
Conversation


@lukpueh lukpueh commented Nov 23, 2023

Fixes #616

This newly public SSlibKey factory allows more flexible usage than the existing from_pem, which was just a thin wrapper on top of it.

Additional use cases are creating a key from a pyca/crypto private key object (see CryptoSigner) or from a different serialization format than PEM.

To keep the API small, this PR removes from_pem. It seems reasonable to just have application code call pyca/cryptography's "from pem" function themselves.

Lukas Puehringer added 2 commits November 23, 2023 11:00
Allows more use cases, e.g. create SSlibKey
- from pyca/crypto private key (see CryptoSigner), or
- from some serialization format, supported by pyca/crypto (see
  SSlibKey.from_pem)

The commit adds tests to check if the interface correctly raises
UnsupportedLibraryError if pyca/cryptography is not installed.

Functionality is tested implicitly via SSlibKey.from_pem.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The more flexible SSlibKey.from_crypto can be used instead.

The additional call to pyca/crypto's "from pem" method can
easily be done in application code.

This commit updates tests and docs to use from_crypto instead.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
lukpueh pushed a commit to lukpueh/in-toto that referenced this pull request Nov 23, 2023
blocks on:
- in-toto#649, and
- secure-systems-lab/securesystemslib#678 + release

---

This is meant as a replacement for `--layout-keys`, supporting a
consistent standard key file format (subjectPublicKeyInfo/pem).

It is part of a series of patches to prepare for deprecation of legacy
securesystemslib interfaces and key file formats.

**Change details**

Adds helper to load public key file as SSlibKey and uses it in
in-toto-verify for keys passed with --subjectPublicKeyInfo.
NOTE: uses unreleased securesystemslib API, which **blocks** this PR.

SSlibKey is converted to its dictionary representation with the keyid
included, to make it compatible with verifylib.in_toto_verify.

In the future we might want to support Key (SSlibKey's base class)
natively in in_toto_verify.

This PR also adds a deprecation warning for --layout-keys and tests
using the demo supply chain.

Test public key files come from secure-systems-lab/securesystemslib#604.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
lukpueh pushed a commit to lukpueh/in-toto that referenced this pull request Nov 24, 2023
blocks on:
- in-toto#649, and
- secure-systems-lab/securesystemslib#678 + release

---

This is meant as a replacement for `--layout-keys`, supporting a
consistent standard key file format (subjectPublicKeyInfo/pem).

It is part of a series of patches to prepare for deprecation of legacy
securesystemslib interfaces and key file formats.

**Change details**

Adds helper to load public key file as SSlibKey and convert it to its
dictionary representation with the keyid included, to make it compatible
with verifylib.in_toto_verify.

in-toto-verify uses this for keys passed with --subjectPublicKeyInfo.

NOTE: requires unreleased securesystemslib API, which **blocks** this PR.

In the future we might want to support Key (SSlibKey's base class)
natively in in_toto_verify.

This PR also adds a deprecation warning for --layout-keys and tests
using the demo supply chain.

Test public key files come from secure-systems-lab/securesystemslib#604.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@lukpueh lukpueh merged commit a3651a1 into secure-systems-lab:main Nov 28, 2023

Development

Successfully merging this pull request may close these issues.

key: consider making SSlibKey._from_crypto_public_key public API
