Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify and strengthen AWSSigner.import_ #778

Merged
merged 1 commit into from
Apr 15, 2024
Merged

Simplify and strengthen AWSSigner.import_ #778

merged 1 commit into from
Apr 15, 2024
+46 −65

Conversation

lukpueh
Copy link
Member

@lukpueh lukpueh commented Apr 11, 2024
edited
Loading

Simplify

  • remove redundant keytype/scheme switches
  • remove try/except, which catches an exception only to re-raise it

Strengthen

  • choose default scheme based on schemes supported by the key

Roughly implements the algorithm suggested in: #724 (review)

Unrelated changes

  • fix #765 fix typo AND disable scheme until SSlibKey adds support
  • fail in __init__ if public_key.scheme is not in aws_algos

TODO:

  • add tests

Many thanks to @ianhundere for the solid ground work!

@lukpueh
Simplify and strengthen AWSSigner.import_ (WIP)
587cf38 
**Simplify**
- remove redundant keytype/scheme switches
- remove try/except, which catches an exception only to re-raise it

**Strengthen**
- choose default scheme based on schemes supported by the key

Roughly implements the algorithm suggested in:
secure-systems-lab#724 (review)

**Unrelated changes**
- fix secure-systems-lab#765 fix typo AND disable scheme until SSlibKey adds support
- fail in __init__ if public_key.scheme is not in aws_algos

**TODO**
* add tests

Many thanks to @ianhundere for the solid ground work!

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh lukpueh force-pushed the simplify-aws-signer branch from bcfae9d to 587cf38 Compare April 12, 2024 09:21
@lukpueh lukpueh marked this pull request as ready for review April 12, 2024 09:22
@lukpueh
Copy link
Member Author

lukpueh commented Apr 12, 2024

TODO:
add tests

Test coverage is actually pretty good, especially compared to other cloud KMS signers. It tests the full Signer API flow -- import (with and without passed scheme), load, sign, verify (pass and fail) for all supported schemes.

What's missing are tests for some failure cases, like AWS returning an unsupported key, etc. I think we can improve this in a future PRs.

jku
jku approved these changes Apr 12, 2024
View reviewed changes
Copy link
Collaborator

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Re-raising the error wasn't entirely pointless as it added the AWS keyid in the error message but ... I suppose it's reasonable to assume that caller would know what key they were trying to import: it's not like this happens in unexpected situations.

@lukpueh
Copy link
Member Author

lukpueh commented Apr 15, 2024

Re-raising the error wasn't entirely pointless

You are right, it was a bit sneaky of me to not mention this. Apologies!

@lukpueh lukpueh merged commit 420b38c into secure-systems-lab:main Apr 15, 2024
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jku jku jku approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWSSigner: may return *incorrect* ecdsa-sha2-nistp512 scheme
2 participants
@lukpueh @jku