From 82287e40452dc7de6818d94d1f2f1a8c4cce5bd4 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Tue, 9 Apr 2024 10:04:51 +0200 Subject: [PATCH] Remove migrate key script but keep link in README In preparation for the removal of legacy key interfaces and formats (#731), we provided a key file migration script in docs/ (#658). The script itself uses the legacy interfaces and thus should be removed from the current git tree together with them. This patch removes the script, including tests and test data, but keeps a tagged reference in the README, so that it can still be used with the pre-legacy-removal version of securesystemslib. Signed-off-by: Lukas Puehringer --- README.md | 9 +- docs/migrate_key.py | 127 ---------------- tests/data/legacy/ecdsa_private_encrypted | 1 - tests/data/legacy/ecdsa_private_unencrypted | 1 - tests/data/legacy/ecdsa_public | 1 - tests/data/legacy/ed25519_private_encrypted | 1 - tests/data/legacy/ed25519_private_unencrypted | 1 - tests/data/legacy/ed25519_public | 1 - tests/data/legacy/rsa_private_encrypted | 42 ------ tests/data/legacy/rsa_private_unencrypted | 39 ----- tests/data/legacy/rsa_public | 11 -- tests/test_migrate_key.py | 135 ------------------ 12 files changed, 6 insertions(+), 363 deletions(-) delete mode 100755 docs/migrate_key.py delete mode 100644 tests/data/legacy/ecdsa_private_encrypted delete mode 100644 tests/data/legacy/ecdsa_private_unencrypted delete mode 100755 tests/data/legacy/ecdsa_public delete mode 100644 tests/data/legacy/ed25519_private_encrypted delete mode 100644 tests/data/legacy/ed25519_private_unencrypted delete mode 100755 tests/data/legacy/ed25519_public delete mode 100644 tests/data/legacy/rsa_private_encrypted delete mode 100644 tests/data/legacy/rsa_private_unencrypted delete mode 100755 tests/data/legacy/rsa_public delete mode 100644 tests/test_migrate_key.py
diff --git a/README.md b/README.md
index 4abb22b5..5bd3d1fe 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,9 @@ See [Instructions for contributors](docs/CONTRIBUTING.md). ## Legacy key migration
-Use [`migrate_keys`](docs/migrate_key.py) script to convert key pairs generated
-with legacy `keys` or `interface` modules to a consistent standard format, which
-is compatible with [`CryptoSigner`](docs/CRYPTO_SIGNER.md).
+Use
+[`migrate_keys`](https://github.com/secure-systems-lab/securesystemslib/blob/v0.31.0/docs/migrate_key.py)
+script to convert key pairs generated with legacy `keys` or `interface` modules
+to a consistent standard format, which is compatible with
+[`CryptoSigner`](docs/CRYPTO_SIGNER.md). The script requires
+`securesystemslib~=0.31.0`.
diff --git a/docs/migrate_key.py b/docs/migrate_key.py
deleted file mode 100755
index f574a254..00000000
--- a/docs/migrate_key.py
+++ /dev/null
@@ -1,127 +0,0 @@
-#!/usr/bin/env python
-"""CLI script to migrate legacy keys to standard format
-
-Convert legacy key files created via `securesystemslib.interface` or
-`securesystemslib.keys` to a standard format, e.g. for use with `CryptoSigner`
-of the Signer API (see CRYPTO_SIGNER.md).
-
-Standard format for all algorithms
-----------------------------------
-* private: PEM/PKCS8
-* public: PEM/subjectPublicKeyInfo
-
-NOTE: Auto-generated keyids are likely to change after migration. Make sure to
-set keyids of new signers explicitly, by passing a public key with the desired
-keyid, or adopt changes in any delegations in TUF or in-toto.
-
-"""
-import argparse
-
-from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
-from cryptography.hazmat.primitives.serialization import (
- BestAvailableEncryption,
- Encoding,
- NoEncryption,
- PrivateFormat,
- PublicFormat,
- load_pem_public_key,
-)
-
-from securesystemslib import interface as legacy
-from securesystemslib.signer import CryptoSigner
-
-
-def migrate_private(path_in, algo, password):
- """Migrate private key"""
- legacy_key = legacy.import_privatekey_from_file(path_in, algo, password)
- crypto_signer = CryptoSigner.from_securesystemslib_key(legacy_key)
-
- if password:
- encryption_algorithm = BestAvailableEncryption(password.encode())
- else:
- encryption_algorithm = NoEncryption()
-
- private_key = crypto_signer._private_key # pylint: disable=protected-access
-
- return private_key.private_bytes(
- encoding=Encoding.PEM,
- format=PrivateFormat.PKCS8,
- encryption_algorithm=encryption_algorithm,
- )
-
-
-def migrate_public(path_in, algo):
- """Migrate public key"""
- legacy_keys = legacy.import_publickeys_from_file([path_in], [algo])
- legacy_key = list(legacy_keys.values())[0]
-
- if algo in ["rsa", "ecdsa"]:
- public_key = load_pem_public_key(
- legacy_key["keyval"]["public"].encode()
- )
- else: # ed25519
- public_bytes = bytes.fromhex(legacy_key["keyval"]["public"])
- public_key = Ed25519PublicKey.from_public_bytes(public_bytes)
-
- return public_key.public_bytes(
- encoding=Encoding.PEM,
- format=PublicFormat.SubjectPublicKeyInfo,
- )
-
-
-def main():
- parser = argparse.ArgumentParser(
- description=(
- "Migrate legacy keys to standard format "
- "(PEM/PKCS8/subjectPublicKeyInfo)."
- )
- )
-
- parser.add_argument(
- "--type",
- choices=["private", "public"],
- required=True,
- help="key type",
- )
- parser.add_argument(
- "--password",
- help="password to decrypt legacy and encrypt new private key",
- )
- parser.add_argument(
- "--algo",
- choices=["rsa", "ecdsa", "ed25519"],
- required=True,
- help="key algorithm",
- )
- parser.add_argument(
- "--in",
- dest="path_in",
- metavar="PATH",
- required=True,
- help="file path to legacy key",
- )
- parser.add_argument(
- "--out",
- dest="path_out",
- metavar="PATH",
- required=True,
- help="file path to new key",
- )
-
- args = parser.parse_args()
-
- if args.type == "private":
- new_key_bytes = migrate_private(args.path_in, args.algo, args.password)
-
- else: # public
- if args.password:
- parser.print_usage()
- parser.error("use password with --type private only")
- new_key_bytes = migrate_public(args.path_in, args.algo)
-
- with open(args.path_out, "wb+") as output_file:
