Merge pull request #228 from lukpueh/add-nistp384-support

Add nistp384 signature verification support
secure-systems-lab · Apr 9, 2020 · 967c16b · 967c16b
2 parents 4190a18 + efe9afe
commit 967c16b
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 14 deletions.
diff --git a/securesystemslib/ecdsa_keys.py b/securesystemslib/ecdsa_keys.py
@@ -57,6 +57,12 @@
   from cryptography.hazmat.primitives.serialization import load_pem_private_key
 
   import cryptography.exceptions
+
+  _SCHEME_HASHER = {
+    'ecdsa-sha2-nistp256': ec.ECDSA(hashes.SHA256()),
+    'ecdsa-sha2-nistp384': ec.ECDSA(hashes.SHA384())
+  }
+
 except ImportError:
   CRYPTO = False
 
@@ -331,7 +337,7 @@ def verify_signature(public_key, scheme, signature, data):
   # verify() raises an 'InvalidSignature' exception if 'signature'
   # is invalid.
   try:
-    ecdsa_key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
+    ecdsa_key.verify(signature, data, _SCHEME_HASHER[scheme])
     return True
 
   except (TypeError, cryptography.exceptions.InvalidSignature):

diff --git a/securesystemslib/formats.py b/securesystemslib/formats.py
@@ -164,9 +164,8 @@
 # http://www.emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm#table1
 RSAKEYBITS_SCHEMA = SCHEMA.Integer(lo=2048)
 
-# The supported ECDSA signature schemes (ecdsa-sha2-nistp256 is supported by
-# default).
-ECDSA_SCHEME_SCHEMA = SCHEMA.OneOf([SCHEMA.String('ecdsa-sha2-nistp256')])
+# The supported ECDSA signature schemes
+ECDSA_SCHEME_SCHEMA = SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)')
 
 # A pyca-cryptography signature.
 PYCACRYPTOSIGNATURE_SCHEMA = SCHEMA.AnyBytes()
@@ -201,7 +200,7 @@
 # Supported securesystemslib key types.
 KEYTYPE_SCHEMA = SCHEMA.OneOf(
   [SCHEMA.String('rsa'), SCHEMA.String('ed25519'),
-   SCHEMA.String('ecdsa-sha2-nistp256')])
+   SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)')])
 
 # A generic securesystemslib key.  All securesystemslib keys should be saved to
 # metadata files in this format.
@@ -254,7 +253,7 @@
 # An ECDSA securesystemslib key.
 ECDSAKEY_SCHEMA = SCHEMA.Object(
   object_name = 'ECDSAKEY_SCHEMA',
-  keytype = SCHEMA.String('ecdsa-sha2-nistp256'),
+  keytype = SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)'),
   scheme = ECDSA_SCHEME_SCHEMA,
   keyid = KEYID_SCHEMA,
   keyid_hash_algorithms = SCHEMA.Optional(HASHALGORITHMS_SCHEMA),
@@ -272,12 +271,6 @@
 # An ECDSA signature.
 ECDSASIGNATURE_SCHEMA = SCHEMA.AnyBytes()
 
-# Required installation libraries expected by the repository tools and other
-# cryptography modules.
-REQUIRED_LIBRARIES_SCHEMA = SCHEMA.ListOf(SCHEMA.OneOf(
-  [SCHEMA.String('general'), SCHEMA.String('ed25519'), SCHEMA.String('rsa'),
-   SCHEMA.String('ecdsa-sha2-nistp256')]))
-
 # Ed25519 signature schemes.  The vanilla Ed25519 signature scheme is currently
 # supported.
 ED25519_SIG_SCHEMA = SCHEMA.OneOf([SCHEMA.String('ed25519')])

diff --git a/securesystemslib/keys.py b/securesystemslib/keys.py
@@ -847,8 +847,8 @@ def verify_signature(key_dict, signature, data):
       raise securesystemslib.exceptions.UnsupportedAlgorithmError('Unsupported'
           ' signature scheme is specified: ' + repr(scheme))
 
-  elif keytype == 'ecdsa-sha2-nistp256':
-    if scheme == 'ecdsa-sha2-nistp256':
+  elif keytype in ['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384']:
+    if scheme in ['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384']:
       valid_signature = securesystemslib.ecdsa_keys.verify_signature(public,
         scheme, sig, data)