Remove HSMKey but keep from_hsm method (WIP)

HSMKey is only useful for its from_hsm method. This method is
temporarily moved to HSM test module, as verbatim copy
with some error handling commented out, and will likely be
moved to the HSMSigner in a subsequent commit.

**TODO core**

- Change signer init to only take public_key and secrets_handler

- change signer sign to
  - open session to first token
  - login using secrets handler
  - grab key with keyid 2

- add default scheme "hsm:"

- add from_priv_key_uri
  - move pubkey extraction to from_priv_key_uri

XXX: We'll have to change HSMSigner, if we want to do something
like hsm:YubiKey%20PIV%20%2315835999?piv_slot=9c

**TODO misc**

- fix tests/ci (see self-review)
  - include check_hsm_signer with aggregate_tests (maybe with some
    skipUnless), and include in ci.yml
- move to HSMSigner to _hsm_signer.py

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

Author: lukpueh

securesystemslib/signer/__init__.py

@@ -4,12 +4,7 @@
 This module provides extensible interfaces for public keys and signers:
 Some implementations are provided by default but more can be added by users.
 """
-from securesystemslib.signer._key import (
-    KEY_FOR_TYPE_AND_SCHEME,
-    HSMKey,
-    Key,
-    SSlibKey,
-)
+from securesystemslib.signer._key import KEY_FOR_TYPE_AND_SCHEME, Key, SSlibKey
 from securesystemslib.signer._signature import GPGSignature, Signature
 from securesystemslib.signer._signer import (
     SIGNER_FOR_URI_SCHEME,

securesystemslib/signer/_key.py

@@ -4,39 +4,9 @@
 from typing import Any, Dict, Optional, Tuple, Type
 
 import securesystemslib.keys as sslib_keys
-from securesystemslib import KEY_TYPE_ECDSA, exceptions
+from securesystemslib import exceptions
 from securesystemslib.signer._signature import Signature
 
-# pylint: disable=wrong-import-position
-CRYPTO_IMPORT_ERROR = None
-try:
-    from cryptography.hazmat.primitives import serialization
-    from cryptography.hazmat.primitives.asymmetric.ec import (
-        SECP256R1,
-        SECP384R1,
-        EllipticCurvePublicKey,
-        ObjectIdentifier,
-        get_curve_for_oid,
-    )
-
-except ImportError:  # pragma: no cover
-    CRYPTO_IMPORT_ERROR = "'cryptography' required"
-
-PYKCS11_IMPORT_ERROR = None
-try:
-    from PyKCS11 import PyKCS11
-
-except ImportError:  # pragma: no cover
-    PYKCS11_IMPORT_ERROR = "'PyKCS11' required"
-
-ASN1CRYPTO_IMPORT_ERROR = None
-try:
-    from asn1crypto.keys import ECDomainParameters, ECPoint
-
-except ImportError:  # pragma: no cover
-    ASN1CRYPTO_IMPORT_ERROR = "'asn1crypto' required"
-# pylint: enable=wrong-import-position
-
 logger = logging.getLogger(__name__)
 
 # NOTE dict for Key dispatch defined here, but filled at end of file when
@@ -213,94 +183,6 @@ def verify_signature(self, signature: Signature, data: bytes) -> None:
             ) from e
 
 
-class HSMKey(SSlibKey):
-    """Hardware Security Module (HSM) Key
-
-    HSMKey is a regular SSlibKey with an additional `from_hsm` method to
-    export public keys from hardware security modules.
-    """
-
-    @classmethod
-    def from_hsm(
-        cls,
-        hsm_session: "PyKCS11.Session",
-        hsm_keyid: Tuple[int, ...],
-        keyid: str,
-    ):
-        """Export public key from HSM
-
-        Supports ecdsa on SECG curves secp256r1 (NIST P-256) or secp384r1 (NIST P-384).
-
-        Arguments:
-            hsm_session: An open ``PyKCS11.Session`` to the token with the public key.
-            hsm_keyid: Key identifier on the token.
-            keyid: Key identifier that is unique within the metadata it is used in.
-
-        Raises:
-            ValueError: No compatible key for ``hsm_keyid`` found on HSM.
-            PyKCS11.PyKCS11Error: Various HSM communication errors.
-
-        """
-        if CRYPTO_IMPORT_ERROR:
-            raise exceptions.UnsupportedLibraryError(CRYPTO_IMPORT_ERROR)
-
-        if PYKCS11_IMPORT_ERROR:
-            raise exceptions.UnsupportedLibraryError(PYKCS11_IMPORT_ERROR)
-
-        # Search for ecdsa public keys with passed keyid on HSM
-        keys = hsm_session.findObjects(
-            [
-                (PyKCS11.CKA_CLASS, PyKCS11.CKO_PUBLIC_KEY),
-                (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_ECDSA),
-                (PyKCS11.CKA_ID, hsm_keyid),
-            ]
-        )
-
-        if len(keys) != 1:
-            raise ValueError(
-                f"hsm_keyid must identify one {KEY_TYPE_ECDSA} key, found {len(keys)}"
-            )
-
-        # Extract public key domain parameters and point from HSM
-        hsm_params, hsm_point = hsm_session.getAttributeValue(
-            keys[0], [PyKCS11.CKA_EC_PARAMS, PyKCS11.CKA_EC_POINT]
-        )
-
-        params = ECDomainParameters.load(bytes(hsm_params))
-
-        # TODO: Define as module level constant and don't hardcode scheme strings
-        scheme_for_curve = {
-            SECP256R1: "ecdsa-sha2-nistp256",
-            SECP384R1: "ecdsa-sha2-nistp384",
-        }
-        curve_names = [curve.name for curve in scheme_for_curve]
-
-        if params.chosen.native not in curve_names:
-            raise ValueError(
-                f"found key on {params.chosen.native}, should be on one of {curve_names}"
-            )
-
-        # Create PEM from key
-        curve = get_curve_for_oid(ObjectIdentifier(params.chosen.dotted))
-        public_pem = (
-            EllipticCurvePublicKey.from_encoded_point(
-                curve(), ECPoint().load(bytes(hsm_point)).native
-            )
-            .public_bytes(
-                serialization.Encoding.PEM,
-                serialization.PublicFormat.SubjectPublicKeyInfo,
-            )
-            .decode()
-        )
-
-        return HSMKey(
-            keyid,
-            KEY_TYPE_ECDSA,
-            scheme_for_curve[curve],
-            {"public": public_pem},
-        )
-
-
 # Supported key types and schemes, and the Keys implementing them
 KEY_FOR_TYPE_AND_SCHEME = {
     ("ecdsa", "ecdsa-sha2-nistp256"): SSlibKey,

