signer API: review exceptions specifically for Key.verify_signature #595

lukpueh opened this issue Jun 2, 2023 · 2 comments
Labels: discussion (Issues that require discussion)
lukpueh commented Jun 2, 2023

API docs say that Key.verify_signature raises either UnverifiedSignatureError ("Failed to verify signature") or VerificationError ("Signature verification process error").

As a consequence, we have the following pattern in current Key implementations:

```
try:
  - prepare key and signature (e.g. pop value from dict, deserialize)
  - verify signature

except implementation-specific "unverified signature"-error:
  - re-raise as UnverifiedSignatureError

except everything else:
  - re-raise as VerificationError
```

During review of #585, we discussed whether catching a generic Exception was acceptable here, and whether the method should pass through or raise other exception types like ValueError (e.g. if the keyids in key and signature don't match) or UnsupportedLibraryError.

The underlying question is how a client should be able to handle (e.g. fail, ignore, recover from) all types of verification errors. This includes failures due to key or signature formats that are not supported by the library (at all, or because an optional dependency is missing).


EDIT: Let's also make sure that this is properly tested.

lukpueh commented Jun 2, 2023

Some thoughts about requirements:

  • Applications should be able to use a threshold verification algorithm, which only cares about valid signatures.
  • This means applications should be able to successfully parse metadata (using Key.from_dict) and attempt verification (using key.verify_signature), even with keys with unknown or unsupported keytypes or schemes.
  • Known keytypes and schemes with invalid formats should fail parsing or verification.

lukpueh commented Jun 2, 2023

> • Applications should be able to use a threshold verification algorithm, which only cares about valid signatures.
> • This means applications should be able to successfully parse metadata (using Key.from_dict) and attempt verification (using key.verify_signature), even with keys with unknown or unsupported keytypes or schemes.

Currently, Key.from_dict raises an error on unknown keytypes and schemes. If the application just catches the error and skips the unknown key, it will break any signature verification of the container metadata if that depends on canonicalisation, which is the default for tuf and in-toto.
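The try/except pattern from the first comment and the "only count valid signatures" threshold check from the later comments, as one added example. This is not securesystemslib's code: the exception classes are stand-ins with the names used in the issue, HMAC-SHA256 stands in for a real signature scheme, and HmacKey, UnsupportedKey, make_sig and threshold_verify are constructed names.

```python
import hashlib
import hmac

# Stand-ins for the exception names discussed in the issue (not imported from the library).
class UnverifiedSignatureError(Exception): pass
class VerificationError(Exception): pass
class UnsupportedLibraryError(Exception): pass
class _BackendUnverified(Exception): pass  # constructed "implementation-specific" failure


def make_sig(keyid: str, secret: bytes, data: bytes) -> dict:
    # Constructed signer: HMAC-SHA256 stands in for a real signature scheme.
    return {"keyid": keyid, "sig": hmac.new(secret, data, hashlib.sha256).hexdigest()}


class HmacKey:
    """Constructed Key stand-in following the try/except pattern from the issue."""
    def __init__(self, keyid: str, secret: bytes):
        self.keyid, self.secret = keyid, secret

    def verify_signature(self, signature: dict, data: bytes) -> None:
        try:
            if signature["keyid"] != self.keyid:        # prepare: metadata sanity check
                raise ValueError("keyid mismatch")
            sig = bytes.fromhex(signature["sig"])       # prepare: deserialize
            expected = hmac.new(self.secret, data, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, sig):  # verify
                raise _BackendUnverified()
        except _BackendUnverified as e:
            raise UnverifiedSignatureError(f"{self.keyid}: signature invalid") from e
        except Exception as e:                          # everything else
            raise VerificationError(f"{self.keyid}: {e!r}") from e


class UnsupportedKey:
    """Constructed stand-in for a key whose scheme has no usable backend."""
    def __init__(self, keyid: str): self.keyid = keyid

    def verify_signature(self, signature: dict, data: bytes) -> None:
        raise UnsupportedLibraryError(f"{self.keyid}: no backend for this scheme")


def threshold_verify(keys: dict, signatures: list, data: bytes, threshold: int):
    """Count distinct keys whose signature verifies; every failure kind is just skipped."""
    verified, failures = set(), {}
    for sig in signatures:
        key = keys.get(sig.get("keyid"))
        if key is None or key.keyid in verified:        # unknown keyid or already counted
            continue
        try:
            key.verify_signature(sig, data)
            verified.add(key.keyid)
        except (UnverifiedSignatureError, VerificationError, UnsupportedLibraryError) as e:
            failures[key.keyid] = type(e).__name__
    return len(verified) >= threshold, verified, failures
```

The failures dict records why each non-counted signature was rejected, so a client can log or inspect the reason without any of those errors aborting the threshold decision.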

lukpueh added the discussion (Issues that require discussion) label, and added and then removed the contribfest (Issues for KubeCon EU contribfest) label, on Mar 14, 2024.