Metadata API: Don't peek into Key internals
There was an attempt at ensuring key content uniqueness in
verify_delegate() by making sure the values corresponding to "public"
keys in Key.keyval dictionaries are unique. This had two issues:
 * it wasn't a security measure: it's not difficult to produce two
   different "public" values of the same key content
 * Spec does not actually guarantee the existence of "public" key in
   the keyval dictionary (the three keys included in the spec just all
   happen to have it)

Luckily the spec does require KEYIDs to be unique so we do not need to
do all this: Just count keyids of keys with verified signatures. Keep
building a Set of keyids as a belt-and-suspenders strategy: Role keyids
are currently guaranteed to be unique but we'd notice here if they
weren't.

Add a logger call for failed verifies: this might be useful to figure out
which keys exactly are the issue when a delegate cannot be verified.

Signed-off-by: Jussi Kukkonen <[email protected]>
Jussi Kukkonen committed Jul 5, 2021
1 parent d00af4c commit 48b58d9
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions tuf/api/metadata.py
@@ -17,6 +17,7 @@
"""
import abc
import io
import logging
import tempfile
from collections import OrderedDict
from datetime import datetime, timedelta
@@ -49,6 +50,8 @@

# pylint: disable=too-many-lines

logger = logging.getLogger(__name__)

# We aim to support SPECIFICATION_VERSION and require the input metadata
# files to have the same major version (the first number) as ours.
SPECIFICATION_VERSION = ["1", "0", "19"]
@@ -309,10 +312,9 @@ def verify_delegate(
key = keys[keyid]
try:
key.verify_signature(delegate, signed_serializer)
# keyids are unique. Try to make sure the public keys are too
signing_keys.add(key.keyval["public"])
signing_keys.add(key.keyid)
except exceptions.UnsignedMetadataError:
pass
logger.info("Key %s failed to verify %s", keyid, role_name)

if len(signing_keys) < role.threshold:
raise exceptions.UnsignedMetadataError(
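Review bot: the rationale for counting keyids instead of "public" values (the spec requires KEYIDs to be unique, keyval contents are not a reliable uniqueness check) now lives only in the commit message; the replaced comment `# keyids are unique. Try to make sure the public keys are too` was dropped without a successor, so a one-line comment above `signing_keys.add(key.keyid)` stating that keyid uniqueness is what the threshold count relies on would keep that reasoning next to the code. Two smaller points: since `key = keys[keyid]`, adding `key.keyid` rather than the loop's `keyid` only differs if the two disagree, which would itself be worth surfacing, so either use `keyid` directly or log when `key.keyid != keyid`; and the new `logger.info("Key %s failed to verify %s", keyid, role_name)` references `role_name`, which is not defined in the visible context, so confirm it is a parameter of `verify_delegate`, and consider including the caught exception's message in the log line, since the stated goal of the change is to identify which key is the problem and `UnsignedMetadataError` may carry the reason.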

0 comments on commit 48b58d9