diff --git a/securesystemslib/signer/__init__.py b/securesystemslib/signer/__init__.py index 8edfb547..7991ba98 100644 --- a/securesystemslib/signer/__init__.py +++ b/securesystemslib/signer/__init__.py @@ -24,7 +24,6 @@ SpxSigner, generate_spx_key_pair, ) -from securesystemslib.signer._sslib_signer import SSlibSigner # Register supported private key uri schemes and the Signers implementing them SIGNER_FOR_URI_SCHEME.update( diff --git a/securesystemslib/signer/_signer.py b/securesystemslib/signer/_signer.py index dc836957..a31433e9 100644 --- a/securesystemslib/signer/_signer.py +++ b/securesystemslib/signer/_signer.py @@ -30,7 +30,7 @@ class Signer(metaclass=ABCMeta): Usage example:: - signer = Signer.from_priv_key_uri("envvar:MYPRIVKEY", pub_key) + signer = Signer.from_priv_key_uri(uri, pub_key) sig = signer.sign(b"data") Note that signer implementations may raise errors (during both @@ -39,11 +39,7 @@ class Signer(metaclass=ABCMeta): Applications should use generic try-except here if unexpected raises are not an option. - See ``SIGNER_FOR_URI_SCHEME`` for supported private key URI schemes. The - currently supported default schemes are: - - * envvar: see ``SSlibSigner`` for details - * file: see ``SSlibSigner`` for details + See ``SIGNER_FOR_URI_SCHEME`` for supported private key URI schemes. Interactive applications may also define a secrets handler that allows asking for user secrets if they are needed:: @@ -53,14 +49,8 @@ class Signer(metaclass=ABCMeta): def sec_handler(secret_name:str) -> str: return getpass(f"Enter {secret_name}: ") - # user will not be asked for a passphrase for unencrypted key - uri = "file:keys/mykey?encrypted=false" signer = Signer.from_priv_key_uri(uri, pub_key, sec_handler) - # user will be asked for a passphrase for encrypted key - uri2 = "file:keys/myenckey?encrypted=true" - signer2 = Signer.from_priv_key_uri(uri2, pub_key2, sec_handler) - Applications can provide their own Signer and Key implementations:: from securesystemslib.signer import Signer, SIGNER_FOR_URI_SCHEME diff --git a/securesystemslib/signer/_sslib_signer.py b/securesystemslib/signer/_sslib_signer.py deleted file mode 100644 index beb9f95a..00000000 --- a/securesystemslib/signer/_sslib_signer.py +++ /dev/null @@ -1,118 +0,0 @@ -"""Legacy signer default implementations""" - -import logging -import os -from typing import Dict, Optional -from urllib import parse - -from securesystemslib import keys as sslib_keys -from securesystemslib.signer._crypto_signer import CryptoSigner -from securesystemslib.signer._key import Key, SSlibKey -from securesystemslib.signer._signature import Signature -from securesystemslib.signer._signer import SecretsHandler, Signer - -logger = logging.getLogger(__name__) - - -class SSlibSigner(Signer): - """A securesystemslib signer implementation. - - Provides a sign method to generate a cryptographic signature with a - securesystemslib-style rsa, ed25519 or ecdsa key. See keys module - for the supported types, schemes and hash algorithms. - - SSlibSigners should be instantiated with Signer.from_priv_key_uri(). - These private key URI schemes are supported: - * "envvar:": - VAR is an environment variable with unencrypted private key content. - envvar:MYPRIVKEY - * "file:?encrypted=[true|false]": - PATH is a file path to a file with private key content. If - encrypted=true, the file is expected to have been created with - securesystemslib.keys.encrypt_key(). - file:path/to/file?encrypted=true - file:/abs/path/to/file?encrypted=false - - Attributes: - key_dict: - A securesystemslib-style key dictionary. This is an implementation - detail, not part of public API - - .. deprecated:: 0.28.0 - Please use ``CryptoSigner`` instead. - """ - - ENVVAR_URI_SCHEME = "envvar" - FILE_URI_SCHEME = "file" - - def __init__(self, key_dict: Dict): - self.key_dict = key_dict - self._crypto_signer = CryptoSigner.from_securesystemslib_key(key_dict) - self._public_key = SSlibKey.from_securesystemslib_key(key_dict) - - @classmethod - def from_priv_key_uri( - cls, - priv_key_uri: str, - public_key: Key, - secrets_handler: Optional[SecretsHandler] = None, - ) -> "SSlibSigner": - """Constructor for Signer to call - - Please refer to Signer.from_priv_key_uri() documentation. - - Additionally raises: - OSError: Reading the file failed with "file:" URI - """ - if not isinstance(public_key, SSlibKey): - raise ValueError(f"Expected SSlibKey for {priv_key_uri}") - - uri = parse.urlparse(priv_key_uri) - - if uri.scheme == cls.ENVVAR_URI_SCHEME: - # read private key from environment variable - private = os.getenv(uri.path) - if private is None: - raise ValueError(f"Unset env var for {priv_key_uri}") - - elif uri.scheme == cls.FILE_URI_SCHEME: - params = dict(parse.parse_qsl(uri.query)) - if "encrypted" not in params: - raise ValueError(f"{uri.scheme} requires 'encrypted' parameter") - - # read private key (may be encrypted or not) from file - with open(uri.path, "rb") as f: - private = f.read().decode() - - if params["encrypted"] != "false": - if not secrets_handler: - raise ValueError("encrypted key requires a secrets handler") - - secret = secrets_handler("passphrase") - decrypted = sslib_keys.decrypt_key(private, secret) - private = decrypted["keyval"]["private"] - - else: - raise ValueError(f"SSlibSigner does not support {priv_key_uri}") - - keydict = public_key.to_securesystemslib_key() - keydict["keyval"]["private"] = private - - return cls(keydict) - - @property - def public_key(self) -> Key: - return self._public_key - - def sign(self, payload: bytes) -> Signature: - """Signs a given payload by the key assigned to the SSlibSigner instance. - - Please see Signer.sign() documentation. - - Additionally raises: - securesystemslib.exceptions.FormatError: Key argument is malformed. - securesystemslib.exceptions.CryptoError, \ - securesystemslib.exceptions.UnsupportedAlgorithmError: - Signing errors. - """ - return self._crypto_signer.sign(payload)