SSlibKey: fix ecdsa nistp384 default scheme #763
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added test key pair was created with openssl:
```
openssl genpkey -algorithm EC \
-pkeyopt ec_paramgen_curve:P-384 \
-pkeyopt ec_param_enc:named_curve \
-out ecdsa_secp384r1_private.pem
openssl pkey -in ecdsa_secp384r1_private.pem -pubout \
-out ecdsa_secp384r1_public.pem
```
default keyid:
0155661bdf705f621a74f55eef36c9ae041e456141eced7a45d4a1f75ded9ac0
Signed-off-by: Lukas Puehringer <[email protected]>
fixes secure-systems-lab#669 Fix SSlibKey.from_crypto to assign the correct default scheme, for ecdsa nistp384 keys. This includes refactoring from_crypto to use a single switch over pyca/cryptography public key object type, in order to infer securesystemslib "keytype" and default scheme. Previously, only "keytype" was inferred from the key object, and the default scheme then from the keytype. Given that for the same keytype (ecdsa) there can be different default schemes, this needed to be changed. The refactoring also moves the keytype-specific public key value serialization to the same switch. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh
commented
Apr 2, 2024
| encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo | ||
| ) | ||
| public_key_value = pem.decode() | ||
| keytype, default_scheme, public_key_value = cls._from_crypto(public_key) |
There was a problem hiding this comment.
I briefly considered to also return the list of supported schemes here, so that we can validate the optionally passed scheme (see a1f5ec2).
But I'll leave this for another PR.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #669
Fix
SSlibKey.from_cryptoto assign the correct default scheme for ecdsa nistp384 keys.This includes refactoring from_crypto to use a single switch over pyca/cryptography public key object type, in order to infer securesystemslib "keytype" and default scheme.
Previously, only "keytype" was inferred from the key object, and the default scheme then from the keytype. Given that for the same keytype (ecdsa) there can be different default schemes, this needed to be changed.
The refactoring also moves the keytype-specific public key value serialization to the same switch.