA224,
RSASSA_PSS_SHA256,
RSASSA_PSS_SHA384,
RSASSA_PSS_SHA512,
)
from securesystemslib.signer._crypto_signer import CryptoSigner
from securesystemslib.signer._gcp_signer import GCPSigner
from securesystemslib.signer._gpg_signer import GPGKey, GPGSigner
Expand Down Expand Up @@ -47,22 +64,23 @@
# Register supported key types and schemes, and the Keys implementing them
KEY_FOR_TYPE_AND_SCHEME.update(
{
("ecdsa", "ecdsa-sha2-nistp256"): SSlibKey,
("ecdsa", "ecdsa-sha2-nistp384"): SSlibKey,
("ecdsa", "ecdsa-sha2-nistp521"): SSlibKey,
("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp256"): SSlibKey,
("ecdsa-sha2-nistp384", "ecdsa-sha2-nistp384"): SSlibKey,
("ecdsa-sha2-nistp521", "ecdsa-sha2-nistp521"): SSlibKey,
("ed25519", "ed25519"): SSlibKey,
("rsa", "rsassa-pss-sha224"): SSlibKey,
("rsa", "rsassa-pss-sha256"): SSlibKey,
("rsa", "rsassa-pss-sha384"): SSlibKey,
("rsa", "rsassa-pss-sha512"): SSlibKey,
("rsa", "rsa-pkcs1v15-sha224"): SSlibKey,
("rsa", "rsa-pkcs1v15-sha256"): SSlibKey,
("rsa", "rsa-pkcs1v15-sha384"): SSlibKey,
("rsa", "rsa-pkcs1v15-sha512"): SSlibKey,
("rsa", "pgp+rsa-pkcsv1.5"): GPGKey,
(KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256): SSlibKey,
(KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP384): SSlibKey,
(KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP521): SSlibKey,
# Deprecated: legacy keytype strings (keytype == scheme), use KEY_TYPE_ECDSA
(ECDSA_SHA2_NISTP256, ECDSA_SHA2_NISTP256): SSlibKey,
(ECDSA_SHA2_NISTP384, ECDSA_SHA2_NISTP384): SSlibKey,
(ECDSA_SHA2_NISTP521, ECDSA_SHA2_NISTP521): SSlibKey,
(KEY_TYPE_ED25519, ED25519): SSlibKey,
(KEY_TYPE_RSA, RSASSA_PSS_SHA224): SSlibKey,
(KEY_TYPE_RSA, RSASSA_PSS_SHA256): SSlibKey,
(KEY_TYPE_RSA, RSASSA_PSS_SHA384): SSlibKey,
(KEY_TYPE_RSA, RSASSA_PSS_SHA512): SSlibKey,
(KEY_TYPE_RSA, RSA_PKCS1V15_SHA224): SSlibKey,
(KEY_TYPE_RSA, RSA_PKCS1V15_SHA256): SSlibKey,
(KEY_TYPE_RSA, RSA_PKCS1V15_SHA384): SSlibKey,
(KEY_TYPE_RSA, RSA_PKCS1V15_SHA512): SSlibKey,
(KEY_TYPE_RSA, "pgp+rsa-pkcsv1.5"): GPGKey,
("dsa", "pgp+dsa-fips-180-2"): GPGKey,
("eddsa", "pgp+eddsa-ed25519"): GPGKey,
}
Expand Down
36 changes: 24 additions & 12 deletions securesystemslib/signer/_aws_signer.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,18 @@
UnsupportedAlgorithmError,
UnsupportedLibraryError,
)
from securesystemslib.signer._constants import (
ECDSA_SHA2_NISTP256,
ECDSA_SHA2_NISTP384,
KEY_TYPE_ECDSA,
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA256,
RSA_PKCS1V15_SHA384,
RSA_PKCS1V15_SHA512,
RSASSA_PSS_SHA256,
RSASSA_PSS_SHA384,
RSASSA_PSS_SHA512,
)
from securesystemslib.signer._key import Key, SSlibKey
from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
from securesystemslib.signer._utils import compute_default_keyid
Expand Down Expand Up @@ -66,15 +78,15 @@ class AWSSigner(Signer):
# Ordered dict of securesystemslib schemes to aws signing algorithms
# NOTE: the order matters when choosing a default (see _get_default_scheme)
aws_algos = {
"ecdsa-sha2-nistp256": "ECDSA_SHA_256",
"ecdsa-sha2-nistp384": "ECDSA_SHA_384",
ECDSA_SHA2_NISTP256: "ECDSA_SHA_256",
ECDSA_SHA2_NISTP384: "ECDSA_SHA_384",
# "ecdsa-sha2-nistp521": "ECDSA_SHA_512", # FIXME: needs SSlibKey support
"rsassa-pss-sha256": "RSASSA_PSS_SHA_256",
"rsassa-pss-sha384": "RSASSA_PSS_SHA_384",
"rsassa-pss-sha512": "RSASSA_PSS_SHA_512",
"rsa-pkcs1v15-sha256": "RSASSA_PKCS1_V1_5_SHA_256",
"rsa-pkcs1v15-sha384": "RSASSA_PKCS1_V1_5_SHA_384",
"rsa-pkcs1v15-sha512": "RSASSA_PKCS1_V1_5_SHA_512",
RSASSA_PSS_SHA256: "RSASSA_PSS_SHA_256",
RSASSA_PSS_SHA384: "RSASSA_PSS_SHA_384",
RSASSA_PSS_SHA512: "RSASSA_PSS_SHA_512",
RSA_PKCS1V15_SHA256: "RSASSA_PKCS1_V1_5_SHA_256",
RSA_PKCS1V15_SHA384: "RSASSA_PKCS1_V1_5_SHA_384",
RSA_PKCS1V15_SHA512: "RSASSA_PKCS1_V1_5_SHA_512",
}

