update python annotations to 3.9

Signed-off-by: NicholasTanz <[email protected]>

pyproject.toml

@@ -37,7 +37,7 @@ classifiers = [
     "Topic :: Security",
     "Topic :: Software Development",
 ]
-requires-python = "~=3.8"
+requires-python = "~=3.9"
 dynamic = ["version"]
 
 [project.urls]

securesystemslib/_gpg/constants.py

@@ -21,7 +21,7 @@
 import os
 import shlex
 import subprocess
-from typing import List, Optional
+from typing import Optional
 
 log = logging.getLogger(__name__)
 
@@ -72,7 +72,7 @@ def have_gpg() -> bool:
     return bool(gpg_command())
 
 
-def gpg_version_command() -> List[str]:
+def gpg_version_command() -> list[str]:
     """Returns the command to get the current GPG version."""
     return shlex.split(f"{gpg_command()} --version")
 
@@ -84,14 +84,14 @@ def gpg_version_command() -> List[str]:
 )
 
 
-def gpg_sign_command(keyarg: str, homearg: str) -> List[str]:
+def gpg_sign_command(keyarg: str, homearg: str) -> list[str]:
     """Returns the command to use GPG to sign STDIN."""
     return shlex.split(
         f"{gpg_command()} --detach-sign --digest-algo SHA256 {keyarg} {homearg}"
     )
 
 
-def gpg_export_pubkey_command(homearg: str, keyid: str) -> List[str]:
+def gpg_export_pubkey_command(homearg: str, keyid: str) -> list[str]:
     """Returns the GPG command to export a public key."""
     return shlex.split(f"{gpg_command()} {homearg} --export {keyid}")
 

securesystemslib/dsse.py

@@ -1,7 +1,7 @@
 """Dead Simple Signing Envelope"""
 
 import logging
-from typing import Any, Dict, List
+from typing import Any
 
 from securesystemslib import exceptions
 from securesystemslib._internal.utils import b64dec, b64enc
@@ -24,7 +24,7 @@ def __init__(
         self,
         payload: bytes,
         payload_type: str,
-        signatures: Dict[str, Signature],
+        signatures: dict[str, Signature],
     ):
         self.payload = payload
         self.payload_type = payload_type
@@ -112,7 +112,7 @@ def sign(self, signer: Signer) -> Signature:
 
         return signature
 
-    def verify(self, keys: List[Key], threshold: int) -> Dict[str, Key]:
+    def verify(self, keys: list[Key], threshold: int) -> dict[str, Key]:
         """Verify the payload with the provided Keys.
 
         Arguments:

securesystemslib/signer/_aws_signer.py

@@ -1,7 +1,7 @@
 """Signer implementation for AWS Key Management Service"""
 
 import logging
-from typing import List, Optional, Tuple
+from typing import Optional
 from urllib import parse
 
 from securesystemslib.exceptions import (
@@ -101,7 +101,7 @@ def from_priv_key_uri(
         return cls(uri.path, public_key)
 
     @classmethod
-    def _get_default_scheme(cls, supported_by_key: List[str]) -> Optional[str]:
+    def _get_default_scheme(cls, supported_by_key: list[str]) -> Optional[str]:
         # Iterate over supported AWS algorithms, pick the **first** that is also
         # supported by the key, and return the related securesystemslib scheme.
         for scheme, algo in cls.aws_algos.items():
@@ -120,7 +120,7 @@ def _get_keytype_for_scheme(scheme: str) -> str:
     @classmethod
     def import_(
         cls, aws_key_id: str, local_scheme: Optional[str] = None
-    ) -> Tuple[str, Key]:
+    ) -> tuple[str, Key]:
         """Loads a key and signer details from AWS KMS.
 
