secure-systems-lab · lukpueh · Mar 20, 2025 · Mar 19, 2025 · Mar 20, 2025 · Mar 20, 2025
diff --git a/securesystemslib/signer/_azure_signer.py b/securesystemslib/signer/_azure_signer.py
@@ -2,10 +2,10 @@
 
 from __future__ import annotations
 
+import hashlib
 import logging
 from urllib import parse
 
-import securesystemslib.hash as sslib_hash
 from securesystemslib.exceptions import UnsupportedLibraryError
 from securesystemslib.signer._key import Key, SSlibKey
 from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
@@ -245,7 +245,7 @@ def sign(self, payload: bytes) -> Signature:
             Signature.
         """
 
-        hasher = sslib_hash.digest(self.hash_algorithm)
+        hasher = hashlib.new(self.hash_algorithm)
         hasher.update(payload)
         digest = hasher.digest()
         response = self.crypto_client.sign(self.signature_algorithm, digest)

diff --git a/securesystemslib/signer/_gcp_signer.py b/securesystemslib/signer/_gcp_signer.py
@@ -2,10 +2,10 @@
 
 from __future__ import annotations
 
+import hashlib
 import logging
 from urllib import parse
 
-import securesystemslib.hash as sslib_hash
 from securesystemslib import exceptions
 from securesystemslib.signer._key import Key, SSlibKey
 from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
@@ -180,7 +180,12 @@ def _get_hash_algorithm(public_key: Key) -> str:
             )
 
         # trigger UnsupportedAlgorithm if appropriate
-        _ = sslib_hash.digest(algo)
+        # TODO: deduplicate scheme parsing and improve validation (#594, #766)
+        try:
+            _ = hashlib.new(algo)
+        except (ValueError, TypeError) as e:
+            raise exceptions.UnsupportedAlgorithmError(algo) from e
+
         return algo
 
     def sign(self, payload: bytes) -> Signature:
@@ -198,7 +203,7 @@ def sign(self, payload: bytes) -> Signature:
         # NOTE: request and response can contain CRC32C of the digest/sig:
         # Verifying could be useful but would require another dependency...
 
-        hasher = sslib_hash.digest(self.hash_algorithm)
+        hasher = hashlib.new(self.hash_algorithm)
         hasher.update(payload)
         digest = {self.hash_algorithm: hasher.digest()}
         request = {"name": self.gcp_keyid, "digest": digest}

diff --git a/securesystemslib/signer/_hsm_signer.py b/securesystemslib/signer/_hsm_signer.py
@@ -8,12 +8,12 @@
 from __future__ import annotations
 
 import binascii
+import hashlib
 from collections.abc import Iterator
 from contextlib import contextmanager
 from urllib import parse
 
 from securesystemslib.exceptions import UnsupportedLibraryError
-from securesystemslib.hash import digest
 from securesystemslib.signer._key import Key, SSlibKey
 from securesystemslib.signer._signature import Signature
 from securesystemslib.signer._signer import SecretsHandler, Signer
@@ -370,7 +370,7 @@ def sign(self, payload: bytes) -> Signature:
             Signature.
         """
 
-        hasher = digest(algorithm=f"sha{self.public_key.scheme[-3:]}")
+        hasher = hashlib.new(name=f"sha{self.public_key.scheme[-3:]}")
         hasher.update(payload)
 
         pin = self.pin_handler(self.SECRETS_HANDLER_MSG)

diff --git a/securesystemslib/signer/_utils.py b/securesystemslib/signer/_utils.py
@@ -2,11 +2,11 @@
 
 from __future__ import annotations
 
+import hashlib
 from typing import Any
 
 from securesystemslib.exceptions import FormatError
 from securesystemslib.formats import encode_canonical
-from securesystemslib.hash import digest
 
 
 def compute_default_keyid(keytype: str, scheme, keyval: dict[str, Any]) -> str:
@@ -22,6 +22,5 @@ def compute_default_keyid(keytype: str, scheme, keyval: dict[str, Any]) -> str:
         byte_data: bytes = data.encode("utf-8")
     else:
         raise FormatError("Failed to encode data into canonical json")
-    hasher = digest("sha256")
-    hasher.update(byte_data)
-    return hasher.hexdigest()
+
+    return hashlib.sha256(byte_data).hexdigest()