refactors AWSSigner; scheme no longer required. #724
Conversation
ianhundere
changed the title
There was a problem hiding this comment.
Thanks. I think this is good to merge: it improves import_() in that it can be used without the other argument.
I'll leave some notes below but I am not requesting changes: I have no access to AWS signer so I can't really tell what is smart and what is not.
So just as a comment: the lookup (from-AWS-response-to-securesystemslib-key-type-and-scheme) still looks more complicated than it probably is
- RSA users can now choose the hash length but ECDSA users for some reason cannot?
- the real import_() argument probably should have been
hash_size: Optional[int] = Noneif that's the only real variable. This would be an API change for AWSSigner so maybe the scheme string still makes sense though - then the single lookup function would be
def _get_keytype_and_scheme(aws_response, hash_size) -> Tuple[str, str](ordef _get_keytype_and_scheme(aws_response, scheme_from_user) -> Tuple[str, str]if the import_() argument is the scheme string)
There was a problem hiding this comment.
Sorry for commenting late. I am not a big fan of the new key-type specific argument. It breaks the API and feels inconsistent.
I suggest to keep the local_scheme, make it optional, and use it like so:
get key from aws by keyid
if scheme is passed:
if scheme is not allowed for key
raise
else:
assign default scheme for key
I don't know exactly what schemes are supported for what key, but I expect that for any rsa key in the kms you should be able to use any of the securesystemslib schemes, whereas for ecdsa there is only one scheme per key.
A very brief look at the docs seems to support my assumption.
|
fyi @ianhundere, I've tested AWSSigner with Localstack for the first time today and it works like a charm! 🚀 ❤️ Thanks for your efforts! |
There was a problem hiding this comment.
Thanks for your persistence! It looks like you are still not consistently checking, if the key supports the chosen scheme according to SigningAlgorithms in the response.
As I said, I'm okay, if we improve that in a follow-up PR.
Please address my inline comment and we can merge this (or let me know, if I should address it).
okay, i think that about does it; thanks for all your feedback. 🙇 |
|
Thanks for your continued efforts, @ianhundere! |
**Simplify** - remove redundant keytype/scheme switches - remove try/except, which catches an exception only to re-raise it **Strengthen** - choose default scheme based on schemes supported by the key Roughly implements the algorithm suggested in: secure-systems-lab#724 (review) **Unrelated changes** - fix secure-systems-lab#765 fix typo AND disable scheme until SSlibKey adds support - fail in __init__ if public_key.scheme is not in aws_algos TODO: * add tests Many thanks to @ianhundere for the solid ground work! Signed-off-by: Lukas Puehringer <[email protected]>
**Simplify** - remove redundant keytype/scheme switches - remove try/except, which catches an exception only to re-raise it **Strengthen** - choose default scheme based on schemes supported by the key Roughly implements the algorithm suggested in: secure-systems-lab#724 (review) **Unrelated changes** - fix secure-systems-lab#765 fix typo AND disable scheme until SSlibKey adds support - fail in __init__ if public_key.scheme is not in aws_algos **TODO** * add tests Many thanks to @ianhundere for the solid ground work! Signed-off-by: Lukas Puehringer <[email protected]>
resolves #668
Description of the changes being introduced by the pull request:
This refactors
AWSSignerto no longer requirelocal_scheme, and instead, getsschemefrom AWS' response (e.g.request["SigningAlgorithms"]).ecdsa:
The caveat is that RSA keys have multiple
SigningAlgorithms, so iflocal_schemeis not provided and thekeytypeis rsa thenrsassa-pss-sha256is chosen by default as is the case throughoutsecuresystemslib.rsa:
Also includes updated docs and error handling.
Please verify and check that the pull request fulfills the following requirements:
cc @jku @lukpueh