-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Made internal keyids consistent #453
Made internal keyids consistent #453
Conversation
I think this looks ok. Can you confirm if this fixes a practical issue or if it's just a cosmetic fix: even if cryptography sometimes includes whitespace in the pem, why do we care? Does something break? I think roughly everyone agrees that keyids are not ideal: IMO they should not be tied to key content at all and should be just identifiers. If I recall correctly TAP-12 is the attempt at making that the rule in TUF. |
It breaks the tests for importing SSH keys. When one imports a public key to hazmat and exports them to PEM, and one imports a private key to hazmat, converts it to public one and exports to PEM, the PEM reprs differ by a line break character in the end. Currently |
I see. The PR seems fine to me but my suggestion is that you should not expect the keyid to be reproducible like that: I don't think the implementation is very robust so things like modifying values in securesystemslib.settings will break that reproducibility... |
I know, for example base64 reprs of keys usually ignore line breaks, so changing the line wrap width will also break the keyids. Ideally the field should be immediately renamed into an So this PR just relieves some of the sympthoms. |
4e3f646
to
acb823b
Compare
Thanks for the patch, @KOLANICH! I think the patch makes sense, but I wonder if it is all that helpful, given the more substantial issues with keyids discussed above. If this is currently only needed for #451, then I suggest to defer until we know how to proceed with #451. See #451 (comment) |
It is, but I'm not sure that working around the lack of this patch via monkey-patching makes sense. Of course the keyids will be fixed somewhen and all the impls (including |
acb823b
to
3ea7d4b
Compare
Worked around for 1 key type with monkey-patching. https://github.com/KOLANICH/securesystemslib_KOLANICH.py |
3ea7d4b
to
378aa7f
Compare
…e key imported from different sources because of internal usage of PEM serialization an usage of hashsum of such a serialization as an internal keyid. This won't fix all the inconsistency issues, the way keys are hashed to obtain key ids should be completely reworked.
378aa7f
to
7c159c9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think I agree with the commit message: No-one seems to be interested enough to actually implement the keyid generation (for all keytypes) in the way current TUF spec defines it -- in other words the spec should be changed to not have the strict requirements and just require that keyids are unique per delegating role. I think in future securesystemslib should make it clear that users should not expect the generated keyids to be any kind of "stable API": it's just a way to get hopefully unique identifiers.
That said, the actual patch seems fine: it only modifies the output from key generation, so should not break code? Let's either merge or not, and then close this PR.
Description of the changes being introduced by the pull request:
It was noticed that internal keyids for ECDSA keys get inconsistent when imported from PEM because
hazmat
either adds nonsignificant whitespaces or not.securesystemlib
currently forms internal keyids by hashing PEM representations (which is IMHO incorrect), so the keyids are affected by nonsignificant changes. This PR just strips the PEM representations of trailing whitespaces. The proper solution to the problem is to generate the keyids from significant portions of keys only and to make them compatible to other impls, but it is not my job.Please verify and check that the pull request fulfils the following requirements: