Adopt sslib keygen interface encryption changes

secure-systems-lab/securesystemslib#288 changes the key generation interface functions to no longer auto-prompt for an encryption password if no password is passed, in order to not suprise the caller with a blocking prompt. The downside of this change is that the keys are stored in plain text per default, which may be mitigated by recommending encryption in the docs. This commit updates related TUF documentation, which always passes an encryption password or shows a prompt. NOTE: The securesystemslib private key import functions do not auto-prompt for decryption passwords either, however TUF only exposes custom wrappers (see repository_lib) that do auto-prompt. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh · Oct 28, 2020 · ff106ea · ff106ea
1 parent 9908f8e
commit ff106ea
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 9 deletions.
diff --git a/docs/TUTORIAL.md b/docs/TUTORIAL.md
@@ -99,10 +99,9 @@ text without prepended symbols is the output of a command.
 >>> generate_and_write_rsa_keypair("root_key", bits=2048, password="password")
 
 # If the key length is unspecified, it defaults to 3072 bits. A length of less
-# than 2048 bits raises an exception. A password may be supplied as an
-# argument, otherwise a user prompt is presented.  If an empty password
-# is entered, the private key is saved unencrypted.
->>> generate_and_write_rsa_keypair("root_key2")
+# than 2048 bits raises an exception. A password may also be supplied on the
+# prompt. If an empty password is entered, the private key is saved unencrypted.
+>>> generate_and_write_rsa_keypair("root_key2", prompt=True)
 Enter a password for the RSA key (/path/to/root_key2):
 Confirm:
 ```
@@ -117,7 +116,7 @@ If a filepath is not given, the KEYID of the generated key is used as the
 filename.  The key files are written to the current working directory.
 ```python
 # Continuing from the previous section . . .
->>> generate_and_write_rsa_keypair()
+>>> generate_and_write_rsa_keypair(prompt=True)
 Enter a password for the encrypted RSA key (/path/to/b5b8de8aeda674bce948fbe82cab07e309d6775fc0ec299199d16746dc2bd54c):
 Confirm:
 ```
@@ -152,7 +151,7 @@ generated from the encrypted PEM string: Bad decrypt. Incorrect password?
 # supplied, otherwise a prompt is presented.  The private key is saved
 # encrypted if a non-empty password is given, and unencrypted if the password
 # is empty.
->>> generate_and_write_ed25519_keypair('ed25519_key')
+>>> generate_and_write_ed25519_keypair('ed25519_key', prompt=True)
 Enter a password for the Ed25519 key (/path/to/ed25519_key):
 Confirm:
 

diff --git a/tests/test_tutorial.py b/tests/test_tutorial.py
@@ -78,7 +78,7 @@ def test_tutorial(self):
     generate_and_write_rsa_keypair('root_key', bits=2048, password='password')
 
     # Skipping user entry of password
-    ## generate_and_write_rsa_keypair('root_key2')
+    ## generate_and_write_rsa_keypair('root_key2', prompt=True)
     generate_and_write_rsa_keypair('root_key2', password='password')
 
     # Tutorial tells users to expect these files to exist:
@@ -109,7 +109,7 @@ def test_tutorial(self):
     # ----- Tutorial Section: Create and Import Ed25519 Keys
 
     # Skipping user entry of password
-    ## generate_and_write_ed25519_keypair('ed25519_key')
+    ## generate_and_write_ed25519_keypair('ed25519_key', prompt=True)
     generate_and_write_ed25519_keypair('ed25519_key', password='password')
 
     public_ed25519_key = import_ed25519_publickey_from_file('ed25519_key.pub')

diff --git a/tuf/README-developer-tools.md b/tuf/README-developer-tools.md
@@ -53,7 +53,7 @@ is the private key.
 
 ```
 >>> from tuf.developer_tool import *
->>> generate_and_write_rsa_keypair("path/to/key")
+>>> generate_and_write_rsa_keypair("path/to/key", prompt=True)
 Enter a password for the RSA key:
 Confirm:
 >>>