Merge pull request secure-systems-lab#771 from lukpueh/rm-sslibsigner

Remove deprecated SSlibSigner and from/to_securesystemslib_key methods

securesystemslib/signer/__init__.py

@@ -24,13 +24,10 @@
     SpxSigner,
     generate_spx_key_pair,
 )
-from securesystemslib.signer._sslib_signer import SSlibSigner
 
 # Register supported private key uri schemes and the Signers implementing them
 SIGNER_FOR_URI_SCHEME.update(
     {
-        SSlibSigner.ENVVAR_URI_SCHEME: SSlibSigner,
-        SSlibSigner.FILE_URI_SCHEME: SSlibSigner,
         GCPSigner.SCHEME: GCPSigner,
         HSMSigner.SCHEME: HSMSigner,
         GPGSigner.SCHEME: GPGSigner,

securesystemslib/signer/_crypto_signer.py

@@ -2,7 +2,7 @@
 
 import logging
 from dataclasses import astuple, dataclass
-from typing import Any, Dict, Optional, Union
+from typing import Optional, Union
 from urllib import parse
 
 from securesystemslib.exceptions import UnsupportedLibraryError
@@ -189,28 +189,6 @@ def __init__(
     def public_key(self) -> Key:
         return self._public_key
 
-    @classmethod
-    def from_securesystemslib_key(
-        cls, key_dict: Dict[str, Any]
-    ) -> "CryptoSigner":
-        """Factory to create CryptoSigner from securesystemslib private key dict."""
-        private = key_dict["keyval"]["private"]
-        public_key = SSlibKey.from_securesystemslib_key(key_dict)
-
-        private_key: PrivateKeyTypes
-        if public_key.keytype in ["rsa"] + _ECDSA_KEYTYPES:
-            private_key = load_pem_private_key(private.encode(), password=None)
-
-        elif public_key.keytype == "ed25519":
-            private_key = Ed25519PrivateKey.from_private_bytes(
-                bytes.fromhex(private)
-            )
-
-        else:
-            raise ValueError(f"unsupported keytype: {public_key.keytype}")
-
-        return CryptoSigner(private_key, public_key)
-
     @classmethod
     def from_priv_key_uri(
         cls,

securesystemslib/signer/_key.py

@@ -200,34 +200,6 @@ def verify_signature(self, signature: Signature, data: bytes) -> None:
 class SSlibKey(Key):
     """Key implementation for RSA, Ed25519, ECDSA keys"""
 
-    def to_securesystemslib_key(self) -> Dict[str, Any]:
-        """Internal helper, returns a classic securesystemslib keydict.
-
-        .. deprecated:: 0.28.0
-            Please use ``CryptoSigner`` instead of securesystemslib keydicts.
-        """
-        return {
-            "keyid": self.keyid,
-            "keytype": self.keytype,
-            "scheme": self.scheme,
-            "keyval": self.keyval,
-        }
-
-    @classmethod
-    def from_securesystemslib_key(cls, key_dict: Dict[str, Any]) -> "SSlibKey":
-        """Constructor from classic securesystemslib keydict
-
-        .. deprecated:: 0.28.0
-            Please use ``CryptoSigner`` instead of securesystemslib keydicts.
-        """
-        # ensure possible private keys are not included in keyval
-        return SSlibKey(
-            key_dict["keyid"],
-            key_dict["keytype"],
-            key_dict["scheme"],
-            {"public": key_dict["keyval"]["public"]},
-        )
-
     @classmethod
     def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "SSlibKey":
         keytype, scheme, keyval = cls._from_dict(key_dict)

securesystemslib/signer/_signer.py

@@ -30,7 +30,7 @@ class Signer(metaclass=ABCMeta):
 
     Usage example::
 
-        signer = Signer.from_priv_key_uri("envvar:MYPRIVKEY", pub_key)
+        signer = Signer.from_priv_key_uri(uri, pub_key)
         sig = signer.sign(b"data")
 
     Note that signer implementations may raise errors (during both
@@ -39,11 +39,7 @@ class Signer(metaclass=ABCMeta):
     Applications should use generic try-except here if unexpected raises are
     not an option.
 
-    See ``SIGNER_FOR_URI_SCHEME`` for supported private key URI schemes. The
-    currently supported default schemes are:
-
-    * envvar: see ``SSlibSigner`` for details
-    * file: see ``SSlibSigner`` for details
+    See ``SIGNER_FOR_URI_SCHEME`` for supported private key URI schemes.
 
