Add Key.from_securesystemslib_key

The securesystemslib key dictionary representation includes the private key in keyval. TUF key doesn't handle it in any way, but considering that we allow unrecognized symbols in the format, we should exclude the private key otherwise this could lead to misuse. A call to securesystemslib.keys.format_keyval_to_metadata with the default private=False would do exactly that. Signed-off-by: Velichka Atanasova <avelichka@vmware.com>
theupdateframework · Aug 26, 2021 · c875b7e · c875b7e
1 parent 8482f2c
commit c875b7e
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -54,6 +54,10 @@
     Signature
 )
 
+from securesystemslib.keys import (
+    generate_ed25519_key
+)
+
 logger = logging.getLogger(__name__)
 
 
@@ -421,6 +425,14 @@ def test_metadata_verify_delegate(self):
         root.verify_delegate('snapshot', snapshot)
 
 
+    def test_key_class(self):
+        # Test if from_securesystemslib_key removes the private key from keyval
+        # of a securesystemslib key dictionary.
+        sslib_key = generate_ed25519_key()
+        key = Key.from_securesystemslib_key(sslib_key)
+        self.assertFalse('private' in key.keyval.keys())
+
+
     def test_metadata_root(self):
         root_path = os.path.join(
                 self.repo_dir, 'metadata', 'root.json')

diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -562,6 +562,24 @@ def to_securesystemslib_key(self) -> Dict[str, Any]:
             "keyval": self.keyval,
         }
 
+    @classmethod
+    def from_securesystemslib_key(cls, key_dict: Dict[str, Any]) -> "Key":
+        """
+        Creates a Key object from a securesystemlib key dict representation
+        removing the private key from keyval.
+        """
+        key_meta = sslib_keys.format_keyval_to_metadata(
+            key_dict["keytype"],
+            key_dict["scheme"],
+            key_dict["keyval"],
+        )
+        return cls(
+            key_dict["keyid"],
+            key_meta["keytype"],
+            key_meta["scheme"],
+            key_meta["keyval"],
+        )
+
     def verify_signature(
         self,
         metadata: Metadata,