- output_file.write(new_key_bytes)
-
-
-if __name__ == "__main__":
- main()
diff --git a/tests/data/legacy/ecdsa_private_encrypted b/tests/data/legacy/ecdsa_private_encrypted
deleted file mode 100644
index dd291d36..00000000
--- a/tests/data/legacy/ecdsa_private_encrypted
+++ /dev/null
@@ -1 +0,0 @@
-8fbf611c59332aebc82bdcf026fe4119@@@@100000@@@@307a043b7e82a3bf4421f6971e3c5af13570d6824e52e096ab653b877fc52e9f@@@@835eccefffb6b5492c53027a5a92e445@@@@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
\ No newline at end of file
diff --git a/tests/data/legacy/ecdsa_private_unencrypted b/tests/data/legacy/ecdsa_private_unencrypted
deleted file mode 100644
index 5e5cd86a..00000000
--- a/tests/data/legacy/ecdsa_private_unencrypted
+++ /dev/null
@@ -1 +0,0 @@
-{"keytype": "ecdsa", "scheme": "ecdsa-sha2-nistp256", "keyid": "57b7afab61dfd16b96619bb8af6c55483eeade3aa68cf20ff8f0aa69a8bcc8d8", "keyval": {"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx+6/aDen+X60RXLETPYz/H4U4qAY\neD/faCdpHBBmyip7xRiyWIrWljDmqcwLfv5wswrqdLF8M6hAdgYjIQZU/A==\n-----END PUBLIC KEY-----", "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIEm0tgzxA8OHiudMGqscqR4QpaJfxwwREqAD3rlSfXGJoAoGCCqGSM49\nAwEHoUQDQgAEx+6/aDen+X60RXLETPYz/H4U4qAYeD/faCdpHBBmyip7xRiyWIrW\nljDmqcwLfv5wswrqdLF8M6hAdgYjIQZU/A==\n-----END EC PRIVATE KEY-----"}, "keyid_hash_algorithms": ["sha256", "sha512"]}
diff --git a/tests/data/legacy/ecdsa_public b/tests/data/legacy/ecdsa_public
deleted file mode 100755
index cf04be22..00000000
--- a/tests/data/legacy/ecdsa_public
+++ /dev/null
@@ -1 +0,0 @@
-{"keytype": "ecdsa", "scheme": "ecdsa-sha2-nistp256", "keyid_hash_algorithms": ["sha256", "sha512"], "keyval": {"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx+6/aDen+X60RXLETPYz/H4U4qAY\neD/faCdpHBBmyip7xRiyWIrWljDmqcwLfv5wswrqdLF8M6hAdgYjIQZU/A==\n-----END PUBLIC KEY-----"}}
diff --git a/tests/data/legacy/ed25519_private_encrypted b/tests/data/legacy/ed25519_private_encrypted
deleted file mode 100644
index b1952ce9..00000000
--- a/tests/data/legacy/ed25519_private_encrypted
+++ /dev/null
@@ -1 +0,0 @@
-9ad267c7c10c74fb754b2d0811cadb6a@@@@100000@@@@06e3a7f38f26fc7c08d28e112fb6b53ab56b84c6214ac040bfcfdafb2fd7d221@@@@52d11d61e2e4ce57f39b3db799e72d24@@@@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
\ No newline at end of file
diff --git a/tests/data/legacy/ed25519_private_unencrypted b/tests/data/legacy/ed25519_private_unencrypted
deleted file mode 100644
index 882e543c..00000000
--- a/tests/data/legacy/ed25519_private_unencrypted
+++ /dev/null
@@ -1 +0,0 @@
