Skip to content

Commit

Permalink
Merge pull request #556 from lukpueh/improve-key-checks
Browse files Browse the repository at this point in the history 
signer API: improve graceful failure testing and fix thus revealed error handling bug
  • Loading branch information
@jku
jku authored Apr 12, 2023
2 parents f3e3f12 + b1cf437 commit 5c7ef18
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 7 deletions.
1 change: 1 addition & 0 deletions securesystemslib/signer/_key.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,7 @@ def verify_signature(self, signature: Signature, data: bytes) -> None:
exceptions.CryptoError,
exceptions.FormatError,
exceptions.UnsupportedAlgorithmError,
exceptions.UnsupportedLibraryError,
) as e:
logger.info("Key %s failed to verify sig: %s", self.keyid, str(e))
raise exceptions.VerificationError(
Expand Down
60 changes: 53 additions & 7 deletions tests/check_public_interfaces.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,8 @@
UnsupportedLibraryError,
VerificationError,
)
from securesystemslib.signer import GPGKey, Signature
from securesystemslib.signer import GPGKey, Key, Signature, SSlibKey
from securesystemslib.signer._sigstore_signer import SigstoreKey


class TestPublicInterfaces(
Expand Down Expand Up @@ -317,13 +318,58 @@ def test_gpg_functions(self):
securesystemslib.gpg.functions.export_pubkey("f00")
self.assertEqual(expected_error_msg, str(ctx.exception))

def test_signer(self):
def test_signer_verify(self):
"""Assert generic VerificationError from UnsupportedLibraryError."""
key = GPGKey("aa", "rsa", "pgp+rsa-pkcsv1.5", {"public": "val"})
sig = Signature("aa", "aaaaaaa", {"other_headers": "aaaaaa"})
with self.assertRaises(VerificationError) as ctx:
key.verify_signature(sig, b"data")
self.assertIsInstance(ctx.exception.__cause__, UnsupportedLibraryError)
keyid = "aa"
sig = Signature(keyid, "aaaaaaaa", {"other_headers": "aaaaaa"})

keys = [
GPGKey(keyid, "rsa", "pgp+rsa-pkcsv1.5", {"public": "val"}),
SSlibKey(keyid, "rsa", "rsa-pkcs1v15-sha512", {"public": "val"}),
SigstoreKey(
keyid,
"sigstore-oidc",
"Fulcio",
{"identity": "val", "issuer": "val"},
),
]

for key in keys:
with self.assertRaises(VerificationError) as ctx:
key.verify_signature(sig, b"data")

self.assertIsInstance(
ctx.exception.__cause__, (UnsupportedLibraryError, ImportError)
)

def test_signer_ed25519_fallback(self):
"""Assert ed25519 signature verification works in pure Python."""
data = b"The quick brown fox jumps over the lazy dog"
keyid = "aaa"
sig = Signature.from_dict(
{
"keyid": keyid,
"sig": "2ec7a5e295fa6265e10f3da7f1a432e7742f041f081b4faecab3a12bf0fc8f366c919c90c267e9ed1dfdeb7a7556b959a96dd0dcfea17da358622d39af36bf09",
}
)

key = Key.from_dict(
keyid,
{
"keytype": "ed25519",
"scheme": "ed25519",
"keyval": {
"public": "beb75c268206554e963c45dcbf3c004140d1cb69bbfe9370ef736f19388c9b26"
},
},
)

self.assertIsNone(key.verify_signature(sig, data))

with self.assertRaises(
securesystemslib.exceptions.UnverifiedSignatureError
):
key.verify_signature(sig, b"NOT DATA")


if __name__ == "__main__":
Expand Down

0 comments on commit 5c7ef18

Please sign in to comment.