Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expect bytes in create_ and verify_signature; do not serialize #162

Merged
merged 1 commit into from
Feb 19, 2019
Merged

Expect bytes in create_ and verify_signature; do not serialize #162

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 14 additions & 20 deletions securesystemslib/keys.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -662,7 +662,10 @@ def create_signature(key_dict, data):
The public and private keys are strings in PEM format.

data:
Data object used by create_signature() to generate the signature.
Data to be signed. This should be a bytes object; data should be
encoded/serialized before it is passed here. The same value can be be
passed into securesystemslib.verify_signature() (along with the public
key) to later verify the signature.

<Exceptions>
securesystemslib.exceptions.FormatError, if 'key_dict' is improperly
Expand Down Expand Up @@ -702,17 +705,11 @@ def create_signature(key_dict, data):
keyid = key_dict['keyid']
sig = None

# Convert 'data' to canonical JSON format so that repeatable signatures are
# generated across different platforms and Python key dictionaries. The
# resulting 'data' is a string encoded in UTF-8 and compatible with the input
# expected by the cryptography functions called below.
data = securesystemslib.formats.encode_canonical(data)

if keytype == 'rsa':
if scheme == 'rsassa-pss-sha256':
private = private.replace('\r\n', '\n')
sig, scheme = securesystemslib.pyca_crypto_keys.create_rsa_signature(private,
data.encode('utf-8'), scheme)
sig, scheme = securesystemslib.pyca_crypto_keys.create_rsa_signature(
private, data, scheme)

else:
raise securesystemslib.exceptions.UnsupportedAlgorithmError('Unsupported'
Expand All @@ -721,12 +718,12 @@ def create_signature(key_dict, data):
elif keytype == 'ed25519':
public = binascii.unhexlify(public.encode('utf-8'))
private = binascii.unhexlify(private.encode('utf-8'))
sig, scheme = securesystemslib.ed25519_keys.create_signature(public,
private, data.encode('utf-8'), scheme)
sig, scheme = securesystemslib.ed25519_keys.create_signature(
public, private, data, scheme)

elif keytype == 'ecdsa-sha2-nistp256':
sig, scheme = securesystemslib.ecdsa_keys.create_signature(public, private,
data.encode('utf-8'), scheme)
sig, scheme = securesystemslib.ecdsa_keys.create_signature(
public, private, data, scheme)

# 'securesystemslib.formats.ANYKEY_SCHEMA' should have detected invalid key
# types. This is a defensive check against an invalid key type.
Expand Down Expand Up @@ -795,8 +792,10 @@ def verify_signature(key_dict, signature, data):
Conformant to 'securesystemslib.formats.SIGNATURE_SCHEMA'.

data:
Data object used by securesystemslib.rsa_key.create_signature() to
generate 'signature'. 'data' is needed here to verify the signature.
Data that the signature is expected to be over. This should be a bytes
object; data should be encoded/serialized before it is passed here.)
This is the same value that can be passed into
securesystemslib.create_signature() in order to create the signature.

<Exceptions>
securesystemslib.exceptions.FormatError, raised if either 'key_dict' or
Expand Down Expand Up @@ -846,11 +845,6 @@ def verify_signature(key_dict, signature, data):
scheme = key_dict['scheme']
valid_signature = False

# Convert 'data' to canonical JSON format so that repeatable signatures are
# generated across different platforms and Python key dictionaries. The
# resulting 'data' is a string encoded in UTF-8 and compatible with the input
# expected by the cryptography functions called below.
data = securesystemslib.formats.encode_canonical(data).encode('utf-8')

if keytype == 'rsa':
if scheme == 'rsassa-pss-sha256':
Expand Down
6 changes: 4 additions & 2 deletions tests/test_keys.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,8 @@
KEYS = securesystemslib.keys
FORMAT_ERROR_MSG = 'securesystemslib.exceptions.FormatError was raised!' + \
' Check object\'s format.'
DATA = 'SOME DATA REQUIRING AUTHENTICITY.'
DATA_STR = 'SOME DATA REQUIRING AUTHENTICITY.'
DATA = securesystemslib.formats.encode_canonical(DATA_STR).encode('utf-8')



Expand Down Expand Up @@ -332,7 +333,8 @@ def test_verify_signature(self):
# 'rsa_signature'. Function should return 'False'.

# Modifying 'DATA'.
_DATA = '1111' + DATA + '1111'
_DATA_STR = '1111' + DATA_STR + '1111'
_DATA = securesystemslib.formats.encode_canonical(_DATA_STR).encode('utf-8')

# Verifying the 'signature' of modified '_DATA'.
verified = KEYS.verify_signature(self.rsakey_dict, rsa_signature, _DATA)
Expand Down