def __init__(self, aws_key_id: str, public_key: SSlibKey):
Expand Down Expand Up @@ -118,10 +130,10 @@ def _get_default_scheme(cls, supported_by_key: list[str]) -> str | None:

@staticmethod
def _get_keytype_for_scheme(scheme: str) -> str:
if scheme.startswith("ecdsa"):
return "ecdsa"
if scheme.startswith("rsa"):
return "rsa"
if scheme.startswith(KEY_TYPE_ECDSA):
return KEY_TYPE_ECDSA
if scheme.startswith(KEY_TYPE_RSA):
return KEY_TYPE_RSA
raise RuntimeError

@classmethod
Expand Down
18 changes: 12 additions & 6 deletions securesystemslib/signer/_azure_signer.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@
from urllib import parse

from securesystemslib.exceptions import UnsupportedLibraryError
from securesystemslib.signer._constants import (
ECDSA_SHA2_NISTP256,
ECDSA_SHA2_NISTP384,
ECDSA_SHA2_NISTP521,
KEY_TYPE_ECDSA,
)
from securesystemslib.signer._key import Key, SSlibKey
from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
from securesystemslib.signer._utils import compute_default_keyid
Expand All @@ -30,15 +36,15 @@
)

KEYTYPES_AND_SCHEMES = {
KeyCurveName.p_256: ("ecdsa", "ecdsa-sha2-nistp256"),
KeyCurveName.p_384: ("ecdsa", "ecdsa-sha2-nistp384"),
KeyCurveName.p_521: ("ecdsa", "ecdsa-sha2-nistp521"),
KeyCurveName.p_256: (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256),
KeyCurveName.p_384: (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP384),
KeyCurveName.p_521: (KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP521),
}

SIGNATURE_ALGORITHMS = {
"ecdsa-sha2-nistp256": SignatureAlgorithm.es256,
"ecdsa-sha2-nistp384": SignatureAlgorithm.es384,
"ecdsa-sha2-nistp521": SignatureAlgorithm.es512,
ECDSA_SHA2_NISTP256: SignatureAlgorithm.es256,
ECDSA_SHA2_NISTP384: SignatureAlgorithm.es384,
ECDSA_SHA2_NISTP521: SignatureAlgorithm.es512,
}


Expand Down
31 changes: 31 additions & 0 deletions securesystemslib/signer/_constants.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
"""Constants for supported key types and signing schemes.