         Returns the private key uri and the public key. This method should only

securesystemslib/signer/_azure_signer.py

@@ -1,7 +1,7 @@
 """Signer implementation for Azure Key Vault"""
 
 import logging
-from typing import Optional, Tuple
+from typing import Optional
 from urllib import parse
 
 import securesystemslib.hash as sslib_hash
@@ -165,7 +165,7 @@ def _get_hash_algorithm(public_key: "Key") -> str:
         raise UnsupportedKeyType("Unsupported curve supplied by key")
 
     @staticmethod
-    def _get_keytype_and_scheme(crv: str) -> Tuple[str, str]:
+    def _get_keytype_and_scheme(crv: str) -> tuple[str, str]:
         if crv == KeyCurveName.p_256:
             return "ecdsa", "ecdsa-sha2-nistp256"
         if crv == KeyCurveName.p_384:
@@ -191,7 +191,7 @@ def from_priv_key_uri(
         return cls(az_key_uri, public_key)
 
     @classmethod
-    def import_(cls, az_vault_name: str, az_key_name: str) -> Tuple[str, Key]:
+    def import_(cls, az_vault_name: str, az_key_name: str) -> tuple[str, Key]:
         """Load key and signer details from KMS
 
         Returns the private key uri and the public key. This method should only

securesystemslib/signer/_gcp_signer.py

@@ -1,7 +1,7 @@
 """Signer implementation for Google Cloud KMS"""
 
 import logging
-from typing import Optional, Tuple
+from typing import Optional
 from urllib import parse
 
 import securesystemslib.hash as sslib_hash
@@ -83,7 +83,7 @@ def from_priv_key_uri(
         return cls(uri.path, public_key)
 
     @classmethod
-    def import_(cls, gcp_keyid: str) -> Tuple[str, Key]:
+    def import_(cls, gcp_keyid: str) -> tuple[str, Key]:
         """Load key and signer details from KMS
 
         Returns the private key uri and the public key. This method should only
@@ -109,7 +109,7 @@ def import_(cls, gcp_keyid: str) -> Tuple[str, Key]:
         return f"{cls.SCHEME}:{gcp_keyid}", public_key
 
     @staticmethod
-    def _get_keytype_and_scheme(algorithm: int) -> Tuple[str, str]:
+    def _get_keytype_and_scheme(algorithm: int) -> tuple[str, str]:
         """Return keytype and scheme for the KMS algorithm enum"""
         keytypes_and_schemes = {
             CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (

securesystemslib/signer/_gpg_signer.py

@@ -1,7 +1,7 @@
 """Signer implementation for OpenPGP"""
 
 import logging
-from typing import Any, Dict, Optional, Tuple
+from typing import Any, Optional
 from urllib import parse
 
 from securesystemslib import exceptions
@@ -32,11 +32,11 @@ class GPGKey(Key):
     """
 
     @classmethod
-    def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "GPGKey":
+    def from_dict(cls, keyid: str, key_dict: dict[str, Any]) -> "GPGKey":
         keytype, scheme, keyval = cls._from_dict(key_dict)
         return cls(keyid, keytype, scheme, keyval, key_dict)
 
-    def to_dict(self) -> Dict:
+    def to_dict(self) -> dict:
         return self._to_dict()
 
     def verify_signature(self, signature: Signature, data: bytes) -> None:
@@ -113,20 +113,20 @@ def from_priv_key_uri(
         return cls(public_key, homedir)
 
     @staticmethod
-    def _sig_to_legacy_dict(sig: Signature) -> Dict:
+    def _sig_to_legacy_dict(sig: Signature) -> dict:
         """Helper to convert Signature to internal gpg signature dict format."""
         sig_dict = sig.to_dict()
         sig_dict["signature"] = sig_dict.pop("sig")
         return sig_dict
 
     @staticmethod
-    def _sig_from_legacy_dict(sig_dict: Dict) -> Signature:
+    def _sig_from_legacy_dict(sig_dict: dict) -> Signature:
         """Helper to convert internal gpg signature format to Signature."""
         sig_dict["sig"] = sig_dict.pop("signature")
         return Signature.from_dict(sig_dict)
 
     @staticmethod
-    def _key_to_legacy_dict(key: GPGKey) -> Dict[str, Any]:
+    def _key_to_legacy_dict(key: GPGKey) -> dict[str, Any]:
         """Returns legacy dictionary representation of self."""
         return {
             "keyid": key.keyid,
@@ -137,7 +137,7 @@ def _key_to_legacy_dict(key: GPGKey) -> Dict[str, Any]:
         }
 
     @staticmethod
-    def _key_from_legacy_dict(key_dict: Dict[str, Any]) -> GPGKey:
+    def _key_from_legacy_dict(key_dict: dict[str, Any]) -> GPGKey:
         """Create GPGKey from legacy dictionary representation."""
         keyid = key_dict["keyid"]
         keytype = key_dict["type"]
@@ -147,7 +147,7 @@ def _key_from_legacy_dict(key_dict: Dict[str, Any]) -> GPGKey:
         return GPGKey(keyid, keytype, scheme, keyval)
 
     @classmethod
-    def import_(cls, keyid: str, homedir: Optional[str] = None) -> Tuple[str, Key]:
+    def import_(cls, keyid: str, homedir: Optional[str] = None) -> tuple[str, Key]:
         """Load key and signer details from GnuPG keyring.
 
