
Commit 8160f6b

key: re-structure SlibKey.verify_signature v2
Further re-structure try/except block according to @jku's review comment, for better readability. Move "verify with pyca/crypto" and "verify with vendored ed25519" to separate helpers. Signed-off-by: Lukas Puehringer <[email protected]>
1 parent 73f84e2 commit 8160f6b


1 file changed

+70
-74
lines changed


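--- a/securesystemslib/signer/_key.py
+++ b/securesystemslib/signer/_key.py
@@ -253,85 +253,81 @@ def _get_rsa_padding(
 
 return padding
 
+def _verify_vendored_ed25519(self, signature: bytes, data: bytes) -> None:
+"""Helper to verify signature using vendored ed25519 implementation."""
+try:
+public_bytes = bytes.fromhex(self.keyval["public"])
+checkvalid(signature, data, public_bytes)
+
+except SignatureMismatch as e:
+raise UnverifiedSignatureError from e
+
+def _verify_cryptography(self, signature: bytes, data: bytes) -> None:
+"""Helper to verify signature using pyca/cryptography"""
+try:
+key: PublicKeyTypes
+if self.scheme in [
+"rsassa-pss-sha224",
+"rsassa-pss-sha256",
+"rsassa-pss-sha384",
+"rsassa-pss-sha512",
+"rsa-pkcs1v15-sha224",
+"rsa-pkcs1v15-sha256",
+"rsa-pkcs1v15-sha384",
+"rsa-pkcs1v15-sha512",
+]:
+key = cast(RSAPublicKey, self._from_pem())
+padding_name, hash_name = self.scheme.split("-")[1:]
+hash_algorithm = self._get_hash_algorithm(hash_name)
+padding = self._get_rsa_padding(padding_name, hash_algorithm)
+key.verify(signature, data, padding, hash_algorithm)
+
+elif self.scheme in [
+"ecdsa-sha2-nistp256",
+"ecdsa-sha2-nistp384",
+]:
+key = cast(EllipticCurvePublicKey, self._from_pem())
+hash_name = f"sha{self.scheme[-3:]}"
+hash_algorithm = self._get_hash_algorithm(hash_name)
+signature_algorithm = ECDSA(hash_algorithm)
+key.verify(signature, data, signature_algorithm)
+
+elif self.scheme in ["ed25519"]:
+public_bytes = bytes.fromhex(self.keyval["public"])
+key = Ed25519PublicKey.from_public_bytes(public_bytes)
+key.verify(signature, data)
+
+else:
+raise ValueError(f"unknown scheme '{self.scheme}'")
+
+except InvalidSignature as e:
+raise UnverifiedSignatureError from e
+
 def verify_signature(self, signature: Signature, data: bytes) -> None:
-if signature.keyid != self.keyid:
-raise VerificationError from ValueError(
-f"keyid mismatch: 'key id: {self.keyid}"
-f" != signature keyid: {signature.keyid}'"
-)
+try:
+if signature.keyid != self.keyid:
+raise ValueError(
+f"keyid mismatch: 'key id: {self.keyid}"
+f" != signature keyid: {signature.keyid}'"
+)
 
-sig = bytes.fromhex(signature.signature)
+signature_bytes = bytes.fromhex(signature.signature)
 
-if CRYPTO_IMPORT_ERROR:
-try:
+if CRYPTO_IMPORT_ERROR:
 if self.scheme != "ed25519":
 raise UnsupportedLibraryError(CRYPTO_IMPORT_ERROR)
 
-public_bytes = bytes.fromhex(self.keyval["public"])
-checkvalid(sig, data, public_bytes)
+return self._verify_vendored_ed25519(signature_bytes, data)
 
-except SignatureMismatch as e:
-raise UnverifiedSignatureError(
-f"Failed to verify signature by {self.keyid}"
-) from e
+return self._verify_cryptography(signature_bytes, data)
 
-except Exception as e:
-logger.info(
-"Key %s failed to verify sig: %s", self.keyid, str(e)
-)
-raise VerificationError(
-f"Unknown failure to verify signature by {self.keyid}"
-) from e
-
-else:
-try:
-key: PublicKeyTypes
-if self.scheme in [
-"rsassa-pss-sha224",
-"rsassa-pss-sha256",
-"rsassa-pss-sha384",
-"rsassa-pss-sha512",
-"rsa-pkcs1v15-sha224",
-"rsa-pkcs1v15-sha256",
-"rsa-pkcs1v15-sha384",
-"rsa-pkcs1v15-sha512",
-]:
-key = cast(RSAPublicKey, self._from_pem())
-padding_name, hash_name = self.scheme.split("-")[1:]
-hash_algorithm = self._get_hash_algorithm(hash_name)
-padding = self._get_rsa_padding(
-padding_name, hash_algorithm
-)
-key.verify(sig, data, padding, hash_algorithm)
-
-elif self.scheme in [
-"ecdsa-sha2-nistp256",
-"ecdsa-sha2-nistp384",
-]:
-key = cast(EllipticCurvePublicKey, self._from_pem())
-hash_name = f"sha{self.scheme[-3:]}"
-hash_algorithm = self._get_hash_algorithm(hash_name)
-signature_algorithm = ECDSA(hash_algorithm)
-key.verify(sig, data, signature_algorithm)
-
-elif self.scheme in ["ed25519"]:
-public_bytes = bytes.fromhex(self.keyval["public"])
-key = Ed25519PublicKey.from_public_bytes(public_bytes)
-key.verify(sig, data)
-
-else:
-raise ValueError(f"unknown scheme '{self.scheme}'")
-
-# the actual switch for cryptography calls goes here
-except InvalidSignature as e:
-raise UnverifiedSignatureError(
-f"Failed to verify signature by {self.keyid}"
-) from e
-
-except Exception as e:
-logger.info(
-"Key %s failed to verify sig: %s", self.keyid, str(e)
-)
-raise VerificationError(
-f"Unknown failure to verify signature by {self.keyid}"
-) from e
+except UnverifiedSignatureError as e:
+raise UnverifiedSignatureError(
+f"Failed to verify signature by {self.keyid}"
+) from e
+
+except Exception as e:
+logger.info("Key %s failed to verify sig: %s", self.keyid, e)
+raise VerificationError(
+f"Unknown failure to verify signature by {self.keyid}"
+) from e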
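Review bot: The docstrings on `_verify_vendored_ed25519` and `_verify_cryptography` do not state the contract the helpers now depend on. Each translates only the mismatch exception (`SignatureMismatch` / `InvalidSignature`), and neither checks the keyid. Every other failure leaves the helper as a raw exception and becomes a `VerificationError` only through the `except Exception` in `verify_signature`: malformed hex in `self.keyval["public"]`, the `ValueError` for an unknown scheme, or a PEM key whose real type differs from the scheme (`cast()`, presumably `typing.cast`, does no runtime check). I would spell that out, e.g. `"""Verify with pyca/cryptography. Raises UnverifiedSignatureError on a bad signature; any other error propagates. Call only via verify_signature, which checks the keyid and wraps other errors."""`, with the same wording on the vendored helper. In `verify_signature` the `except UnverifiedSignatureError` clause has to stay ahead of `except Exception`, so a comment such as `# must precede the generic handler, or a bad signature is reported as an unknown failure` would guard against a later reorder.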
