Add signature base64 encoding in Envelope

PradyumnaKrishna · PradyumnaKrishna · commit 801addd0d7ff · 2023-04-13T11:36:51.000+05:30
As per DSSE spec, Signatures in Envelope should be base64 encoded.
While securesystemslib implementation uses hex signatures for
signing and verifying them. Best way to achieve this by using
base64 encoded signatures externally and not changing any internal
representation of signature.

This commit adds two helper method that encodes and converts
signature into base64 dict and vice versa. Also, testcases are
added and updated as well.

Signed-off-by: Pradyumna Krishna &lt;git@onpy.in&gt;
diff --git a/securesystemslib/dsse.py b/securesystemslib/dsse.py
@@ -59,7 +59,8 @@ def from_dict(cls, data: dict) -> "Envelope":
         payload_type = data["payloadType"]
 
         signatures = [
-            Signature.from_dict(signature) for signature in data["signatures"]
+            Signature.from_base64_dict(signature)
+            for signature in data["signatures"]
         ]
 
         return cls(payload, payload_type, signatures)
@@ -71,7 +72,7 @@ def to_dict(self) -> dict:
             "payload": b64enc(self.payload),
             "payloadType": self.payload_type,
             "signatures": [
-                signature.to_dict() for signature in self.signatures
+                signature.to_base64_dict() for signature in self.signatures
             ],
         }
 
diff --git a/securesystemslib/signer/_signature.py b/securesystemslib/signer/_signature.py
@@ -3,6 +3,8 @@
 import logging
 from typing import Any, Dict, Optional
 
+from securesystemslib._internal.utils import b64dec, b64enc
+
 logger = logging.getLogger(__name__)
 
 
@@ -47,6 +49,31 @@ def __eq__(self, other: Any) -> bool:
             and self.unrecognized_fields == other.unrecognized_fields
         )
 
+    @classmethod
+    def from_base64_dict(cls, signature_dict: Dict) -> "Signature":
+        """Creates a Signature object from its JSON/dict representation
+        containing base64 encoded signature.
+
+        Arguments:
+            signature_dict:
+                A dict containing a valid keyid and a signature.
+                Note that the fields in it should be named "keyid" and "sig"
+                respectively.
+
+        Raises:
+            KeyError: If any of the "keyid" and "sig" fields are missing from
+                the signature_dict.
+
+        Side Effect:
+            Destroys the metadata dict passed by reference.
+
+        Returns:
+            A "Signature" instance.
+        """
+
+        signature_dict["sig"] = b64dec(signature_dict["sig"]).decode("utf-8")
+        return cls.from_dict(signature_dict)
+
     @classmethod
     def from_dict(cls, signature_dict: Dict) -> "Signature":
         """Creates a Signature object from its JSON/dict representation.
@@ -81,3 +108,13 @@ def to_dict(self) -> Dict:
             "sig": self.signature,
             **self.unrecognized_fields,
         }
+
+    def to_base64_dict(self) -> Dict:
+        """Returns the JSON-serializable dictionary representation of self
+        containing base64 encoded signature."""
+
+        return {
+            "keyid": self.keyid,
+            "sig": b64enc(self.signature.encode("utf-8")),
+            **self.unrecognized_fields,
+        }
diff --git a/tests/test_dsse.py b/tests/test_dsse.py
@@ -26,7 +26,7 @@ def setUpClass(cls):
 
         cls.signature_dict = {
             "keyid": "11fa391a0ed7a447",
-            "sig": "30460221009342e4566528fcecf6a7a5",
+            "sig": "MzA0NjAyMjEwMDkzNDJlNDU2NjUyOGZjZWNmNmE3YTU=",
         }
         cls.envelope_dict = {
             "payload": "aGVsbG8gd29ybGQ=",
diff --git a/tests/test_signer.py b/tests/test_signer.py
@@ -453,6 +453,15 @@ def test_signature_from_to_dict(self):
 
         self.assertDictEqual(signature_dict, sig_obj.to_dict())
 
+    def test_signature_from_to_base64_dict(self):
+        signature_dict = {
+            "sig": "MzA0NjAyMjEwMDkzNDJlNDU2NjUyOGZjZWNmNmE3YTVkNTNlYmFjZGIxZGYxNTFlMjQyZjU1Zjg3NzU4ODM0NjljYjAxZGJjNjYwMjIxMDA4NmI0MjZjYzgyNjcwOWFjZmEyYzNmOTIxNDYxMGNiMGE4MzJkYjk0YmJkMjY2ZmQ3YzU5MzlhNDgwNjRhODUx",
+            "keyid": "11fa391a0ed7a447cbfeb4b2667e286fc248f64d5e6d0eeed2e5e23f97f9f714",
+        }
+        sig_obj = Signature.from_base64_dict(copy.copy(signature_dict))
+
+        self.assertDictEqual(signature_dict, sig_obj.to_base64_dict())
+
     def test_signature_eq_(self):
         signature_dict = {
             "sig": "30460221009342e4566528fcecf6a7a5d53ebacdb1df151e242f55f8775883469cb01dbc6602210086b426cc826709acfa2c3f9214610cb0a832db94bbd266fd7c5939a48064a851",

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ def setUpClass(cls):`
`26`	`26`
`27`	`27`	`cls.signature_dict = {`
`28`	`28`	`"keyid": "11fa391a0ed7a447",`
`29`		`- "sig": "30460221009342e4566528fcecf6a7a5",`
	`29`	`+ "sig": "MzA0NjAyMjEwMDkzNDJlNDU2NjUyOGZjZWNmNmE3YTU=",`
`30`	`30`	`}`
`31`	`31`	`cls.envelope_dict = {`
`32`	`32`	`"payload": "aGVsbG8gd29ybGQ=",`