         NOTE: Information about the key validity (expiration, revocation, etc.)

securesystemslib/signer/_hsm_signer.py

@@ -6,8 +6,9 @@
 """
 
 import binascii
+from collections.abc import Iterator
 from contextlib import contextmanager
-from typing import Dict, Iterator, List, Optional, Tuple
+from typing import Optional
 from urllib import parse
 
 from securesystemslib.exceptions import UnsupportedLibraryError
@@ -125,7 +126,7 @@ def pin_handler(secret: str) -> str:
     def __init__(
         self,
         hsm_keyid: int,
-        token_filter: Dict[str, str],
+        token_filter: dict[str, str],
         public_key: Key,
         pin_handler: SecretsHandler,
     ):
@@ -151,13 +152,13 @@ def public_key(self) -> Key:
         return self._public_key
 
     @staticmethod
-    def _find_pkcs_slot(filters: Dict[str, str]) -> int:
+    def _find_pkcs_slot(filters: dict[str, str]) -> int:
         """Return the PKCS slot with initialized token that matches filter
 
         Raises ValueError if more or less than 1 PKCS slot is found.
         """
         lib = PYKCS11LIB()
-        slots: List[int] = []
+        slots: list[int] = []
         for slot in lib.getSlotList(tokenPresent=True):
             tokeninfo = lib.getTokenInfo(slot)
             if not tokeninfo.flags & PyKCS11.CKF_TOKEN_INITIALIZED:
@@ -183,7 +184,7 @@ def _find_pkcs_slot(filters: Dict[str, str]) -> int:
 
     @staticmethod
     @contextmanager
-    def _get_session(filters: Dict[str, str]) -> Iterator["PyKCS11.Session"]:
+    def _get_session(filters: dict[str, str]) -> Iterator["PyKCS11.Session"]:
         """Context manager to handle a HSM session.
 
         The cryptographic token is selected by filtering by token info fields.
@@ -226,7 +227,7 @@ def _find_key(
     @classmethod
     def _find_key_values(
         cls, session: "PyKCS11.Session", keyid: int
-    ) -> Tuple["ECDomainParameters", bytes]:
+    ) -> tuple["ECDomainParameters", bytes]:
         """Find ecdsa public key values on HSM."""
         key = cls._find_key(session, keyid)
         params, point = session.getAttributeValue(
@@ -235,7 +236,7 @@ def _find_key_values(
         return ECDomainParameters.load(bytes(params)), bytes(point)
 
     @classmethod
-    def _build_token_filter(cls) -> Dict[str, str]:
+    def _build_token_filter(cls) -> dict[str, str]:
         """Builds a token filter for the found cryptographic token.
 
         The filter will include 'label' if one is found on token.
@@ -261,8 +262,8 @@ def _build_token_filter(cls) -> Dict[str, str]:
     def import_(
         cls,
         hsm_keyid: Optional[int] = None,
-        token_filter: Optional[Dict[str, str]] = None,
-    ) -> Tuple[str, SSlibKey]:
+        token_filter: Optional[dict[str, str]] = None,
+    ) -> tuple[str, SSlibKey]:
         """Import public key and signer details from HSM.
 
