Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the Signer interface #319

Merged
merged 3 commits into from
Feb 23, 2021

Conversation

MVrachev
Copy link
Collaborator

@MVrachev MVrachev commented Feb 3, 2021

Fixes: theupdateframework/python-tuf#1263

Description of the changes being introduced by the pull request:

Create a Signer interface with the purpose of supporting multiple signing implementations.
Read more on the issue above.

Please verify and check that the pull request fulfils the following requirements:

  • The code follows the Code Style Guidelines
  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

Signed-off-by: Martin Vrachev [email protected]

@coveralls
Copy link

coveralls commented Feb 3, 2021

Coverage Status

Coverage increased (+0.01%) to 98.544% when pulling 4fe7f9b on MVrachev:signer-interface into dff4425 on secure-systems-lab:master.

@MVrachev MVrachev changed the title Signer interface: initial version Signer interface Feb 3, 2021
@MVrachev MVrachev changed the title Signer interface Add the Signer interface Feb 3, 2021
def test_sslib_sign(self):
# Test generation of RSA signatures.
sslib_signer = SSlibSigner(self.rsakey_dict)
rsa_sig_obj = sslib_signer.sign(self.DATA)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like how simple it looks to use, judging by the code so far! 👏🏽

@MVrachev MVrachev force-pushed the signer-interface branch 3 times, most recently from 384a053 to 0285e39 Compare February 9, 2021 16:24
@MVrachev MVrachev marked this pull request as ready for review February 9, 2021 16:24
@MVrachev
Copy link
Collaborator Author

MVrachev commented Feb 9, 2021

This interface is ready for a review @lukpueh!
I will add another pr for the GPGSigner.

Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, @MVrachev. I only pointed out some minor issues, most of which are not really your fault but seem to stem from inaccurate code documentation in this repo.

securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
tests/test_signer.py Outdated Show resolved Hide resolved
tests/test_signer.py Outdated Show resolved Hide resolved
tests/test_signer.py Outdated Show resolved Hide resolved
tests/test_signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
@MVrachev
Copy link
Collaborator Author

MVrachev commented Feb 10, 2021

Updated the pr.

  • I added a new commit fixing the documentation for secureystemslib.keys.create_signature().
  • Added a Signature.from_dict() and a unit test for it.
  • Fixed the wording in the documentation
  • Rewrote the test and made it simpler.

@lukpueh sorry for the obvious mistakes in the tests. I copied a lot from tests/test_keys.py and it seems I did it badly. :D

Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @MVrachev! This is getting better and better. Here are a few more suggestions.

securesystemslib/keys.py Outdated Show resolved Hide resolved
securesystemslib/keys.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
tests/test_signer.py Outdated Show resolved Hide resolved
@MVrachev
Copy link
Collaborator Author

I rebased and squashed the commits where I address @lukpueh comments into the appropriate commits.
I added the ed25519key_dict into the tests and fixed another group of docstring mistakes.

Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should use the same strategy to move away from legacy code style as we do in TUF (see ADR 5). So given that you are adding completely new modules I suggest you also follow the new style guideline, especially in regards to code documentation. What do you think?

securesystemslib/keys.py Outdated Show resolved Hide resolved
@MVrachev
Copy link
Collaborator Author

I think we should use the same strategy to move away from legacy code style as we do in TUF (see ADR 5). So given that you are adding completely new modules I suggest you also follow the new style guideline, especially in regards to code documentation. What do you think?

I thought I should follow the style guidelines in the other parts in securesytemslib.
My reasoning was that in tuf where we write the new API from scratch we should use the new style guidelines, but for files that are in the old folders, we should use the older style guidelines.

It seems I am wrong. I will fix it on Monday.

@lukpueh
Copy link
Member

lukpueh commented Feb 15, 2021

Your reasoning makes perfect sense, @MVrachev, especially if you read ADR 5 together with ADR 3. However, ADR 5 alone even prescribes the new style for "new files" and not only for "new files in a certain new directory".

But regardless of ADR 5, I think it makes a lot of sense to use the new docstring format everywhere especially for classes / functions that should be public API (I even adopted it in an existing module recently, see #288).

