Made internal keyids consistent #453
Conversation
|
I think this looks ok. Can you confirm if this fixes a practical issue or if it's just a cosmetic fix: even if cryptography sometimes includes whitespace in the pem, why do we care? Does something break? I think roughly everyone agrees that keyids are not ideal: IMO they should not be tied to key content at all and should be just identifiers. If I recall correctly TAP-12 is the attempt at making that the rule in TUF. |
It breaks the tests for importing SSH keys. When one imports a public key to hazmat and exports them to PEM, and one imports a private key to hazmat, converts it to public one and exports to PEM, the PEM reprs differ by a line break character in the end. Currently |
|
I see. The PR seems fine to me but my suggestion is that you should not expect the keyid to be reproducible like that: I don't think the implementation is very robust so things like modifying values in securesystemslib.settings will break that reproducibility... |
I know, for example base64 reprs of keys usually ignore line breaks, so changing the line wrap width will also break the keyids. Ideally the field should be immediately renamed into an So this PR just relieves some of the sympthoms. |
KOLANICH
force-pushed
the
internal_keyid_consistency
branch
2 times, most recently
from
4e3f646 to
acb823b
Compare
|
Thanks for the patch, @KOLANICH! I think the patch makes sense, but I wonder if it is all that helpful, given the more substantial issues with keyids discussed above. If this is currently only needed for #451, then I suggest to defer until we know how to proceed with #451. See #451 (comment) |
It is, but I'm not sure that working around the lack of this patch via monkey-patching makes sense. Of course the keyids will be fixed somewhen and all the impls (including |
KOLANICH
force-pushed
the
internal_keyid_consistency
branch
from
acb823b to
3ea7d4b
Compare
|
Worked around for 1 key type with monkey-patching. https://github.com/KOLANICH/securesystemslib_KOLANICH.py |
KOLANICH
force-pushed
the
internal_keyid_consistency
branch
from
3ea7d4b to
378aa7f
Compare
…e key imported from different sources because of internal usage of PEM serialization an usage of hashsum of such a serialization as an internal keyid. This won't fix all the inconsistency issues, the way keys are hashed to obtain key ids should be completely reworked.
KOLANICH
force-pushed
the
internal_keyid_consistency
branch
from
378aa7f to
7c159c9
Compare
There was a problem hiding this comment.
I don't think I agree with the commit message: No-one seems to be interested enough to actually implement the keyid generation (for all keytypes) in the way current TUF spec defines it -- in other words the spec should be changed to not have the strict requirements and just require that keyids are unique per delegating role. I think in future securesystemslib should make it clear that users should not expect the generated keyids to be any kind of "stable API": it's just a way to get hopefully unique identifiers.
That said, the actual patch seems fine: it only modifies the output from key generation, so should not break code? Let's either merge or not, and then close this PR.
Description of the changes being introduced by the pull request:
It was noticed that internal keyids for ECDSA keys get inconsistent when imported from PEM because
hazmateither adds nonsignificant whitespaces or not.securesystemlibcurrently forms internal keyids by hashing PEM representations (which is IMHO incorrect), so the keyids are affected by nonsignificant changes. This PR just strips the PEM representations of trailing whitespaces. The proper solution to the problem is to generate the keyids from significant portions of keys only and to make them compatible to other impls, but it is not my job.Please verify and check that the pull request fulfils the following requirements: