Standardize on-disk key formats #68
Conversation
This change matches python-securesystemslib by retiring the custom serialization format. With this change, RSA, ED25519, and ECDSA keys can be loaded from standard PEM encoding, meaning custom tooling isn't needed to generate the keys. This commit adds deprecation warnings to prior Load methods that expected the custom format. Signed-off-by: Aditya Sirish <aditya@saky.in>
Support PEM encoding for all key types
There was a problem hiding this comment.
Code looks good. I only have two high-level comments:
-
There is still a minor inconsistency in the test key file formats. That is,
rsa-test-keyis in PKCS1 format, whereas the others private keys are PKCS8. Since your deserialization code supports both, it's not an issue, I just wanted to point it out.For comparison,
python-securesystemslib's private key deserialization API also supports both (by usingpyca/cryptography's genericload_pem_private_keymethod). But it does note that only pkcs8 is tested for all keytypes. -
This might be out of scope for this PR, but I'll still mention it, because the PR adds serialization code for private key data stored in
SSlibKey.KeyVal.Private:The newer python-securesystemslib implementation separates private key objects (
Signer) and public key objects (Key). This also means that it no longer stores private key data in a serialized format together with the public key, but uses whatever format makes sense for the signing provider (e.g. an rsa private key is stored aspyca/cryptographyRSAPrivateKeyobject).
* Add RSA private key encoded as PKCS8 * Refactor tests to use a table, DRY Signed-off-by: Aditya Sirish <aditya@saky.in>
I added a PKCS8 encoded key file for the same key, and it's tested too.
The plan for go-securesystemslib is to provide something similar to python-securesystemslib. With this PR, the flow is to go from |
Submitting #67 for merge into main.