Use hash algo per ecdsa curve and add nistp384

This commit adds support for verifying ecdsa signature on the nistp384 curve with sha384 digests to the internal ecdsa_keys module. It does so by adding module global helper dictionary to map schemes to hash algorithms. Note: This commit tries to blend in with the current sslib design. In future work we should: - define securesystemslib-wide constants instead of hardcoding strings over and over again (see item 3 in #183)
secure-systems-lab · Apr 6, 2020 · 3e8a3d9 · 3e8a3d9
1 parent 761aded
commit 3e8a3d9
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/securesystemslib/ecdsa_keys.py b/securesystemslib/ecdsa_keys.py
@@ -57,6 +57,12 @@
   from cryptography.hazmat.primitives.serialization import load_pem_private_key
 
   import cryptography.exceptions
+
+  _SCHEME_HASHER = {
+    'ecdsa-sha2-nistp256': ec.ECDSA(hashes.SHA256()),
+    'ecdsa-sha2-nistp384': ec.ECDSA(hashes.SHA384())
+  }
+
 except ImportError:
   CRYPTO = False
 
@@ -331,7 +337,7 @@ def verify_signature(public_key, scheme, signature, data):
   # verify() raises an 'InvalidSignature' exception if 'signature'
   # is invalid.
   try:
-    ecdsa_key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
+    ecdsa_key.verify(signature, data, _SCHEME_HASHER[scheme])
     return True
 
   except (TypeError, cryptography.exceptions.InvalidSignature):