Metadata API: Clean up verify_signature() exceptions

Aim to only raise UnsignedMetadataError from verify_signature(). Some of the situations could be things like UnsupportedAlgorithmError -- where the underlying reason may be a missing dependency -- but it seems impossible for a client to know whether it's that or whether it is broken or malicious server side. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
theupdateframework · Jun 11, 2021 · 275e4ca · 275e4ca
1 parent 6a20108
commit 275e4ca
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 9 deletions.
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -205,6 +205,26 @@ def test_sign_verify(self):
         with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
             targets_key.verify_signature(metadata_obj)
 
+        # Test failure on broken public key data (securesystemslib CryptoError)
+        public = timestamp_key.keyval["public"]
+        timestamp_key.keyval["public"] = "ffff"
+        with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
+            timestamp_key.verify_signature(metadata_obj)
+        timestamp_key.keyval["public"] = public
+
+        # Test failure with invalid signature (securesystemslib FormatError)
+        sig = metadata_obj.signatures[timestamp_keyid]
+        correct_sig = sig.signature
+        print (correct_sig)
+        sig.signature = "foo"
+        with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
+            timestamp_key.verify_signature(metadata_obj)
+
+        # Test failure with valid but incorrect signature
+        sig.signature = "52af76354db3403242e1437b1fbf1c7edc4e66b81dfd63b3026ff681d57e88e11a697cca78061a376a9dd8d7fde5777b14d4e6d8e75f976101cbc61321642f06"
+        with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
+            timestamp_key.verify_signature(metadata_obj)
+        sig.signature = correct_sig
 
     def test_metadata_base(self):
         # Use of Snapshot is arbitrary, we're just testing the base class features

diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -21,6 +21,7 @@
 from datetime import datetime, timedelta
 from typing import Any, ClassVar, Dict, List, Mapping, Optional, Tuple, Type
 
+from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import keys as sslib_keys
 from securesystemslib.signer import Signature, Signer
 from securesystemslib.storage import FilesystemBackend, StorageBackendInterface
@@ -454,8 +455,6 @@ def verify_signature(
         Raises:
             UnsignedMetadataError: The signature could not be verified for a
                 variety of possible reasons: see error message.
-            TODO: Various other errors currently bleed through from lower
-                level components: Issue #1351
         """
         try:
             signature = metadata.signatures[self.keyid]
@@ -471,15 +470,25 @@ def verify_signature(
 
             signed_serializer = CanonicalJSONSerializer()
 
-        if not sslib_keys.verify_signature(
-            self.to_securesystemslib_key(),
-            signature.to_dict(),
-            signed_serializer.serialize(metadata.signed),
-        ):
+        try:
+            if not sslib_keys.verify_signature(
+                self.to_securesystemslib_key(),
+                signature.to_dict(),
+                signed_serializer.serialize(metadata.signed),
+            ):
+                raise exceptions.UnsignedMetadataError(
+                    f"Failed to verify {self.keyid} signature",
+                    metadata.signed,
+                )
+        except (
+            sslib_exceptions.CryptoError,
+            sslib_exceptions.FormatError,
+            sslib_exceptions.UnsupportedAlgorithmError,
+        ) as e:
             raise exceptions.UnsignedMetadataError(
-                f"Failed to verify {self.keyid} signature for metadata",
+                f"Failed to verify {self.keyid} signature",
                 metadata.signed,
-            )
+            ) from e
 
 
 class Role: