openstack/nova
Code Issues Proposed changes

signature_utils: move to explicit image metadata

Browse Source 
In Nova, we are moving away from using an unnamed dictionary
to represent Glance image metadata. This change alters the
signature_utils module to take in the specific image properties
as individual parameters instead of as a dictionary.

Change-Id: Ia79c847de6ef55ddb1305f24fca47dfb822ad7c8
This commit is contained in:
Dane Fichter 2016-01-04 09:38:21 -05:00
parent 18014a7608
commit d8532315e0
2 changed files with 67 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
nova/signature_utils.py
View File

@ -73,12 +73,6 @@ MASK_GEN_ALGORITHMS = {
'MGF1': padding.MGF1,
}
# Required image property names
SIGNATURE = 'img_signature'
HASH_METHOD = 'img_signature_hash_method'
KEY_TYPE = 'img_signature_key_type'
CERT_UUID = 'img_signature_certificate_uuid'
class SignatureKeyType(object):
@ -116,17 +110,15 @@ class SignatureKeyType(object):
# each key type will require its own verifier
def create_verifier_for_pss(signature, hash_method, public_key,
image_properties):
def create_verifier_for_pss(signature, hash_method, public_key):
"""Create the verifier to use when the key type is RSA-PSS.
:param signature: the decoded signature to use
:param hash_method: the hash method to use, as a cryptography object
:param public_key: the public key to use, as a cryptography object
:param image_properties: the key-value properties about the image
:returns: the verifier to use to verify the signature for RSA-PSS
:raises: SignatureVerificationError if the RSA-PSS specific properties
are invalid
:returns: the verifier to use to verify the signature for RSA-PSS
"""
# default to MGF1
mgf = padding.MGF1(hash_method)
@ -142,14 +134,12 @@ def create_verifier_for_pss(signature, hash_method, public_key,
)
def create_verifier_for_ecc(signature, hash_method, public_key,
image_properties):
def create_verifier_for_ecc(signature, hash_method, public_key):
"""Create the verifier to use when the key type is ECC_*.
:param signature: the decoded signature to use
:param hash_method: the hash method to use, as a cryptography object
:param public_key: the public key to use, as a cryptography object
:param image_properties: the key-value properties about the image
:returns: the verifier to use to verify the signature for ECC_*.
"""
# return the verifier
@ -159,14 +149,12 @@ def create_verifier_for_ecc(signature, hash_method, public_key,
)
def create_verifier_for_dsa(signature, hash_method, public_key,
image_properties):
def create_verifier_for_dsa(signature, hash_method, public_key):
"""Create the verifier to use when the key type is DSA
:param signature: the decoded signature to use
:param hash_method: the hash method to use, as a cryptography object
:param public_key: the public key to use, as a cryptography object
:param image_properties: the key-value properties about the image
:returns: the verifier to use to verify the signature for DSA
"""
# return the verifier
@ -187,48 +175,45 @@ for curve in ECC_CURVES:
create_verifier_for_ecc)
def should_verify_signature(image_properties):
"""Determine whether a signature should be verified.
Using the image properties, determine whether existing properties indicate
that signature verification should be done.
:param image_properties: the key-value properties about the image
:returns: True, if signature metadata properties exist, False otherwise
"""
return (image_properties is not None and
CERT_UUID in image_properties and
HASH_METHOD in image_properties and
SIGNATURE in image_properties and
KEY_TYPE in image_properties)
def get_verifier(context, image_properties):
"""Retrieve the image properties and use them to create a verifier.
def get_verifier(context, img_signature_certificate_uuid,
img_signature_hash_method, img_signature,
img_signature_key_type):
"""Instantiate signature properties and use them to create a verifier.
:param context: the user context for authentication
:param image_properties: the key-value properties about the image
:param img_signature_certificate_uuid:
uuid of signing certificate stored in key manager
:param img_signature_hash_method:
string denoting hash method used to compute signature
:param img_signature: string of base64 encoding of signature
:param img_signature_key_type:
string denoting type of keypair used to compute signature
:returns: instance of
cryptography.hazmat.primitives.asymmetric.AsymmetricVerificationContext
:raises: SignatureVerificationError if we fail to build the verifier
"""
if not should_verify_signature(image_properties):
image_meta_props = {'img_signature_uuid': img_signature_certificate_uuid,
'img_signature_hash_method': img_signature_hash_method,
'img_signature': img_signature,
'img_signature_key_type': img_signature_key_type}
for key in image_meta_props.keys():
if image_meta_props[key] is None:
raise exception.SignatureVerificationError(
reason=_('Required image properties for signature verification'
' do not exist. Cannot verify signature.'))
' do not exist. Cannot verify signature. Missing'
' property: %s') % key)
signature = get_signature(image_properties[SIGNATURE])
hash_method = get_hash_method(image_properties[HASH_METHOD])
signature_key_type = SignatureKeyType.lookup(image_properties[KEY_TYPE])
signature = get_signature(img_signature)
hash_method = get_hash_method(img_signature_hash_method)
signature_key_type = SignatureKeyType.lookup(img_signature_key_type)
public_key = get_public_key(context,
image_properties[CERT_UUID],
img_signature_certificate_uuid,
signature_key_type)
# create the verifier based on the signature key type
verifier = signature_key_type.create_verifier(signature,
hash_method,
public_key,
image_properties)
public_key)
if verifier:
return verifier
else:

113
nova/tests/unit/test_signature_utils.py
View File

@ -41,12 +41,6 @@ TEST_ECC_PRIVATE_KEY = ec.generate_private_key(ec.SECP521R1(),
TEST_DSA_PRIVATE_KEY = dsa.generate_private_key(key_size=3072,
backend=default_backend())
# Required image property names
SIGNATURE = signature_utils.SIGNATURE
HASH_METHOD = signature_utils.HASH_METHOD
KEY_TYPE = signature_utils.KEY_TYPE
CERT_UUID = signature_utils.CERT_UUID
class FakeKeyManager(object):
@ -111,31 +105,6 @@ class BadPublicKey(object):
class TestSignatureUtils(test.NoDBTestCase):
"""Test methods of signature_utils"""
def test_should_verify_signature(self):
image_props = {CERT_UUID: 'CERT_UUID',
HASH_METHOD: 'HASH_METHOD',
SIGNATURE: 'SIGNATURE',
KEY_TYPE: 'SIG_KEY_TYPE'}
self.assertTrue(signature_utils.should_verify_signature(image_props))
def test_should_verify_signature_fail(self):
bad_image_properties = [{CERT_UUID: 'CERT_UUID',
HASH_METHOD: 'HASH_METHOD',
SIGNATURE: 'SIGNATURE'},
{CERT_UUID: 'CERT_UUID',
HASH_METHOD: 'HASH_METHOD',
KEY_TYPE: 'SIG_KEY_TYPE'},
{CERT_UUID: 'CERT_UUID',
SIGNATURE: 'SIGNATURE',
KEY_TYPE: 'SIG_KEY_TYPE'},
{HASH_METHOD: 'HASH_METHOD',
SIGNATURE: 'SIGNATURE',
KEY_TYPE: 'SIG_KEY_TYPE'}]
for bad_props in bad_image_properties:
result = signature_utils.should_verify_signature(bad_props)
self.assertFalse(result)
@mock.patch('nova.signature_utils.get_public_key')
def test_verify_signature_PSS(self, mock_get_pub_key):
data = b'224626ae19824466f2a7f39ab7b80f7f'
@ -150,12 +119,10 @@ class TestSignatureUtils(test.NoDBTestCase):
)
signer.update(data)
signature = base64.b64encode(signer.finalize())
image_props = {CERT_UUID:
'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
HASH_METHOD: hash_name,
KEY_TYPE: 'RSA-PSS',
SIGNATURE: signature}
verifier = signature_utils.get_verifier(None, image_props)
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
verifier = signature_utils.get_verifier(None, img_sig_cert_uuid,
hash_name, signature,
signature_utils.RSA_PSS)
verifier.update(data)
verifier.verify()
@ -182,12 +149,11 @@ class TestSignatureUtils(test.NoDBTestCase):
)
signer.update(data)
signature = base64.b64encode(signer.finalize())
image_props = {CERT_UUID:
'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
HASH_METHOD: hash_name,
KEY_TYPE: key_type_name,
SIGNATURE: signature}
verifier = signature_utils.get_verifier(None, image_props)
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
verifier = signature_utils.get_verifier(None,
img_sig_cert_uuid,
hash_name, signature,
key_type_name)
verifier.update(data)
verifier.verify()
@ -201,12 +167,10 @@ class TestSignatureUtils(test.NoDBTestCase):
)
signer.update(data)
signature = base64.b64encode(signer.finalize())
image_props = {CERT_UUID:
'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
HASH_METHOD: hash_name,
KEY_TYPE: 'DSA',
SIGNATURE: signature}
verifier = signature_utils.get_verifier(None, image_props)
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
verifier = signature_utils.get_verifier(None, img_sig_cert_uuid,
hash_name, signature,
signature_utils.DSA)
verifier.update(data)
verifier.verify()
@ -214,52 +178,43 @@ class TestSignatureUtils(test.NoDBTestCase):
def test_verify_signature_bad_signature(self, mock_get_pub_key):
data = b'224626ae19824466f2a7f39ab7b80f7f'
mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()
image_properties = {CERT_UUID:
'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
HASH_METHOD: 'SHA-256',
KEY_TYPE: 'RSA-PSS',
SIGNATURE: 'BLAH'}
verifier = signature_utils.get_verifier(None, image_properties)
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
verifier = signature_utils.get_verifier(None, img_sig_cert_uuid,
'SHA-256', 'BLAH',
signature_utils.RSA_PSS)
verifier.update(data)
self.assertRaises(crypto_exceptions.InvalidSignature,
verifier.verify)
@mock.patch('nova.signature_utils.should_verify_signature')
def test_get_verifier_invalid_image_props(self, mock_should):
mock_should.return_value = False
def test_get_verifier_invalid_image_props(self):
self.assertRaisesRegex(exception.SignatureVerificationError,
'Required image properties for signature'
' verification do not exist. Cannot verify'
' signature.',
' signature. Missing property: .*',
signature_utils.get_verifier,
None, None)
None, None, 'SHA-256', 'BLAH',
signature_utils.RSA_PSS)
@mock.patch('nova.signature_utils.get_public_key')
def test_verify_signature_bad_sig_key_type(self, mock_get_pub_key):
mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()
image_properties = {CERT_UUID:
'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
HASH_METHOD: 'SHA-256',
KEY_TYPE: 'BLAH',
SIGNATURE: 'BLAH'}
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
self.assertRaisesRegex(exception.SignatureVerificationError,
'Invalid signature key type: .*',
signature_utils.get_verifier,
None, image_properties)
None, img_sig_cert_uuid, 'SHA-256',
'BLAH', 'BLAH')
@mock.patch('nova.signature_utils.get_public_key')
def test_get_verifier_none(self, mock_get_pub_key):
mock_get_pub_key.return_value = BadPublicKey()
image_properties = {CERT_UUID:
'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
HASH_METHOD: 'SHA-256',
KEY_TYPE: 'RSA-PSS',
SIGNATURE: 'BLAH'}
img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
self.assertRaisesRegex(exception.SignatureVerificationError,
'Error occurred while creating'
' the verifier',
signature_utils.get_verifier,
None, image_properties)
None, img_sig_cert_uuid, 'SHA-256',
'BLAH', signature_utils.RSA_PSS)
def test_get_signature(self):
signature = b'A' * 256
@ -285,7 +240,7 @@ class TestSignatureUtils(test.NoDBTestCase):
signature_utils.get_hash_method, 'SHA-2')
def test_signature_key_type_lookup(self):
for sig_format in ['RSA-PSS', 'DSA']:
for sig_format in [signature_utils.RSA_PSS, signature_utils.DSA]:
sig_key_type = signature_utils.SignatureKeyType.lookup(sig_format)
self.assertIsInstance(sig_key_type,
signature_utils.SignatureKeyType)
@ -301,7 +256,9 @@ class TestSignatureUtils(test.NoDBTestCase):
def test_get_public_key_rsa(self, mock_get_cert):
fake_cert = FakeCryptoCertificate()
mock_get_cert.return_value = fake_cert
sig_key_type = signature_utils.SignatureKeyType.lookup('RSA-PSS')
sig_key_type = signature_utils.SignatureKeyType.lookup(
signature_utils.RSA_PSS
)
result_pub_key = signature_utils.get_public_key(None, None,
sig_key_type)
self.assertEqual(fake_cert.public_key(), result_pub_key)
@ -319,7 +276,9 @@ class TestSignatureUtils(test.NoDBTestCase):
def test_get_public_key_dsa(self, mock_get_cert):
fake_cert = FakeCryptoCertificate(TEST_DSA_PRIVATE_KEY.public_key())
mock_get_cert.return_value = fake_cert
sig_key_type = signature_utils.SignatureKeyType.lookup('DSA')
sig_key_type = signature_utils.SignatureKeyType.lookup(
signature_utils.DSA
)
result_pub_key = signature_utils.get_public_key(None, None,
sig_key_type)
self.assertEqual(fake_cert.public_key(), result_pub_key)
@ -328,7 +287,9 @@ class TestSignatureUtils(test.NoDBTestCase):
def test_get_public_key_invalid_key(self, mock_get_certificate):
bad_pub_key = 'A' * 256
mock_get_certificate.return_value = FakeCryptoCertificate(bad_pub_key)
sig_key_type = signature_utils.SignatureKeyType.lookup('RSA-PSS')
sig_key_type = signature_utils.SignatureKeyType.lookup(
signature_utils.RSA_PSS
)
self.assertRaisesRegex(exception.SignatureVerificationError,
'Invalid public key type for '
'signature key type: .*',