     Interactive applications may also define a secrets handler that allows
     asking for user secrets if they are needed::
@@ -53,14 +49,8 @@ class Signer(metaclass=ABCMeta):
         def sec_handler(secret_name:str) -> str:
             return getpass(f"Enter {secret_name}: ")
 
-        # user will not be asked for a passphrase for unencrypted key
-        uri = "file:keys/mykey?encrypted=false"
         signer = Signer.from_priv_key_uri(uri, pub_key, sec_handler)
 
-        # user will be asked for a passphrase for encrypted key
-        uri2 = "file:keys/myenckey?encrypted=true"
-        signer2 = Signer.from_priv_key_uri(uri2, pub_key2, sec_handler)
-
     Applications can provide their own Signer and Key implementations::
 
         from securesystemslib.signer import Signer, SIGNER_FOR_URI_SCHEME

tests/test_dsse.py

@@ -2,23 +2,33 @@
 
 import copy
 import unittest
+from pathlib import Path
+
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
 
-import securesystemslib.keys as KEYS
 from securesystemslib.dsse import Envelope
 from securesystemslib.exceptions import VerificationError
-from securesystemslib.signer import Signature, SSlibKey, SSlibSigner
+from securesystemslib.signer import CryptoSigner, Signature
+
+PEMS_DIR = Path(__file__).parent / "data" / "pems"
 
 
 class TestEnvelope(unittest.TestCase):
     """Test metadata interface provided by DSSE envelope."""
 
     @classmethod
     def setUpClass(cls):
-        cls.key_dicts = [
-            KEYS.generate_rsa_key(),
-            KEYS.generate_ed25519_key(),
-            KEYS.generate_ecdsa_key(),
-        ]
+        cls.signers: list[CryptoSigner] = []
+        for keytype in ["rsa", "ecdsa", "ed25519"]:
+            path = PEMS_DIR / f"{keytype}_private.pem"
+
+            with open(path, "rb") as f:
+                data = f.read()
+
+            private_key = load_pem_private_key(data, None)
+            signer = CryptoSigner(private_key)
+
+            cls.signers.append(signer)
 
         cls.signature_dict = {
             "keyid": "11fa391a0ed7a447",
@@ -102,23 +112,14 @@ def test_sign_and_verify(self):
         envelope_obj = Envelope.from_dict(envelope_dict)
 
         key_list = []
-        for key_dict in self.key_dicts:
-            # Test for invalid scheme.
-            valid_scheme = key_dict["scheme"]
-            key_dict["scheme"] = "invalid_scheme"
-            with self.assertRaises(ValueError):
-                signer = SSlibSigner(key_dict)
-
-            # Sign the payload.
-            key_dict["scheme"] = valid_scheme
-            signer = SSlibSigner(key_dict)
+        for signer in self.signers:
             envelope_obj.sign(signer)
 
             # Create a List of "Key" from key_dict.
-            key_list.append(SSlibKey.from_securesystemslib_key(key_dict))
+            key_list.append(signer.public_key)
 
         # Check for signatures of Envelope.
-        self.assertEqual(len(self.key_dicts), len(envelope_obj.signatures))
+        self.assertEqual(len(self.signers), len(envelope_obj.signatures))
         for signature in envelope_obj.signatures.values():
             self.assertIsInstance(signature, Signature)
 
@@ -136,14 +137,12 @@ def test_sign_and_verify(self):
         self.assertEqual(len(verified_keys), len(key_list))
 
         # Test for unknown keys and threshold of 1.
-        new_key_dicts = [
-            KEYS.generate_rsa_key(),
-            KEYS.generate_ed25519_key(),
-            KEYS.generate_ecdsa_key(),
-        ]
         new_key_list = []
-        for key_dict in new_key_dicts:
-            new_key_list.append(SSlibKey.from_securesystemslib_key(key_dict))
+        for key in key_list:
+            new_key = copy.deepcopy(key)
+            # if it has a different keyid, it is a different key in sslib
+            new_key.keyid = reversed(key.keyid)
+            new_key_list.append(new_key)
 
         with self.assertRaises(VerificationError):
             envelope_obj.verify(new_key_list, 1)