These are used throughout the ``securesystemslib.signer`` package instead of
hardcoded strings. The publicly registered key type and scheme pairs are listed
in ``securesystemslib.signer.KEY_FOR_TYPE_AND_SCHEME``.
"""

# Key types
KEY_TYPE_RSA = "rsa"
KEY_TYPE_ECDSA = "ecdsa"
KEY_TYPE_ED25519 = "ed25519"

# ECDSA schemes
ECDSA_SHA2_NISTP256 = "ecdsa-sha2-nistp256"
ECDSA_SHA2_NISTP384 = "ecdsa-sha2-nistp384"
ECDSA_SHA2_NISTP521 = "ecdsa-sha2-nistp521"

# RSA-PSS schemes
RSASSA_PSS_SHA224 = "rsassa-pss-sha224"
RSASSA_PSS_SHA256 = "rsassa-pss-sha256"
RSASSA_PSS_SHA384 = "rsassa-pss-sha384"
RSASSA_PSS_SHA512 = "rsassa-pss-sha512"

# RSA-PKCS1v15 schemes
RSA_PKCS1V15_SHA224 = "rsa-pkcs1v15-sha224"
RSA_PKCS1V15_SHA256 = "rsa-pkcs1v15-sha256"
RSA_PKCS1V15_SHA384 = "rsa-pkcs1v15-sha384"
RSA_PKCS1V15_SHA512 = "rsa-pkcs1v15-sha512"

# Ed25519
ED25519 = "ed25519"
45 changes: 30 additions & 15 deletions securesystemslib/signer/_crypto_signer.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,21 @@
from urllib import parse

from securesystemslib.exceptions import UnsupportedLibraryError
from securesystemslib.signer._constants import (
ECDSA_SHA2_NISTP256,
ED25519,
KEY_TYPE_ECDSA,
KEY_TYPE_ED25519,
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA224,
RSA_PKCS1V15_SHA256,
RSA_PKCS1V15_SHA384,
RSA_PKCS1V15_SHA512,
RSASSA_PSS_SHA224,
RSASSA_PSS_SHA256,
RSASSA_PSS_SHA384,
RSASSA_PSS_SHA512,
)
from securesystemslib.signer._key import Key, SSlibKey
from securesystemslib.signer._signature import Signature
from securesystemslib.signer._signer import SecretsHandler, Signer
Expand Down Expand Up @@ -73,7 +88,7 @@ class _NoSignArgs:

# for backwards compat: use when spec-deprecated keytype ecdsa-sha2-nistp256
# should be accepted in addition to "ecdsa"
_ECDSA_KEYTYPES = ["ecdsa", "ecdsa-sha2-nistp256"]
_ECDSA_KEYTYPES = [KEY_TYPE_ECDSA, ECDSA_SHA2_NISTP256]


def _get_rsa_padding(name: str, hash_algorithm: "HashAlgorithm") -> "AsymmetricPadding":
Expand Down Expand Up @@ -126,15 +141,15 @@ def __init__(
self._private_key: PrivateKeyTypes
self._sign_args: _RSASignArgs | _ECDSASignArgs | _NoSignArgs

if public_key.keytype == "rsa" and public_key.scheme in [
"rsassa-pss-sha224",
"rsassa-pss-sha256",
"rsassa-pss-sha384",
"rsassa-pss-sha512",
"rsa-pkcs1v15-sha224",
"rsa-pkcs1v15-sha256",
"rsa-pkcs1v15-sha384",
"rsa-pkcs1v15-sha512",
if public_key.keytype == KEY_TYPE_RSA and public_key.scheme in [
RSASSA_PSS_SHA224,
RSASSA_PSS_SHA256,
RSASSA_PSS_SHA384,
RSASSA_PSS_SHA512,
RSA_PKCS1V15_SHA224,
RSA_PKCS1V15_SHA256,
RSA_PKCS1V15_SHA384,
RSA_PKCS1V15_SHA512,
]:
if not isinstance(private_key, RSAPrivateKey):
raise ValueError(f"invalid rsa key: {type(private_key)}")
Expand All @@ -150,7 +165,7 @@ def __init__(

