Support for RSA-PKCS1v15-HASH_ID scheme

[danixeee]

Add support for RSA-PKCS1v15 signatures, as well as other supported openssl hash algorithms.

Description of the changes being introduced by the pull request:

Allow passing one of the following schemes, when generating keys and creating/verifying signatures:

• rsassa-pss-HASH_ID
• rsa-pkcs1v15-HASH_ID

Where HASH_ID is one of: md5, sha1, sha224, sha256, sha384 and sha512.

HASH_ID is picked from a scheme, so changes are backwards compatible.

Please verify and check that the pull request fulfills the following
requirements:

• The code follows the Code Style Guidelines
• Tests have been added for the bug fix or new feature
• Docs have been added for the bug fix or new feature

[danixeee]

Hi @lukpueh, I didn't see that you are working on gpg transition on your fork. I was looking at branches that belongs to this repository, but now I can see that our work does not overlap, which is great. :)

I guess we should continue the conversation from #163 here.

Note that I didn't adapt SIGNATURE_SCHEMA in #174 as you did here, because it felt like a bigger change. I'd rather do this in a separate PR, maybe as part of a broader formats/schema revision. Do you think you can work around this by adding something like below to your taf.formats and patching append_signature accordingly?

Do you think I should merge your work (#174) to mine (#173) and update things that you have proposed in this PR?

[lukpueh]

Thanks for the solid PR, @danixeee! I have a few minor comments inline and two style wishes below. Please consider addressing them and we should be able to merge this rather soon.

minor style wishes:

• Would you mind removing the trailing whitespace you added in hash.py (see e.g. git diff --check)?
• Would you please revert the alignments of continued lines in pyca_crypto_keys.py that are unrelated to this PR (was that your IDE?)?
  In general, I think our code style is in favor of hanging indent, although not strictly according to pep8, i.e. arguments on the first line are okay. IMO vertical alignment is okay, but it shouldn't exceed the max line length of 80 characters.

[lukpueh]

Just for completeness the sake of completeness, could you add two more lines for sha384?

[lukpueh]

Are the sha384 variants left out on purpose?

[lukpueh]

On an unrelated side-note: I really think securesystemslib should have a constants module that's also used to define schemas in the formats module, so that we don't re-define the same string constants in the different places. We can leave it like it is here, but I'll follow up with an issue about it.

[danixeee]

I left it accidentally, thanks.

[lukpueh]

This is pretty neat but it has a few downsides:

1. Just by looking at it we don't know what hash algos we get here,
2. We actually get a lot more algos than we "support" (or test for):

   >>> list(PYCA_DIGEST_OBJECTS_CACHE.keys())
   ['sha224', 'md5', 'sha1', 'sha3-224', 'blake2s', 'sha384', 'shake256', 'sha3-256', 'blake2b', 'sha512-224', 'sha256', 
   'sha3-512', 'sha512-256', 'sha3-384', 'shake128', 'sha512']
   

3. abc.ABC._abc_registry is not officially documented and e.g. won't be available in Python 3.7.

So for the sake of readability and explicitness I suggest a less neat solution, e.g.:

import cryptography.hazmat.primitives.hashes as _pyca_hashes
PYCA_DIGEST_OBJECTS_CACHE = {
  "md5":  pyca_hashes.MD5,
  "sha1": _pyca_hashes.SHA1,
  "sha224": _pyca_hashes.SHA224,
  "sha256": _pyca_hashes.SHA256,
  "sha384": _pyca_hashes.SHA384,
  "sha512": _pyca_hashes.SHA512
}

I could also see a compromise of neat and explicit like...

import cryptography.hazmat.primitives.hashes
SUPPORTED_HASH_ALGOS = ["md5", "sha1"] # ...

PYCA_DIGEST_OBJECTS_CACHE = {
  algo: vars(cryptography.hazmat.primitives.hashes)[algo.upper()] for algo
  in SUPPORTED_HASH_ALGOS}

What do you think?

[danixeee]

Agreed, I think that explicit way is the most readable. I had similar code already (https://github.com/openlawlibrary/securesystemslib/blob/e5051e610a6e6d3c58c9b72d3d79e1ed955ea188/securesystemslib/pyca_crypto_keys.py#L159), not sure why I changed it. :)

[lukpueh]

I don't think you need the global keyword here.

[lukpueh]

Please double indent continued lines.

[lukpueh]

Minor nit: We usually use UpperCamelCase for classes

[lukpueh]

Please add newline

[lukpueh]

Since you already nicely re-wrote most of this function, would you mind changing above to:

if not len(private_key):
  raise ValueError('The required private key is unset.')

... and move the "try/except/except/except" block on indentation level inwards. I think this makes quite a difference in terms of readability. :)

[lukpueh]

Do you think I should merge your work (#174) to mine (#173) and update things that you have proposed in this PR?

No need to do that. Let's treat them separately while reviewing, and rebase the pending one, once the other one gets merged. I suspect your's will be merged sooner than mine, so I'll do the rebase on my side. :)

[danixeee]

@lukpueh I think that I have addressed all your comments for now, thank you for the fast review!

Would you please revert the alignments of continued lines in pyca_crypto_keys.py that are unrelated to this PR (was that your IDE?)?

It was, I am using VS Code but I disabled all formatters, not sure why it changed those alignments. It should be fine now.

Do you think I should merge your work (#174) to mine (#173) and update things that you have proposed in this PR?

I asked this because I will need gpg formats from your PR in order to change schemas. Should I copy them manually then?

[coveralls]

Coverage remained the same at 100.0% when pulling 3116ee2 on openlawlibrary:danixeee/rsa-pkcs1v15-scheme into 6ef6c61 on secure-systems-lab:master.

[lukpueh]

LGTM. Thanks! :)

[lukpueh]

I asked this because I will need gpg formats from your PR in order to change schemas. Should I copy them manually then?

I'll merge this PR now and will rebase my lukpueh:add-gpg from #174 onto master. I suggest you work on top of lukpueh:add-gpg then. It shouldn't change a lot, because the logic has already been reviewed in in-toto. However, it still needs someone to take a look at it before we merge it here (cc @SantiagoTorres, @mnm678).