-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Standardize on-disk key formats #68
Conversation
This change matches python-securesystemslib by retiring the custom serialization format. With this change, RSA, ED25519, and ECDSA keys can be loaded from standard PEM encoding, meaning custom tooling isn't needed to generate the keys. This commit adds deprecation warnings to prior Load methods that expected the custom format. Signed-off-by: Aditya Sirish <aditya@saky.in>
Support PEM encoding for all key types
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code looks good. I only have two high-level comments:
-
There is still a minor inconsistency in the test key file formats. That is,
rsa-test-key
is in PKCS1 format, whereas the others private keys are PKCS8. Since your deserialization code supports both, it's not an issue, I just wanted to point it out.For comparison,
python-securesystemslib
's private key deserialization API also supports both (by usingpyca/cryptography
's genericload_pem_private_key
method). But it does note that only pkcs8 is tested for all keytypes. -
This might be out of scope for this PR, but I'll still mention it, because the PR adds serialization code for private key data stored in
SSlibKey.KeyVal.Private
:The newer python-securesystemslib implementation separates private key objects (
Signer
) and public key objects (Key
). This also means that it no longer stores private key data in a serialized format together with the public key, but uses whatever format makes sense for the signing provider (e.g. an rsa private key is stored aspyca/cryptography
RSAPrivateKey
object).
* Add RSA private key encoded as PKCS8 * Refactor tests to use a table, DRY Signed-off-by: Aditya Sirish <aditya@saky.in>
I added a PKCS8 encoded key file for the same key, and it's tested too.
The plan for go-securesystemslib is to provide something similar to python-securesystemslib. With this PR, the flow is to go from |
Submitting #67 for merge into main.