I am less passionate about most of the other style recommendations, but to make things easier I would just follow the "new style for new files" rule of thumb.

@MVrachev MVrachev force-pushed the signer-interface branch 2 times, most recently from 645ee74 to 2c403f8 Compare February 16, 2021 14:37
@MVrachev
Copy link
Collaborator Author

I updated the pr with the new style guidelines.

@MVrachev MVrachev force-pushed the signer-interface branch 3 times, most recently from da9148b to af0451d Compare February 17, 2021 11:48
@MVrachev
Copy link
Collaborator Author

I had to force push to resolve conflicts.
I updated the Update doc for ecdsa-sha2-nistp384 schema commit to using a keys_types_set as Trishank suggested.

Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Martin, this looks great, I only left a few comments regarding docstrings (format), and I'd like to kindly ask you to remove the changes you made in securesystemslib/keys.py from this PR. :)

securesystemslib/signer.py Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/signer.py Outdated Show resolved Hide resolved
securesystemslib/keys.py Outdated Show resolved Hide resolved
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
@MVrachev
Copy link
Collaborator Author

MVrachev commented Feb 23, 2021

Updated the pr:

  • replaced ' with " in both signer.py and test_signer.py.
  • fixed some comments
  • addressed all other Lukas comments.

I will need time to get used to the new code style guidelines.
Sorry for creating so much work in reviewing for you @lukpueh.

@lukpueh
Copy link
Member

lukpueh commented Feb 23, 2021

I will need time to get used to the new code style guidelines.
Sorry for creating so much work in reviewing for you @lukpueh.

No worries, I need to look things up in the new guidelines too. ;)

@lukpueh lukpueh merged commit 760523c into secure-systems-lab:master Feb 23, 2021
MVrachev added a commit to MVrachev/tuf that referenced this pull request Feb 24, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Feb 24, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Feb 25, 2021
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easly sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easly retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunatly, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Feb 25, 2021
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
@MVrachev MVrachev mentioned this pull request Feb 25, 2021
3 tasks
@lukpueh lukpueh mentioned this pull request Feb 26, 2021
MVrachev added a commit to MVrachev/tuf that referenced this pull request Feb 26, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Feb 26, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Mar 5, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Mar 5, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Mar 5, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Mar 5, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/tuf that referenced this pull request Mar 9, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
lukpueh pushed a commit to MVrachev/tuf that referenced this pull request Mar 10, 2021
In the securesystemslib pr secure-systems-lab/securesystemslib#319
I added a new Signer interface with the purpose of supporting multiple
signing implementations.
Additionally, I added the SSlibSigner implementation of that interface
which implements the signing operation for rsa, ed25519 and ecdsa
schemes.
With this commit, I integrate the SSlibSigner into the new API in tuf.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Apr 16, 2021
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Jan 18, 2022
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
@di di mentioned this pull request Feb 1, 2022
52 tasks
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Feb 8, 2022
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Jun 27, 2022
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Jul 8, 2022
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
MVrachev added a commit to MVrachev/securesystemslib that referenced this pull request Jul 8, 2022
The GPGSigner is an implementation of the new "Signer" interface
that was merged in secure-systems-lab#319
and could be found in securesystemslib.signer.py

This is the next logical step given that securesystemslib supports GPG
and we want this interface to have implementations for all signature
types which are already supported by securesystemslib.

While implementing the GPGSigner, I wanted to make sure that one can
easily sign a portion of data, receive a Signature object and use the
information stored in that object to verify the signature.

To verifty a GPG signature, one have to use
securesystemslib/gpg/functions.verifty_signature().
There, the signature_object argument should be in the
securesystemslib.formats.GPG_SIGNATURE_SCHEMA format.
I searched for a way to easily retrieve the additional fields in the
GPG_SIGNATURE_SCHEMA -"other_headers" and "info" from the keyid stored
in the "Signature" object returned by the "sign" operation.
Unfortunately, right now there is no function that I can use for that
purpose.
The only option I was left with, was to create a new class:
"GPGSignature" where we can store those additional fields returned
from securesystemslib.gpg.functions.create_signature() which we call
during the "sign" process.

Signed-off-by: Martin Vrachev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support custom signing implementations in Metadata.sign method
5 participants