ASN.1: RSA key compat: key vals OctetString -> VisibleString

awwad · awwad · commit da726fed7645 · 2018-11-08T16:36:20.000-05:00
Switch to using VisibleString to encode key values, since RSA keys
are ASCII-prefixed Base64, while ed25519 key values are hex strings.
This is inefficient, but this reference implementation profits from
being simple. May reconsider later and add specialized code. :/

Signed-off-by: Sebastien Awwad &lt;sebastien.awwad@gmail.com&gt;
diff --git a/tuf/encoding/asn1_convert.py b/tuf/encoding/asn1_convert.py
@@ -183,6 +183,11 @@ def public_key_to_pyasn1(public_key_dict):
     raise tuf.exceptions.FormatError('Expected public key, received key dict '
         'containing a private key entry!')
 
+  # TODO: Intelligently handle PEM-style RSA keys, which have value set to an
+  # ASCII-prefixed Base64 string like:
+  #    '-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQE...'
+  # while also handling ed25519 keys, which have hexstring values. For now,
+  # we're using VisibleString inefficiently, for easy compatibility with both.
   key_pyasn1 = asn1_definitions.PublicKey()
   key_pyasn1['keytype'] = public_key_dict['keytype']
   key_pyasn1['scheme'] = public_key_dict['scheme']
@@ -202,8 +207,10 @@ def public_key_to_pyasn1(public_key_dict):
   i = 0
   for valtype in public_key_dict['keyval']:
     keyval_pyasn1 = asn1_definitions.KeyValue()
-    keyval_pyasn1['public'] = pyasn1_univ.OctetString(
-        hexValue=public_key_dict['keyval'][valtype])
+    # OctetString handling for ed25519 keys, if definitions use OCTET STRING
+    # keyval_pyasn1['public'] = pyasn1_univ.OctetString(
+    #     hexValue=public_key_dict['keyval'][valtype])
+    keyval_pyasn1['public'] = public_key_dict['keyval'][valtype]
     keyvals_pyasn1[i] = keyval_pyasn1
     i += 1
 
diff --git a/tuf/encoding/asn1_metadata_definitions.py b/tuf/encoding/asn1_metadata_definitions.py
@@ -89,7 +89,7 @@ class KeyIDHashAlgorithms(univ.SequenceOf):
 # non-ASN.1 metadata definitions.
 class KeyValue(univ.Sequence):
   componentType = NamedTypes(
-      NamedType('public', univ.OctetString()))
+      NamedType('public', char.VisibleString())) #univ.OctetString()))
 
 class PublicKey(univ.Sequence):
   componentType = NamedTypes(
diff --git a/tuf/encoding/metadata_definitions.asn1 b/tuf/encoding/metadata_definitions.asn1
@@ -147,9 +147,13 @@ TUFMetadataDefinitions DEFINITIONS AUTOMATIC TAGS ::= BEGIN
   PublicKey ::= SEQUENCE {
     keytype             VisibleString,
     scheme              VisibleString,
-    keyval              SEQUENCE {
-      type              VisibleString,            -- expect 'public'
-      value             OCTET STRING
+    keyval              SEQUENCE OF SEQUENCE {  -- even though we only expect 1
+      type              VisibleString,          -- expect 'public'
+      -- value here would ideally be an OCTET STRING, but for now, for
+      -- compatibility with both ed25519 (hexstring that translates naturally to
+      -- an OCTET STRING) and RSA (ASCII-prefixed Base64 that requires some
+      -- translation), we'll just use an inefficient unicode string....
+      value             VisibleString
     },
     keyid-hash-algorithms SEQUENCE OF VisibleString
   }
