Skip to content

Split formating of a ed25519 dict from key generation. #452

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Split formating of a ed25519 dict from key generation. #452

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 43 additions & 12 deletions securesystemslib/keys.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -314,32 +314,63 @@ def generate_ed25519_key(scheme="ed25519"):
Conforms to 'securesystemslib.formats.ED25519KEY_SCHEMA'.
"""

# Generate the public and private Ed25519 key with the 'pynacl' library.
# Unlike in the verification of Ed25519 signatures, do not fall back to the
# optimized, pure python implementation provided by PyCA. Ed25519 should
# always be generated with a backend like libsodium to prevent side-channel
# attacks.
public, private = ed25519_keys.generate_public_and_private()

return format_ed25519_dict(public, private, scheme=scheme)


def format_ed25519_dict(public: bytes, private: bytes, scheme="ed25519"):
"""
<Purpose>
Formats a ed25519 private key dict.

<Arguments>
public:
Bytes of public key.

private:
Bytes of private key.

scheme:
The signature scheme used by the generated Ed25519 key.

<Exceptions>
None.

<Side Effects>
None.

<Returns>
A dictionary containing the ED25519 keys and other identifying information.
Conforms to 'securesystemslib.formats.ED25519KEY_SCHEMA'.
"""

assert private is None or len(private) == 32 # nosec assert_used
assert len(public) == 32 # nosec assert_used

# Are the arguments properly formatted? If not, raise an
# 'securesystemslib.exceptions.FormatError' exceptions.
formats.ED25519_SIG_SCHEMA.check_match(scheme)

# Begin building the Ed25519 key dictionary.
ed25519_key = {}
keytype = "ed25519"
public = None
private = None

# Generate the public and private Ed25519 key with the 'pynacl' library.
# Unlike in the verification of Ed25519 signatures, do not fall back to the
# optimized, pure python implementation provided by PyCA. Ed25519 should
# always be generated with a backend like libsodium to prevent side-channel
# attacks.
public, private = ed25519_keys.generate_public_and_private()

# Generate the keyid of the Ed25519 key. 'key_value' corresponds to the
# 'keyval' entry of the 'Ed25519KEY_SCHEMA' dictionary. The private key
# information is not included in the generation of the 'keyid' identifier.
key_value = {"public": binascii.hexlify(public).decode(), "private": ""}
keyid = _get_keyid(keytype, scheme, key_value)

# Build the 'ed25519_key' dictionary. Update 'key_value' with the Ed25519
# private key prior to adding 'key_value' to 'ed25519_key'.
key_value["private"] = binascii.hexlify(private).decode()
if private is not None:
# Build the 'ed25519_key' dictionary. Update 'key_value' with the Ed25519
# private key prior to adding 'key_value' to 'ed25519_key'.
key_value["private"] = binascii.hexlify(private).decode()

ed25519_key["keytype"] = keytype
ed25519_key["scheme"] = scheme
Expand Down