Adds keyid_hash_algorithms to returned key objects #37
Conversation
PUBLIC_KEY_SCHEMA used to behave like KEY_SCHEMA (without optional private portion). This commit changes it to behave like the newer ANYKEY_SCHEMA (without optional private portion) which adds an optional keyid_hash_algorithm.
The functions listed below all return key objects that can carry an optional keyid_hash_algorithms field according to their schema. This commit adds the keyid_hash_algorithm field to the returned object of: interface.import_ed25519_privatekey_from_file interface.import_ecdsa_privatekey_from_file keys.generate_ecdsa_key keys.import_rsakey_from_public_pem keys.import_rsakey_from_pem keys.import_ecdsakey_from_private_pem keys.import_ecdsakey_from_public_pem The reason to add this field is to be able to associate a key with e.g. a signature created by that key, but listing a different keyid, because a different keyid hash algorithm was used. By trying all possible algorithms, the key can still be matched.
|
Can you please include a code snippet of the changed behavior, similar to how @Awaad demonstrated the problem in the original issue? |
| @@ -237,10 +237,11 @@ | |||
| keyval = KEYVAL_SCHEMA, | |||
| expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA)) | |||
|
|
|||
| # Like KEY_SCHEMA, but requires keyval's private portion to be not set or empty | |||
| # Like ANYKEY_SCHEMA, but requires keyval's private portion to be not set or empty | |||
There was a problem hiding this comment.
NOTE: I don't see any major issues with this pull request, but I will make minor edits to your pull request for any minor issues. I will share my in-line comments on this pull request for documentation purposes.
This SCHEMA is more like KEY_SCHEMA, since ANYKEY_SCHEMA contains an attribute (keyid) that ANYKEY_SCHEMA doesn't. PUBLIC_KEY_SCHEMA matches KEY_SCHEMA, and will now differ with the keyid_hash_algorithms and keyval attributes.
| @@ -237,10 +237,11 @@ | |||
| keyval = KEYVAL_SCHEMA, | |||
| expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA)) | |||
|
|
|||
| # Like KEY_SCHEMA, but requires keyval's private portion to be not set or empty | |||
| # Like ANYKEY_SCHEMA, but requires keyval's private portion to be not set or empty | |||
| PUBLIC_KEY_SCHEMA = SCHEMA.Object( | |||
| object_name = 'KEY_SCHEMA', | |||
There was a problem hiding this comment.
Wrong object_name. Should be PUBLIC_KEY_SCHEMA.
| @@ -1316,6 +1326,11 @@ def import_rsakey_from_pem(pem): | |||
| rsakey_dict['keyid'] = keyid | |||
| rsakey_dict['keyval'] = key_value | |||
|
|
|||
| # Add "keyid_hash_algorithms" so equal ecdsa keys with | |||
There was a problem hiding this comment.
This should be "so that equal RSA keys ..."
Fixes #36 and, once integrated and TUF is updated to use the new version, theupdateframework/python-tuf#412.
The functions listed below all return key objects that can carry an optional
keyid_hash_algorithmsfield according to their schema. With this PR we always add thekeyid_hash_algorithmfield to the returned object, in:e.g.:
The PR also changes PUBLIC_KEY_SCHEMA to accept the optional
keyid_hash_algorithm(like ANYKEY_SCHEMA).The reason for adding this field is to be able to associate a key with e.g. a signature created by that key, but listing a different keyid, because a different keyid hash algorithm was used. By trying all possible algorithms, the key can still be matched.