         Either only one cryptographic token must be present when importing or a

securesystemslib/signer/_key.py

@@ -2,7 +2,7 @@
 
 import logging
 from abc import ABCMeta, abstractmethod
-from typing import Any, Dict, Optional, Tuple, Type, cast
+from typing import Any, Optional, cast
 
 from securesystemslib._vendor.ed25519.ed25519 import (
     SignatureMismatch,
@@ -59,7 +59,7 @@
 
 # NOTE Key dispatch table is defined here so it's usable by Key,
 # but is populated in __init__.py (and can be appended by users).
-KEY_FOR_TYPE_AND_SCHEME: Dict[Tuple[str, str], Type] = {}
+KEY_FOR_TYPE_AND_SCHEME: dict[tuple[str, str], type] = {}
 """Key dispatch table for ``Key.from_dict()``
 
 See ``securesystemslib.signer.KEY_FOR_TYPE_AND_SCHEME`` for default key types
@@ -93,8 +93,8 @@ def __init__(
         keyid: str,
         keytype: str,
         scheme: str,
-        keyval: Dict[str, Any],
-        unrecognized_fields: Optional[Dict[str, Any]] = None,
+        keyval: dict[str, Any],
+        unrecognized_fields: Optional[dict[str, Any]] = None,
     ):
         if not all(
             isinstance(at, str) for at in [keyid, keytype, scheme]
@@ -124,7 +124,7 @@ def __eq__(self, other: Any) -> bool:
 
     @classmethod
     @abstractmethod
-    def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "Key":
+    def from_dict(cls, keyid: str, key_dict: dict[str, Any]) -> "Key":
         """Creates ``Key`` object from a serialization dict
 
         Key implementations must override this factory constructor that is used
@@ -145,17 +145,17 @@ def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "Key":
         # NOTE: Explicitly not checking the keytype and scheme types to allow
         # intoto to use (None,None) to lookup GPGKey, see issue #450
         key_impl = KEY_FOR_TYPE_AND_SCHEME[(keytype, scheme)]  # type: ignore
-        return key_impl.from_dict(keyid, key_dict)
+        return key_impl.from_dict(keyid, key_dict)  # type: ignore
 
     @abstractmethod
-    def to_dict(self) -> Dict[str, Any]:
+    def to_dict(self) -> dict[str, Any]:
         """Returns a serialization dict.
 
         Key implementations must override this serialization helper.
         """
         raise NotImplementedError
 
-    def _to_dict(self) -> Dict[str, Any]:
+    def _to_dict(self) -> dict[str, Any]:
         """Serialization helper to add base Key fields to a dict.
 
         Key implementations may call this in their to_dict, which they must
@@ -169,7 +169,7 @@ def _to_dict(self) -> Dict[str, Any]:
         }
 
     @staticmethod
-    def _from_dict(key_dict: Dict[str, Any]) -> Tuple[str, str, Dict[str, Any]]:
+    def _from_dict(key_dict: dict[str, Any]) -> tuple[str, str, dict[str, Any]]:
         """Deserialization helper to pop base Key fields off the dict.
 
         Key implementations may call this in their from_dict, in order to parse
@@ -206,21 +206,21 @@ def __init__(
         keyid: str,
         keytype: str,
         scheme: str,
-        keyval: Dict[str, Any],
-        unrecognized_fields: Optional[Dict[str, Any]] = None,
+        keyval: dict[str, Any],
+        unrecognized_fields: Optional[dict[str, Any]] = None,
     ):
         if "public" not in keyval or not isinstance(keyval["public"], str):
             raise ValueError(f"public key string required for scheme {scheme}")
         super().__init__(keyid, keytype, scheme, keyval, unrecognized_fields)
 
     @classmethod
-    def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "SSlibKey":
+    def from_dict(cls, keyid: str, key_dict: dict[str, Any]) -> "SSlibKey":
         keytype, scheme, keyval = cls._from_dict(key_dict)
 
         # All fields left in the key_dict are unrecognized.
         return cls(keyid, keytype, scheme, keyval, key_dict)
 
-    def to_dict(self) -> Dict[str, Any]:
+    def to_dict(self) -> dict[str, Any]:
         return self._to_dict()
 
     def _crypto_key(self) -> "PublicKeyTypes":
@@ -229,7 +229,7 @@ def _crypto_key(self) -> "PublicKeyTypes":
         return load_pem_public_key(public_bytes)
 
     @staticmethod
-    def _from_crypto(public_key: "PublicKeyTypes") -> Tuple[str, str, str]:
+    def _from_crypto(public_key: "PublicKeyTypes") -> tuple[str, str, str]:
         """Return tuple of keytype, default scheme and serialized public key
         value for the passed public key.