
Document how to load stand-alone verification keys #663

Open
lukpueh opened this issue Nov 29, 2023 · 4 comments

Comments

@lukpueh
Member

lukpueh commented Nov 29, 2023

The in-toto signature verification API -- verifylib.in_toto_verify() and Metablock.verify_signature() -- expects a JSON/dict representation of a public key to be passed as argument. This is useful if the key is taken directly from in-toto metadata.

However, layout verification keys are not included in in-toto metadata, and need to be loaded from somewhere else, e.g. a public key file.

As in-toto/securesystemslib is deprecating legacy key file formats and functions, we should document other ways of loading verification keys.

The following snippet is used internally by in-toto-verify to load standard PEM/SubjectPublicKeyInfo files using pyca/cryptography and the securesystemslib Key interface:

from typing import Any, Dict

from cryptography.hazmat.primitives.serialization import load_pem_public_key
from securesystemslib.signer import SSlibKey

def _load_public_key_from_file(path: str) -> Dict[str, Any]:
    """Internal helper to load key from SubjectPublicKeyInfo/PEM file."""
    with open(path, "rb") as f:
        data = f.read()

    # pyca/cryptography parses the PEM/SubjectPublicKeyInfo blob ...
    crypto_public_key = load_pem_public_key(data)
    # ... and securesystemslib wraps it in its Key interface
    key = SSlibKey.from_crypto(crypto_public_key)

    # Create a key_dict, which is accepted by `verifylib.in_toto_verify`
    # or `Metablock.verify_signature`.
    # NOTE: securesystemslib and in-toto key dicts differ:
    # the former don't include the keyid, which the latter require.
    key_dict = key.to_dict()
    key_dict["keyid"] = key.keyid

    return key_dict

Preferred solution

  • improve securesystemslib documentation for Signer and Key interfaces, which already implement various ways of loading public keys from different key providers
  • make Key a first-class citizen in in-toto:
    • change in-toto signature verification API to accept Key instances instead of key dictionaries
    • related: change in-toto metadata class model, to load Key instances at metadata deserialisation time
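The pyca/cryptography half of the loading step above, as an added example that is not part of the issue or of in-toto's own code: it uses only pyca/cryptography (no securesystemslib), generates a throwaway in-memory Ed25519 key pair as a stand-in for the PEM/SubjectPublicKeyInfo key file, and shows the two checks a caller of load_pem_public_key should expect to handle: input that is not a public-key PEM (a private key, a certificate, or garbage) raises ValueError, and a bad signature raises InvalidSignature. The names load_public_key, sign_demo and verifies are this example's own.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

# Constructed stand-in for a layout verification key file: an in-memory
# Ed25519 key pair whose public half is exported as PEM/SubjectPublicKeyInfo,
# i.e. exactly the format the in-toto-verify helper reads from disk.
_DEMO_PRIVATE = ed25519.Ed25519PrivateKey.generate()
DEMO_PUBLIC_PEM = _DEMO_PRIVATE.public_key().public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
)


def load_public_key(pem_data: bytes) -> ed25519.Ed25519PublicKey:
    """Parse a PEM/SubjectPublicKeyInfo blob and require an Ed25519 public key.

    load_pem_public_key only accepts public keys: a private-key PEM, an X.509
    certificate or arbitrary bytes all raise ValueError, which is re-raised
    here with a message that says what was expected.
    """
    try:
        key = serialization.load_pem_public_key(pem_data)
    except ValueError as e:
        raise ValueError(f"not a PEM SubjectPublicKeyInfo public key: {e}") from e
    if not isinstance(key, ed25519.Ed25519PublicKey):
        # This demo only verifies Ed25519; other SPKI key types would need
        # their own verify() call (RSA/ECDSA take padding/hash parameters).
        raise TypeError(f"unsupported key type {type(key).__name__}")
    return key


def sign_demo(data: bytes) -> bytes:
    """Sign with the constructed private key (demo only; verifiers never sign)."""
    return _DEMO_PRIVATE.sign(data)


def verifies(pem_data: bytes, signature: bytes, data: bytes) -> bool:
    """True iff `signature` over `data` is valid under the key in `pem_data`."""
    try:
        load_public_key(pem_data).verify(signature, data)
    except InvalidSignature:
        return False
    return True
```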
@DarikshaAnsari
Contributor

Hey @lukpueh,
I want to work on this issue. Could you give me some guidance on how to proceed? I have already worked with the signer and keys in a demo project.

@DarikshaAnsari
Contributor

"We need to change the verify_signature function in both the Metablock and Metadata classes in metadata.py, as well as the verify_metadata_signatures function in verifylib.py. Additionally, we should update the verifylib.in_toto_verify function call in in-toto-verify.py. Can you confirm if this is the right direction?"

@lukpueh
Member Author

lukpueh commented May 27, 2024

Yes, this sounds about right.

@DarikshaAnsari
Contributor

So we have to use a list of key instances instead of a key dictionary, right?
