Merge pull request secure-systems-lab#391 from MVrachev/exceptions-re…

…raise Improve handling of errors in securesystemslib.keys.vertify_signature()
lukpueh · Feb 17, 2022 · 075043e · 075043e
2 parents 934fc1b + c4dba90
commit 075043e
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/securesystemslib/ecdsa_keys.py b/securesystemslib/ecdsa_keys.py
@@ -311,8 +311,11 @@ def verify_signature(public_key, scheme, signature, data):
   formats.ECDSA_SCHEME_SCHEMA.check_match(scheme)
   formats.ECDSASIGNATURE_SCHEMA.check_match(signature)
 
-  ecdsa_key = load_pem_public_key(public_key.encode('utf-8'),
-      backend=default_backend())
+  try:
+    ecdsa_key = load_pem_public_key(public_key.encode('utf-8'),
+        backend=default_backend())
+  except ValueError as e:
+    raise exceptions.FormatError(f'Failed to load PEM key {public_key}') from e
 
   if not isinstance(ecdsa_key, ec.EllipticCurvePublicKey):
     raise exceptions.FormatError('Invalid ECDSA public'

diff --git a/securesystemslib/keys.py b/securesystemslib/keys.py
@@ -838,7 +838,12 @@ def verify_signature(key_dict, signature, data):
 
   elif keytype == 'ed25519':
     if scheme == 'ed25519':
-      public = binascii.unhexlify(public.encode('utf-8'))
+      try:
+        public = binascii.unhexlify(public.encode('utf-8'))
+      except binascii.Error as e:
+        raise exceptions.FormatError(
+          f'Failed to parse key {public} as hex'
+        ) from e
       valid_signature = ed25519_keys.verify_signature(public,
           scheme, sig, data)
 

diff --git a/tests/test_keys.py b/tests/test_keys.py
@@ -379,6 +379,22 @@ def test_verify_signature(self):
         ed25519_signature, DATA)
     self.assertTrue(verified, "Incorrect signature.")
 
+    # Verify ecdsa key with HEX encoded keyval instead of PEM encoded keyval
+    ecdsa_key = KEYS.generate_ecdsa_key()
+    ecdsa_key['keyval']['public'] = 'abcd'
+    # sig is not important as long as keyid is the same as the one in ecdsa_key
+    sig = {'keyid': ecdsa_key['keyid'], 'sig': 'bb'}
+    with self.assertRaises(securesystemslib.exceptions.FormatError):
+        KEYS.verify_signature(ecdsa_key, sig, b'data')
+
+    # Verify ed25519 key with PEM encoded keyval instead of HEX encoded keyval
+    ed25519 = KEYS.generate_ed25519_key()
+    ed25519['keyval']['public'] = \
+        '-----BEGIN PUBLIC KEY-----\nfoo\n-----END PUBLIC KEY-----\n'
+    # sig is not important as long as keyid is the same as the one in ed25519
+    sig = {'keyid': ed25519['keyid'], 'sig': 'bb'}
+    with self.assertRaises(securesystemslib.exceptions.FormatError):
+        KEYS.verify_signature(ed25519, sig, b'data')
 
 
   def test_create_rsa_encrypted_pem(self):