-{"keytype": "ed25519", "scheme": "ed25519", "keyid": "cb2eea1134dac06c1ca2e94b1ffbd15c0bf9f0f541458f0a1df6968a900392f9", "keyid_hash_algorithms": ["sha256", "sha512"], "keyval": {"public": "167ced64cc9908b0bebb92df124d8d7fbe4298d41407524e8d238d0bcdd76c79", "private": "71fe1138357bf15b08723fd01af86deb5b58e4f469eb0acc9892e3c4cf9f4504"}}
diff --git a/tests/data/legacy/ed25519_public b/tests/data/legacy/ed25519_public
deleted file mode 100755
index a469b32e..00000000
--- a/tests/data/legacy/ed25519_public
+++ /dev/null
@@ -1 +0,0 @@
-{"keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": ["sha256", "sha512"], "keyval": {"public": "167ced64cc9908b0bebb92df124d8d7fbe4298d41407524e8d238d0bcdd76c79"}}
diff --git a/tests/data/legacy/rsa_private_encrypted b/tests/data/legacy/rsa_private_encrypted
deleted file mode 100644
index c3aff72f..00000000
--- a/tests/data/legacy/rsa_private_encrypted
+++ /dev/null
@@ -1,42 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,5196BEDDC2BA3ECB973C1B15CF8BA8F0
-
-x0B78cwIeX7UjVqxUPaCdRhx+QhXduEVUL970GNYOQpLwnYAjBgDCXXVwyxIinnC
-Ho0Qyd1bMAmlfAttlbPBN1Bf3lWUaLj3Rc51Sscj4pVWla9Q24LRN+87QCF6D9W+
-TpfAtwByGFVZarhLE+g3Nuknd6zS73N3fzfxlluQcVN+NvAYmECZTqhb12F83mhY
-0nsNmQrhC5zw3XKb+Fe4CD2Ds3VAfMaZR+r+D6CjpYfznmhKX73cHEtvzamoSCA+
-qiTWwOhfOTPO78SZBVcEPPgNVIX/cUs2kDQAkgPSGNtyj5ELKcarXg6zyu5Y95q2
-K3ZdurduJYM5S7y9JHjx2HZfRvF5p3o4biWzYUlaETnVzkCTts8TppJU3BiCaYXQ
-CF5dYCrhF5CosANdOiL8Nq7hvJX+4YMkIO1GwbRMKhM1DaFXWzimP3cUENWPblll
-T5FUF5Jg62BpFSXlp1a6ypJEZzAIQJIGzBwJIx5kWkeDYkNL2+9z6kByarS0Dsr+
-n1xtq2Gbx4k+4GPanbh4FycjxAoXFZQQxYa4AACHl0A4j2MzGdIRQQapgtyQJ8Hj
-7cZ4OKOooZ393NCZRQ8dc3kST0IvOptLzzk/COZCkt2gmcgL/6eblp4fqpWc3rt7
-9V9iMi7HZnA2lZjLBqT39A/QQX9J9F3CZTpLsc0D9inlUogC6s3JCIi00x+5TYlL
-uJZjk26CX39nqKFFMeNRYessGDDltSFMrNbiGsOWhZmAILT7oYsCCtlCeSIvBSll
-bA5pzw7xn+b1fOW1MSVqc6wQS035u/qu4hGG9/kFLyuHcjwKEXrcrV1iPvyRPLq0
-MuZG4Z74QkNNNwtZ97wZTynmuezayuIncqcCSsCP9bbCFEKJ9XMYFL7GUxD+rnzc
-7twnWLnbjpL/qr4KP0y1Ydm8GUDYvYhQ0Ecd+nj7Xl8T3oV9S71WOVyWbSFpFSDV
-VnB+kEV4edZ7gyhEo9lwdVV+8Ap+VI/Wg1jhV32jq3534wNX9DEMI7X8cKEW/JQO
-kaMOz+21eYPiTMz3qm2NXyL4sC3LhJBz9YZpitJZ1K6cxvPRqokWZ31RXR8il4Ik
-AsPUdIXLYZJ7jJ3JxdIX8NMDpw/hCUpqWfgkf5Vr4ZTp9bvKUiHTZurua1Av/ZMp
-S/qhYo4x8RurtaXj0LbWx95eQLhzeoftIXyqH6uUOY6yAZjk162Egcs+ObJ57l3O
-vvOsU6kbC0Fvf1JQjXLfZZ+RMRCn+f8umBAcO6QoF5ntz8Xmw8xJyLAh5ayJ18k2
-bcMX54YvkqO5wbmPH7cQx3vpeMpLWP9P3e+PCcTvsMAqzDTfmzhMmR6GeCOsE/eE
-i/ZKDEac0VzZsSfvWGDkE/qXs//3HvdooRTWhaPihUxLmwUxTeMcnKO+Ct2axrM5
-5g4R1+iNwSGzx1Rq3LomGO22xlW0B0lk7Ah6CO/Nc/tCSm8MXlMgVB9wR/54v9Be
-DLhKXRg03Pgm54lFdLLgxGL64i6eJ+JhVOdNqjZiAuu0ZULO6UVlaYpGIqMV5qe2
