Merge pull request #556 from lukpueh/improve-key-checks

jku · web-flow · commit 5c7ef183189c · 2023-04-12T11:13:57.000+03:00
signer API: improve graceful failure testing and fix thus revealed error handling bug
diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py
@@ -175,6 +175,7 @@ def verify_signature(self, signature: Signature, data: bytes) -> None:
             exceptions.CryptoError,
             exceptions.FormatError,
             exceptions.UnsupportedAlgorithmError,
+            exceptions.UnsupportedLibraryError,
         ) as e:
             logger.info("Key %s failed to verify sig: %s", self.keyid, str(e))
             raise exceptions.VerificationError(
diff --git a/tests/check_public_interfaces.py b/tests/check_public_interfaces.py
@@ -43,7 +43,8 @@
     UnsupportedLibraryError,
     VerificationError,
 )
-from securesystemslib.signer import GPGKey, Signature
+from securesystemslib.signer import GPGKey, Key, Signature, SSlibKey
+from securesystemslib.signer._sigstore_signer import SigstoreKey
 
 
 class TestPublicInterfaces(
@@ -317,13 +318,58 @@ def test_gpg_functions(self):
             securesystemslib.gpg.functions.export_pubkey("f00")
         self.assertEqual(expected_error_msg, str(ctx.exception))
 
-    def test_signer(self):
+    def test_signer_verify(self):
         """Assert generic VerificationError from UnsupportedLibraryError."""
-        key = GPGKey("aa", "rsa", "pgp+rsa-pkcsv1.5", {"public": "val"})
-        sig = Signature("aa", "aaaaaaa", {"other_headers": "aaaaaa"})
-        with self.assertRaises(VerificationError) as ctx:
-            key.verify_signature(sig, b"data")
-        self.assertIsInstance(ctx.exception.__cause__, UnsupportedLibraryError)
+        keyid = "aa"
+        sig = Signature(keyid, "aaaaaaaa", {"other_headers": "aaaaaa"})
+
+        keys = [
+            GPGKey(keyid, "rsa", "pgp+rsa-pkcsv1.5", {"public": "val"}),
+            SSlibKey(keyid, "rsa", "rsa-pkcs1v15-sha512", {"public": "val"}),
+            SigstoreKey(
+                keyid,
+                "sigstore-oidc",
+                "Fulcio",
+                {"identity": "val", "issuer": "val"},
+            ),
+        ]
+
+        for key in keys:
+            with self.assertRaises(VerificationError) as ctx:
+                key.verify_signature(sig, b"data")
+
+            self.assertIsInstance(
+                ctx.exception.__cause__, (UnsupportedLibraryError, ImportError)
+            )
+
+    def test_signer_ed25519_fallback(self):
+        """Assert ed25519 signature verification works in pure Python."""
+        data = b"The quick brown fox jumps over the lazy dog"
+        keyid = "aaa"
+        sig = Signature.from_dict(
+            {
+                "keyid": keyid,
+                "sig": "2ec7a5e295fa6265e10f3da7f1a432e7742f041f081b4faecab3a12bf0fc8f366c919c90c267e9ed1dfdeb7a7556b959a96dd0dcfea17da358622d39af36bf09",
+            }
+        )
+
+        key = Key.from_dict(
+            keyid,
+            {
+                "keytype": "ed25519",
+                "scheme": "ed25519",
+                "keyval": {
+                    "public": "beb75c268206554e963c45dcbf3c004140d1cb69bbfe9370ef736f19388c9b26"
+                },
+            },
+        )
+
+        self.assertIsNone(key.verify_signature(sig, data))
+
+        with self.assertRaises(
+            securesystemslib.exceptions.UnverifiedSignatureError
+        ):
+            key.verify_signature(sig, b"NOT DATA")
 
 
 if __name__ == "__main__":
