From 09473b6d28c3352cc68029c5fa2cc8de26586c7a Mon Sep 17 00:00:00 2001 From: Martin Vrachev Date: Tue, 7 Jul 2020 16:41:22 +0300 Subject: [PATCH] Refactor to use changed format metadata to key In commit b7a15fdee7dee899c098b01fe64d604635b2b132 or pr https://github.com/secure-systems-lab/securesystemslib/pull/227 in securesystemslib I change the function arguments of the format_metadata_to_key function in securesystemslib/keys.py to add the opportunity to use custom keyid hash algorithms without chainging the securesystemslib.settings.HASH_ALGORITHMS variable. With this commit, I make use of the above changes in tuf. Signed-off-by: Martin Vrachev --- tuf/client/updater.py | 3 ++- tuf/keydb.py | 3 ++- tuf/repository_lib.py | 3 ++- tuf/repository_tool.py | 8 ++------ 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 564e285efd..2fc8d3600e 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -952,7 +952,8 @@ def _import_delegations(self, parent_role): # We specify the keyid to ensure that it's the correct keyid # for the key. try: - key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid) + key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid, + keyid_hash_algorithms=keyinfo['keyid_hash_algorithms']) tuf.keydb.add_key(key, repository_name=self.repository_name) diff --git a/tuf/keydb.py b/tuf/keydb.py index 78048b6aac..9489237fdd 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py @@ -122,7 +122,8 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # format_metadata_to_key() uses the provided keyid as the default keyid. # All other keyids returned are ignored. - key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) + key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, + keyid, keyid_hash_algorithms=key_metadata['keyid_hash_algorithms']) # Make sure to update key_dict['keyid'] to use one of the other valid # keyids, otherwise add_key() will have no reference to it. diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index 4dc3d6c9a3..37620b7516 100644 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -645,7 +645,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']): # Use the keyid found in the delegation - key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid) + key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, + keyid, keyid_hash_algorithms=key_metadata['keyid_hash_algorithms']) # Add 'key_object' to the list of recognized keys. Keys may be shared, # so do not raise an exception if 'key_object' has already been loaded. diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py index 3a2f4dce28..80acad7096 100755 --- a/tuf/repository_tool.py +++ b/tuf/repository_tool.py @@ -3187,12 +3187,8 @@ def load_repository(repository_directory, repository_name='default', # The repo may have used hashing algorithms for the generated keyids # that doesn't match the client's set of hash algorithms. Make sure # to only used the repo's selected hashing algorithms. - hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS - securesystemslib.settings.HASH_ALGORITHMS = \ - key_metadata['keyid_hash_algorithms'] - key_object, keyids = \ - securesystemslib.keys.format_metadata_to_key(key_metadata) - securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms + key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata, + keyid_hash_algorithms=key_metadata['keyid_hash_algorithms']) try: for keyid in keyids: # pragma: no branch key_object['keyid'] = keyid