-9hhlwwm5jOZkH5h18J/Tz1dB4bzHEt9QG1a4/ESaHNWF7tPudWdqV6cAmvzLWyWc
-fbPv6r0OHYdHta+qB5kbo0knYiBEenvV+5LPE1xOpuUVhJ9sxq8O+1Jj0z/pmsQB
-nW0cLjPT/CQQBq9T3n2mdVMBwTupgkW7h+MvPe+cWaKvdv/pJ1KsxxolqXDsYOH2
-bw01qryYhaRmbSMvDudrR4ixHrAMAMrcfGkjsXsxXGWM1tNapcBbHMvZBrnYKEOe
-PyhkGxvNAQLihcZAX5IXQqCn1nGqhJNcQ50X/Bc2RnM05CA67z3w8aBgalnzVKAq
-b4HEJkGnmJn48zqcy5n1DZQ0Ov+xrO8vLm8ycDnb8f+miTlgPj9ehm0hUgKMJTH4
-JY21dBNpmbn6+n8q1s9Odli0vnSwTo5ZrCLSz8XXAoy1QYcVl/a26/aBuNH877AR
-aajmD563wBUpq8YuqdHeT/K7QjrSBqmtUgI5Twqc59MfTMUBHnWvw/wPFO1pw8bm
-cb38NI4oC4eJhpq6w0pr06e55go6WZLrxhOB0TaqOcFQUQxaeFhvH9a4d0AEfh1y
-AS/mrR2ydLyhTr7yH4DZyce+ql565rKbrbznn5Uy9YdLSEJSnh2vYcs6EoUHZ6yY
-OMeqou0B6g3JlrMWrpefRwo6repcnzBK5axfwwMLHwC0zljY8VP3sMpMn7gTtyKO
-FbiMcLYhD9L19ud3xbd4azaJ5zkjxjkIqIEQmDsbzppLuKqjWpmvgCVRKnV2WVbG
-pzvH365UnfkZd0lElil5EGxHtId1g1RiDRZMZvz5DeEPlt/BzmA+X/OJt0J83td/
------END RSA PRIVATE KEY-----
diff --git a/tests/data/legacy/rsa_private_unencrypted b/tests/data/legacy/rsa_private_unencrypted
deleted file mode 100644
index ff7a1cc0..00000000
--- a/tests/data/legacy/rsa_private_unencrypted
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEAwYSU3rVOgJV1uXPdkBK+Wkx09xMMEQE/xTQG0wX4tLOSeHSK
-+/MwXeYw83DGYAsHEtEb57j/iNrVSESMEJfB9CT6YBLh6DfnZQnG5GS5f997t8c3
-zyGM1fYzoBWaVakMVO2DoM8vxst/c2MU1BJXaG7hW+Tu5Kuz856YGmX8fV6eGvet
-WaQM9iN6jRmSS6Wmt/2WXcnvzjV5OyetpkH2s8kT60x1zElKiZtmGvz2lnxBZWK3
-uMBiBL8I52KZF+s9G65+shPJScYFKJ/NLVcMEaVDCghPay5bZ9pv6vqhylisLIs+
-alJoxWriz8a7Pc1tW0pBsWrk53adtBaxscFe3kjiJblQWE19xDwjEVCGA1MmslY0
-LFi2+R6SVcDDnNK7m0wcaqy1OG1bQXSpZLn/bNKE0NvT1SzrlRUojkcneiH6sJSW
-ucXmoo5tL2+uzjEFM/xppW/leo72UmtgahlqjhvFboJB0slG7ppwcrkuWYg1SejT
-HBt51jdvzsq6tVtdAgMBAAECggGAS/9u3YWThlDr8kBsB1wtEFZNawi6aOU2L5KO
-iYojUYfiIlcWi/rGCGJR4BDufyJljUC89kRDanISZ7av0QZgP6rT/y37NRDbWWU9
-DE34QZ05P4PHyZsR7acqQBiryy8/7gx28IzdZPNfIqgLMnvfgt5kt4uRPBGocqja
-cCeUQIILkmipVfZktrdZNheQShAMiN5Yko2vFSsP6Kjc+9mU8qcpoPMeofM4iBEU
-yM2GY7P5lMDviOlYtSd27jPdDrUtU4ZvJU/o/hwmGhmV6/fKXRfTORy2SAJ8sbYK
-ZJlMAQoNoMpEJ8kMCQ9NgDE4t8xJofG1qfAuoPD8RvIXtAQZEg+qO5r6D931lgZk
-gi+L/kafki6dZ3TQNIeQsRHhXCJZoYJHEbEkjjAlV2Cdyt5uJbNTPxH3KR6FiGeQ
-ku5LHvMhoz14twkyZI/5bAjMMNqXnoUSDREoABwPNhAqepJs/7TNZGwnqKSmwj5f
-76rJ54jkdlng6gWk5QaShK4Es+wrAoHBAPH4FOjEkSVLTkc84yai37kiXsLVod8h
-AAK6X1iPOtUHziu2kgynGKrGezBP9+y4KI2IERMmHYQ2dr+k7cZnjGpdLCl4FrsR
-N9nIWWRhS/ZEzmna8ThRoRySdO/EpzxU2KU/ndKc0hEt1NewWBVvDGOAKY9z/+IU
-msXyBgwCq5EXO6wO7aZiZWCy1RHbFN8fX/P5tFP1SCSwnAsz9gRiZ1pJmV7Ng56g
-hGOIZES1hGYZcC9gpMEOh/Q/sp6aHiWlhwKBwQDMvUPEok4UWDew6jPKGig6oUFm
-CbgO85BCVG1tRGaP4VCPPKfFIu1fkErNgSDQeUrPJc3FzYieXKlvSncELK2+TxB2
-Mp3pfFWhrvCTZ/JSsiG1TNcKyIUTY9qXQmn4Uvq4TSbFYGW9FhosnaDzvgVpUkR5
-UXIiVZ1p1drnS9Q9DFoGwQgx3GQuS1B12B3N1u5fBallXC/10aC2saYPOvkYa46q
-HHmarjL+zC5Yh1nRbWhDzUhDM/xqF4hmNZnXcPsCgcEAz9jA5T1MTJPGVs0Hdf28
-XYQXkBcAJ/Fp1+4Nzr2h1LISuFvoUrQKLU+3K8XVemKqewChYiiAfDxofrCGisIR
-zJ/iOnDsXZ4psoo1t1MYdB+giy9Fu5Hq6ecoSXlMCjf7rN7bi7mnfJg411mkIC02
-oBXMHWyQJbx7QoNmDFUS2NvzJxXfr+efm5OiEOd2oz6JJsKc0u3EHbgTIlBtCFEa
-5GSKOPQiFlVdwz26m4ashyNcyWWjwC3iPL2mijRqpv3rAoHAPd8QRLL7v4AtTERq
-ZC/lalpi5hAX1ETcmn7jFrst91sSukaNOLDmZRO410Ong/izl8gH2DfVim3cMiqh
-rtxFoRZJlj6TpAST6ClywEkQXNdCAoT3E2YneQWbAEzss0N4SwvdpJYOCMdOH59/
-DUmmXv6ifLsVL7UJvfsHjRBIUi6SYiohbNf6WlceOI6X6yWBoauXVm82eyXfWHZ1
-BXM/5ZZTZar3QLxV4tQXSV+V0AktEhhONyjVpcX4zVJzbDzTAoHBAI8dFlW/FCwS
-Y06NZgU7NwpdTDKagjYh/CTnX3rEoIOv23B+ODzpqE5Jfm7kyBeYZM93ssZO2AQQ
-lTFzudVi9KsnLcxh0Cx9FQV1K7UTLKlnUsxEtDn3noM9k3Z0rcMouqTtFRbJ59GP
-ozrM4V0wa9Vja/cv7MYgz0wwAckuLyBA3X23Djq+qJ0+LwgyLMpMaHIx1LtNDTzO
-z8f448/i3dJh6fgqv1J1GpOH5VT2n6qr/DIucjAeypPRFwKTEQADIg==
------END RSA PRIVATE KEY-----
diff --git a/tests/data/legacy/rsa_public b/tests/data/legacy/rsa_public
deleted file mode 100755
index d042405c..00000000
--- a/tests/data/legacy/rsa_public
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwYSU3rVOgJV1uXPdkBK+
-Wkx09xMMEQE/xTQG0wX4tLOSeHSK+/MwXeYw83DGYAsHEtEb57j/iNrVSESMEJfB
-9CT6YBLh6DfnZQnG5GS5f997t8c3zyGM1fYzoBWaVakMVO2DoM8vxst/c2MU1BJX
-aG7hW+Tu5Kuz856YGmX8fV6eGvetWaQM9iN6jRmSS6Wmt/2WXcnvzjV5OyetpkH2
-s8kT60x1zElKiZtmGvz2lnxBZWK3uMBiBL8I52KZF+s9G65+shPJScYFKJ/NLVcM
-EaVDCghPay5bZ9pv6vqhylisLIs+alJoxWriz8a7Pc1tW0pBsWrk53adtBaxscFe
-3kjiJblQWE19xDwjEVCGA1MmslY0LFi2+R6SVcDDnNK7m0wcaqy1OG1bQXSpZLn/
-bNKE0NvT1SzrlRUojkcneiH6sJSWucXmoo5tL2+uzjEFM/xppW/leo72Umtgahlq
-jhvFboJB0slG7ppwcrkuWYg1SejTHBt51jdvzsq6tVtdAgMBAAE=
------END PUBLIC KEY-----
diff --git a/tests/test_migrate_key.py b/tests/test_migrate_key.py
deleted file mode 100644
index dc3c86e3..00000000
--- a/tests/test_migrate_key.py
+++ /dev/null
@@ -1,135 +0,0 @@
-"""Test key migration script"""
-
-import shutil
-import sys
-import tempfile
-import unittest
-from pathlib import Path
-from unittest.mock import patch
-
-from cryptography.hazmat.primitives.serialization import load_pem_public_key
-
-from docs.migrate_key import main as migrate_key_cli
-from securesystemslib.exceptions import UnverifiedSignatureError
-from securesystemslib.interface import (
- import_privatekey_from_file,
- import_publickeys_from_file,
-)
-from securesystemslib.signer import CryptoSigner, SSlibKey, SSlibSigner
-
-
-class TestMigrateKey(unittest.TestCase):
- """Test key migration and backwards compatibility of signatures."""
