From b9306a8dbe71d0c73f4a7a4bd501024d77535ffa Mon Sep 17 00:00:00 2001 From: Colm Kilcoin Date: Wed, 29 Mar 2023 22:49:11 -0400 Subject: [PATCH] Drop md5 and sha1 schemes from supported key schemes Related to #512, no changes to keys/ module. --- securesystemslib/formats.py | 10 ++-------- securesystemslib/hash.py | 8 +++----- securesystemslib/keys.py | 4 ---- securesystemslib/signer/__init__.py | 4 ---- tests/test_formats.py | 28 ++++++---------------------- tests/test_hash.py | 22 ---------------------- 6 files changed, 11 insertions(+), 65 deletions(-) diff --git a/securesystemslib/formats.py b/securesystemslib/formats.py index a90becee..8a0e01cd 100755 --- a/securesystemslib/formats.py +++ b/securesystemslib/formats.py @@ -141,8 +141,6 @@ HASHALGORITHMS_SCHEMA = SCHEMA.ListOf( SCHEMA.OneOf( [ - SCHEMA.String("md5"), - SCHEMA.String("sha1"), SCHEMA.String("sha224"), SCHEMA.String("sha256"), SCHEMA.String("sha384"), @@ -252,12 +250,8 @@ # RSA signature schemes. RSA_SCHEME_SCHEMA = SCHEMA.OneOf( [ - SCHEMA.RegularExpression( - r"rsassa-pss-(md5|sha1|sha224|sha256|sha384|sha512)" - ), - SCHEMA.RegularExpression( - r"rsa-pkcs1v15-(md5|sha1|sha224|sha256|sha384|sha512)" - ), + SCHEMA.RegularExpression(r"rsassa-pss-(sha224|sha256|sha384|sha512)"), + SCHEMA.RegularExpression(r"rsa-pkcs1v15-(sha224|sha256|sha384|sha512)"), ] ) diff --git a/securesystemslib/hash.py b/securesystemslib/hash.py index 3a3c2f40..a8ae0f52 100755 --- a/securesystemslib/hash.py +++ b/securesystemslib/hash.py @@ -41,8 +41,6 @@ # Dictionary of `pyca/cryptography` supported hash algorithms. PYCA_DIGEST_OBJECTS_CACHE = { - "md5": _pyca_hashes.MD5, - "sha1": _pyca_hashes.SHA1, "sha224": _pyca_hashes.SHA224, "sha256": _pyca_hashes.SHA256, "sha384": _pyca_hashes.SHA384, @@ -142,7 +140,7 @@ def digest(algorithm=DEFAULT_HASH_ALGORITHM, hash_library=DEFAULT_HASH_LIBRARY): algorithm: - The hash algorithm (e.g., 'md5', 'sha1', 'sha256'). + The hash algorithm (e.g., 'sha256', 'sha512'). hash_library: The crypto library to use for the given hash algorithm (e.g., 'hashlib'). @@ -230,7 +228,7 @@ def digest_fileobject( to update the hash of a digest object to be returned. algorithm: - The hash algorithm (e.g., 'md5', 'sha1', 'sha256'). + The hash algorithm (e.g., 'sha256', 'sha512'). hash_library: The library providing the hash algorithms (e.g., 'hashlib'). @@ -329,7 +327,7 @@ def digest_filename( The filename belonging to the file object to be used. algorithm: - The hash algorithm (e.g., 'md5', 'sha1', 'sha256'). + The hash algorithm (e.g., 'sha256', 'sha512'). hash_library: The library providing the hash algorithms (e.g., 'hashlib'). diff --git a/securesystemslib/keys.py b/securesystemslib/keys.py index dc71198a..33d7f4b3 100755 --- a/securesystemslib/keys.py +++ b/securesystemslib/keys.py @@ -73,14 +73,10 @@ RSA_SIGNATURE_SCHEMES = [ - "rsassa-pss-md5", - "rsassa-pss-sha1", "rsassa-pss-sha224", "rsassa-pss-sha256", "rsassa-pss-sha384", "rsassa-pss-sha512", - "rsa-pkcs1v15-md5", - "rsa-pkcs1v15-sha1", "rsa-pkcs1v15-sha224", "rsa-pkcs1v15-sha256", "rsa-pkcs1v15-sha384", diff --git a/securesystemslib/signer/__init__.py b/securesystemslib/signer/__init__.py index 3830a225..3f43c3c7 100644 --- a/securesystemslib/signer/__init__.py +++ b/securesystemslib/signer/__init__.py @@ -36,14 +36,10 @@ ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp256"): SSlibKey, ("ecdsa-sha2-nistp384", "ecdsa-sha2-nistp384"): SSlibKey, ("ed25519", "ed25519"): SSlibKey, - ("rsa", "rsassa-pss-md5"): SSlibKey, - ("rsa", "rsassa-pss-sha1"): SSlibKey, ("rsa", "rsassa-pss-sha224"): SSlibKey, ("rsa", "rsassa-pss-sha256"): SSlibKey, ("rsa", "rsassa-pss-sha384"): SSlibKey, ("rsa", "rsassa-pss-sha512"): SSlibKey, - ("rsa", "rsa-pkcs1v15-md5"): SSlibKey, - ("rsa", "rsa-pkcs1v15-sha1"): SSlibKey, ("rsa", "rsa-pkcs1v15-sha224"): SSlibKey, ("rsa", "rsa-pkcs1v15-sha256"): SSlibKey, ("rsa", "rsa-pkcs1v15-sha384"): SSlibKey, diff --git a/tests/test_formats.py b/tests/test_formats.py index 7b9919cf..f9b2d9a5 100755 --- a/tests/test_formats.py +++ b/tests/test_formats.py @@ -107,50 +107,34 @@ def test_schemas(self): {"public": "pubkey", "private": ""}, ), "RSA_SCHEME_SCHEMA_RSASSA_PSS": ( - securesystemslib.formats.RSA_SCHEME_SCHEMA, - "rsassa-pss-md5", - ), - "RSA_SCHEME_SCHEMA_RSASSA_PSS_2": ( - securesystemslib.formats.RSA_SCHEME_SCHEMA, - "rsassa-pss-sha1", - ), - "RSA_SCHEME_SCHEMA_RSASSA_PSS_3": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsassa-pss-sha224", ), - "RSA_SCHEME_SCHEMA_RSASSA_PSS_4": ( + "RSA_SCHEME_SCHEMA_RSASSA_PSS_2": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsassa-pss-sha256", ), - "RSA_SCHEME_SCHEMA_RSASSA_PSS_5": ( + "RSA_SCHEME_SCHEMA_RSASSA_PSS_3": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsassa-pss-sha384", ), - "RSA_SCHEME_SCHEMA_RSASSA_PSS_6": ( + "RSA_SCHEME_SCHEMA_RSASSA_PSS_4": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsassa-pss-sha512", ), "RSA_SCHEME_SCHEMA_PKCS1v15": ( - securesystemslib.formats.RSA_SCHEME_SCHEMA, - "rsa-pkcs1v15-md5", - ), - "RSA_SCHEME_SCHEMA_PKCS1v15_2": ( - securesystemslib.formats.RSA_SCHEME_SCHEMA, - "rsa-pkcs1v15-sha1", - ), - "RSA_SCHEME_SCHEMA_PKCS1v15_3": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsa-pkcs1v15-sha224", ), - "RSA_SCHEME_SCHEMA_PKCS1v15_4": ( + "RSA_SCHEME_SCHEMA_PKCS1v15_2": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsa-pkcs1v15-sha256", ), - "RSA_SCHEME_SCHEMA_PKCS1v15_5": ( + "RSA_SCHEME_SCHEMA_PKCS1v15_3": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsa-pkcs1v15-sha384", ), - "RSA_SCHEME_SCHEMA_PKCS1v15_6": ( + "RSA_SCHEME_SCHEMA_PKCS1v15_4": ( securesystemslib.formats.RSA_SCHEME_SCHEMA, "rsa-pkcs1v15-sha512", ), diff --git a/tests/test_hash.py b/tests/test_hash.py index 04f7654d..b69a1947 100755 --- a/tests/test_hash.py +++ b/tests/test_hash.py @@ -50,8 +50,6 @@ def _run_with_all_algos_and_libs( self, test_func ): # pylint: disable=missing-function-docstring algorithms = [ - "md5", - "sha1", "sha224", "sha256", "sha384", @@ -97,18 +95,6 @@ def _do_algorithm_update( "2b68156e70f71280f7ad021f74620446ee49613a7ed34f5220da7b1dbae9adb2", "2b68156e70f71280f7ad021f74620446ee49613a7ed34f5220da7b1dbae9adb2", ], - "md5": [ - "d41d8cd98f00b204e9800998ecf8427e", - "0cc175b9c0f1b6a831c399e269772661", - "f034e93091235adbb5d2781908e2b313", - "f034e93091235adbb5d2781908e2b313", - ], - "sha1": [ - "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8", - "d7bfa42fc62b697bf6cf1cda9af1fb7f40a27817", - "d7bfa42fc62b697bf6cf1cda9af1fb7f40a27817", - ], "sha224": [ "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f", "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5", @@ -155,12 +141,6 @@ def test_blake2b_256_update(self): self._do_algorithm_update, "blake2b-256" ) - def test_md5_update(self): - self._run_with_all_hash_libraries(self._do_algorithm_update, "md5") - - def test_sha1_update(self): - self._run_with_all_hash_libraries(self._do_algorithm_update, "sha1") - def test_sha224_update(self): self._run_with_all_hash_libraries(self._do_algorithm_update, "sha224") @@ -193,8 +173,6 @@ def _do_digest_size( self, library, algorithm ): # pylint: disable=missing-function-docstring digest_sizes = { - "md5": 16, - "sha1": 20, "sha224": 28, "sha256": 32, "sha384": 48,