Merge pull request secure-systems-lab#780 from NicholasTanz/ValidateKey

validate Key instances in constructor not in deserialization
lukpueh · Apr 15, 2024 · 1b672dc · 1b672dc
2 parents 9720372 + 25d097e
commit 1b672dc
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 7 deletions.
diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py
@@ -200,13 +200,22 @@ def verify_signature(self, signature: Signature, data: bytes) -> None:
 class SSlibKey(Key):
     """Key implementation for RSA, Ed25519, ECDSA keys"""
 
+    def __init__(
+        self,
+        keyid: str,
+        keytype: str,
+        scheme: str,
+        keyval: Dict[str, Any],
+        unrecognized_fields: Optional[Dict[str, Any]] = None,
+    ):
+        if "public" not in keyval or not isinstance(keyval["public"], str):
+            raise ValueError(f"public key string required for scheme {scheme}")
+        super().__init__(keyid, keytype, scheme, keyval, unrecognized_fields)
+
     @classmethod
     def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "SSlibKey":
         keytype, scheme, keyval = cls._from_dict(key_dict)
 
-        if "public" not in keyval or not isinstance(keyval["public"], str):
-            raise ValueError(f"public key string required for scheme {scheme}")
-
         # All fields left in the key_dict are unrecognized.
         return cls(keyid, keytype, scheme, keyval, key_dict)
 

diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py
@@ -36,16 +36,24 @@ class SigstoreKey(Key):
     DEFAULT_KEY_TYPE = "sigstore-oidc"
     DEFAULT_SCHEME = "Fulcio"
 
-    @classmethod
-    def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "SigstoreKey":
-        keytype, scheme, keyval = cls._from_dict(key_dict)
-
+    def __init__(
+        self,
+        keyid: str,
+        keytype: str,
+        scheme: str,
+        keyval: Dict[str, Any],
+        unrecognized_fields: Optional[Dict[str, Any]] = None,
+    ):
         for content in ["identity", "issuer"]:
             if content not in keyval or not isinstance(keyval[content], str):
                 raise ValueError(
                     f"{content} string required for scheme {scheme}"
                 )
+        super().__init__(keyid, keytype, scheme, keyval, unrecognized_fields)
 
+    @classmethod
+    def from_dict(cls, keyid: str, key_dict: Dict[str, Any]) -> "SigstoreKey":
+        keytype, scheme, keyval = cls._from_dict(key_dict)
         return cls(keyid, keytype, scheme, keyval, key_dict)
 
     def to_dict(self) -> Dict: