Merge pull request #53 from vladimir-v-diaz/verify_keyids_fix_issue#51
Verify that KEYIDs match for issue #51
vladimir-v-diaz authored Sep 19, 2017
2 parents 6b0e825 + ff97abb commit 38d82de
Showing 2 changed files with 28 additions and 6 deletions.
26 changes: 20 additions & 6 deletions securesystemslib/keys.py
@@ -988,8 +988,8 @@ def verify_signature(key_dict, signature, data):
Conformant to 'securesystemslib.formats.SIGNATURE_SCHEMA'.
data:
Data object used by securesystemslib.rsa_key.create_signature() to generate
'signature'. 'data' is needed here to verify the signature.
Data object used by securesystemslib.rsa_key.create_signature() to
generate 'signature'. 'data' is needed here to verify the signature.
<Exceptions>
securesystemslib.exceptions.FormatError, raised if either 'key_dict' or
@@ -998,8 +998,11 @@ def verify_signature(key_dict, signature, data):
securesystemslib.exceptions.UnsupportedLibraryError, if an unsupported or
unavailable library is detected.
securesystemslib.exceptions.UnsupportedAlgorithmError. Raised if the
signature scheme specified in 'key_dict' is not supported.
securesystemslib.exceptions.UnsupportedAlgorithmError, if the signature
scheme specified in 'key_dict' is not supported.
securesystemslib.exceptions.CryptoError, if the KEYID in the given
'key_dict' does not match the KEYID in 'signature'.
<Side Effects>
The cryptography library specified in 'settings' called to do the actual
@@ -1018,6 +1021,16 @@ def verify_signature(key_dict, signature, data):
# Does 'signature' have the correct format?
securesystemslib.formats.SIGNATURE_SCHEMA.check_match(signature)

# Verify that the KEYID in 'key_dict' matches the KEYID listed in the
# 'signature'.
if key_dict['keyid'] != signature['keyid']:
raise securesystemslib.exceptions.CryptoError('The KEYID ('
' ' + repr(key_dict['keyid']) + ' ) in the given key does not match'
' the KEYID ( ' + repr(signature['keyid']) + ' ) in the signature.')

else:
logger.debug('The KEYIDs of key_dict and the signature match.')

# Using the public key belonging to 'key_dict'
# (i.e., rsakey_dict['keyval']['public']), verify whether 'signature'
# was produced by key_dict's corresponding private key
@@ -1050,8 +1063,9 @@ def verify_signature(key_dict, signature, data):
' pyca-cryptography if that is available instead.')

else:
valid_signature = securesystemslib.pycrypto_keys.verify_rsa_signature(sig, scheme,
public, data)
valid_signature = securesystemslib.pycrypto_keys.verify_rsa_signature(sig,
scheme, public, data)

elif _RSA_CRYPTO_LIBRARY == 'pyca-cryptography':
if 'pyca-cryptography' not in _available_crypto_libraries: # pragma: no cover
raise securesystemslib.exceptions.UnsupportedLibraryError('Metadata'
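Review bot: The new check in the `@@ -1018,6 +1021,16 @@` hunk compares `key_dict['keyid']` with `signature['keyid']` as two supplied strings, and nothing visible here re-derives the KEYID from `key_dict['keyval']`, so it shows that the two labels agree rather than that the signature is bound to this key material (the accompanying test reaches the CryptoError path with a keyid of 'bad123', which suggests the format check does not tie the KEYID to the key). If the KEYID is not recomputed somewhere before this point, a passing comparison should not be read as key identification, and the comment would be more accurate as `# Compare the KEYID fields only; this does not recompute the KEYID from key_dict['keyval'].` A mismatch now raises CryptoError, whereas a failed verification appears to be reported through `valid_signature`, so a caller that tries one signature against several candidate keys has to catch it; the new <Exceptions> entry could say so explicitly. The `else:` after the `raise` is redundant, and verify_signature's body starts and ends outside these hunks.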
8 changes: 8 additions & 0 deletions tests/test_keys.py
@@ -390,6 +390,14 @@ def test_verify_signature(self):
# Restore
self.rsakey_dict['scheme'] = valid_scheme

# Verify that the KEYIDS of 'key_dict' and 'signature' match.
valid_keyid = self.rsakey_dict['keyid'] = '12345'
self.rsakey_dict['keyid'] = 'bad123'

self.assertRaises(securesystemslib.exceptions.CryptoError,
KEYS.verify_signature, self.rsakey_dict, rsa_signature, DATA)
self.rsakey_dict['keyid'] = valid_keyid

# Passing incorrect number of arguments.
self.assertRaises(TypeError, KEYS.verify_signature)
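Review bot: The chained assignment `valid_keyid = self.rsakey_dict['keyid'] = '12345'` overwrites the fixture's real KEYID before saving it, so `valid_keyid` holds '12345' and the later `self.rsakey_dict['keyid'] = valid_keyid` restores a placeholder instead of the original value. Any later verify_signature call that reuses `self.rsakey_dict` with a genuine signature would then hit the new CryptoError path, and if the dict is shared across tests (not visible here) the change outlives this method. Save first with `valid_keyid = self.rsakey_dict['keyid']`, then assign 'bad123'. An assertion that a matching KEYID still verifies after the restore would pin the non-error path as well; test_verify_signature starts and ends outside the hunk.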