elif (
public_key.keytype in _ECDSA_KEYTYPES
and public_key.scheme == "ecdsa-sha2-nistp256"
and public_key.scheme == ECDSA_SHA2_NISTP256
):
if not isinstance(private_key, EllipticCurvePrivateKey):
raise ValueError(f"invalid ecdsa key: {type(private_key)}")
Expand All @@ -159,7 +174,7 @@ def __init__(
self._sign_args = _ECDSASignArgs(signature_algorithm)
self._private_key = private_key

elif public_key.keytype == "ed25519" and public_key.scheme == "ed25519":
elif public_key.keytype == KEY_TYPE_ED25519 and public_key.scheme == ED25519:
if not isinstance(private_key, Ed25519PrivateKey):
raise ValueError(f"invalid ed25519 key: {type(private_key)}")

Expand Down Expand Up @@ -264,13 +279,13 @@ def generate_ed25519(
raise UnsupportedLibraryError(CRYPTO_IMPORT_ERROR)

private_key = Ed25519PrivateKey.generate()
public_key = SSlibKey.from_crypto(private_key.public_key(), keyid, "ed25519")
public_key = SSlibKey.from_crypto(private_key.public_key(), keyid, ED25519)
return CryptoSigner(private_key, public_key)

@staticmethod
def generate_rsa(
keyid: str | None = None,
scheme: str | None = "rsassa-pss-sha256",
scheme: str | None = RSASSA_PSS_SHA256,
size: int = 3072,
) -> "CryptoSigner":
"""Generate new key pair as rsa signer.
Expand Down Expand Up @@ -316,7 +331,7 @@ def generate_ecdsa(

private_key = generate_ec_private_key(SECP256R1())
public_key = SSlibKey.from_crypto(
private_key.public_key(), keyid, "ecdsa-sha2-nistp256"
private_key.public_key(), keyid, ECDSA_SHA2_NISTP256
)
return CryptoSigner(private_key, public_key)

Expand Down
50 changes: 30 additions & 20 deletions securesystemslib/signer/_gcp_signer.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,16 @@
from urllib import parse

from securesystemslib import exceptions
from securesystemslib.signer._constants import (
ECDSA_SHA2_NISTP256,
ECDSA_SHA2_NISTP384,
KEY_TYPE_ECDSA,
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA256,
RSA_PKCS1V15_SHA512,
RSASSA_PSS_SHA256,
RSASSA_PSS_SHA512,
)
from securesystemslib.signer._key import Key, SSlibKey
from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
from securesystemslib.signer._utils import compute_default_keyid
Expand All @@ -20,44 +30,44 @@

KEYTYPES_AND_SCHEMES = {
CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
"ecdsa",
"ecdsa-sha2-nistp256",
KEY_TYPE_ECDSA,
ECDSA_SHA2_NISTP256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
"ecdsa",
"ecdsa-sha2-nistp384",
KEY_TYPE_ECDSA,
ECDSA_SHA2_NISTP384,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
"rsa",
"rsassa-pss-sha256",
KEY_TYPE_RSA,
RSASSA_PSS_SHA256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
"rsa",
"rsassa-pss-sha256",
KEY_TYPE_RSA,
RSASSA_PSS_SHA256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
"rsa",
"rsassa-pss-sha256",
KEY_TYPE_RSA,
RSASSA_PSS_SHA256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
"rsa",
"rsassa-pss-sha512",
KEY_TYPE_RSA,
RSASSA_PSS_SHA512,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: (
"rsa",
"rsa-pkcs1v15-sha256",
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: (
"rsa",
"rsa-pkcs1v15-sha256",
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: (
"rsa",
"rsa-pkcs1v15-sha256",
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA256,
),
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: (
"rsa",
"rsa-pkcs1v15-sha512",
KEY_TYPE_RSA,
RSA_PKCS1V15_SHA512,
),
}
except ImportError:
Expand Down
Loading