-
- @classmethod
- def setUpClass(cls):
- cls.old_keys = Path(__file__).parent / "data" / "legacy"
- cls.new_keys = Path(tempfile.mkdtemp())
-
- # Migrate private, private encrypted and public keys for each algo
- for algo in ["rsa", "ecdsa", "ed25519"]:
- for type_, name_suffix, has_password in [
- ("private", "_encrypted", True),
- ("private", "_unencrypted", False),
- ("public", "", False),
- ]:
- args = [
- "migrate_key.py",
- "--type",
- type_,
- "--algo",
- algo,
- "--in",
- str(cls.old_keys / f"{algo}_{type_}{name_suffix}"),
- "--out",
- str(cls.new_keys / f"{algo}_{type_}{name_suffix}"),
- ]
-
- if has_password:
- args += ["--password", "password"]
-
- with patch.object(sys, "argv", args):
- migrate_key_cli()
-
- @classmethod
- def tearDownClass(cls):
- shutil.rmtree(cls.new_keys)
-
- def _from_file(self, algo):
- with open(self.new_keys / f"{algo}_public", "rb") as f:
- pem = f.read()
- return load_pem_public_key(pem)
-
- def test_migrated_keys(self):
- for algo in ["rsa", "ecdsa", "ed25519"]:
- # Load public key
- crypto_key = self._from_file(algo)
- public_key = SSlibKey.from_crypto(crypto_key)
-
- # Load unencrypted private key
- path = self.new_keys / f"{algo}_private_unencrypted"
- uri = f"file:{path}?encrypted=false"
- signer_unenc = CryptoSigner.from_priv_key_uri(uri, public_key)
-
- # Load encrypted private key
- path = self.new_keys / f"{algo}_private_encrypted"
- uri = f"file:{path}?encrypted=true"
- signer_enc = CryptoSigner.from_priv_key_uri(
- uri, public_key, lambda sec: "password"
- )
-
- # Sign and test signatures
- for signer in [signer_unenc, signer_enc]:
- sig = signer.sign(b"data")
- self.assertIsNone(public_key.verify_signature(sig, b"data"))
- with self.assertRaises(UnverifiedSignatureError):
- public_key.verify_signature(sig, b"not data")
-
- def test_new_signature_verifies_with_old_key(self):
- for algo in ["rsa", "ecdsa", "ed25519"]:
- # Load old public key
- key_dicts = import_publickeys_from_file(
- [str(self.old_keys / f"{algo}_public")], [algo]
- )
- key_dict = list(key_dicts.values())[0]
- public_key = SSlibKey.from_securesystemslib_key(key_dict)
-
- # Load new private key
- # NOTE: The signer is loaded with the old public key, thus the old
- # keyid will be assigned to any new signatures.
- path = self.new_keys / f"{algo}_private_unencrypted"
- uri = f"file:{path}?encrypted=false"
- signer = CryptoSigner.from_priv_key_uri(uri, public_key)
-
- # Sign and test signatures
- sig = signer.sign(b"data")
- self.assertIsNone(public_key.verify_signature(sig, b"data"))
- with self.assertRaises(UnverifiedSignatureError):
- public_key.verify_signature(sig, b"not data")
-
- def test_old_signature_verifies_with_new_key(self):
- for algo in ["rsa", "ecdsa", "ed25519"]:
- # Load old private key
- private_key = import_privatekey_from_file(
- str(self.old_keys / f"{algo}_private_unencrypted"), algo
- )
- signer = SSlibSigner(private_key)
-
- # Load new public key
- crypto_key = self._from_file(algo)
- # NOTE: The new auto-keyid would differ from the old keyid.
- # Set it explicitly, to verify signatures with old keyid below
- public_key = SSlibKey.from_crypto(
- crypto_key, keyid=private_key["keyid"]
- )
-
- # Sign and test signature
- sig = signer.sign(b"data")
- self.assertIsNone(public_key.verify_signature(sig, b"data"))
- with self.assertRaises(UnverifiedSignatureError):
- public_key.verify_signature(sig, b"not data")
-
-
-# Run the unit tests.
-if __name__ == "__main__":
- unittest.main()