tests/check_hsm_signer.py

@@ -8,17 +8,26 @@
 
 from asn1crypto.keys import (  # pylint: disable=import-error
     ECDomainParameters,
+    ECPoint,
     NamedCurve,
 )
-from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.ec import (
+    SECP256R1,
+    SECP384R1,
+    EllipticCurvePublicKey,
+    ObjectIdentifier,
+    get_curve_for_oid,
+)
 from PyKCS11 import PyKCS11
 
 import securesystemslib.hash
-from securesystemslib.signer import HSMKey, HSMSigner
+from securesystemslib import KEY_TYPE_ECDSA
+from securesystemslib.signer import HSMSigner, SSlibKey
 
 
 class TestHSM(unittest.TestCase):
-    """Test HSMSigner and HSMKey with SoftHSM
+    """Test HSMSigner with SoftHSM
 
     Requirements:
     - install SoftHSM2
@@ -113,6 +122,85 @@ def tearDownClass(cls):
         shutil.rmtree(cls.test_dir)
         del os.environ["SOFTHSM2_CONF"]
 
+    @staticmethod
+    def _from_hsm(
+        hsm_session,
+        hsm_keyid,
+        keyid,
+    ):
+        """Export public key from HSM
+
+        Supports ecdsa on SECG curves secp256r1 (NIST P-256) or secp384r1 (NIST P-384).
+
+        Arguments:
+            hsm_session: An open ``PyKCS11.Session`` to the token with the public key.
+            hsm_keyid: Key identifier on the token.
+            keyid: Key identifier that is unique within the metadata it is used in.
+
+        Raises:
+            ValueError: No compatible key for ``hsm_keyid`` found on HSM.
+            PyKCS11.PyKCS11Error: Various HSM communication errors.
+
+        """
+        # if CRYPTO_IMPORT_ERROR:
+        #     raise exceptions.UnsupportedLibraryError(CRYPTO_IMPORT_ERROR)
+
+        # if PYKCS11_IMPORT_ERROR:
+        #     raise exceptions.UnsupportedLibraryError(PYKCS11_IMPORT_ERROR)
+
+        # Search for ecdsa public keys with passed keyid on HSM
+        keys = hsm_session.findObjects(
+            [
+                (PyKCS11.CKA_CLASS, PyKCS11.CKO_PUBLIC_KEY),
+                (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_ECDSA),
+                (PyKCS11.CKA_ID, hsm_keyid),
+            ]
+        )
+
+        # if len(keys) != 1:
+        #     raise ValueError(
+        #         f"hsm_keyid must identify one {KEY_TYPE_ECDSA} key, found {len(keys)}"
+        #     )
+
+        # Extract public key domain parameters and point from HSM
+        hsm_params, hsm_point = hsm_session.getAttributeValue(
+            keys[0], [PyKCS11.CKA_EC_PARAMS, PyKCS11.CKA_EC_POINT]
+        )
+
+        params = ECDomainParameters.load(bytes(hsm_params))
+
+        # TODO: Define as module level constant and don't hardcode scheme strings
+        scheme_for_curve = {
+            SECP256R1: "ecdsa-sha2-nistp256",
+            SECP384R1: "ecdsa-sha2-nistp384",
+        }
+        # curve_names = [curve.name for curve in scheme_for_curve]
+
+        # if params.chosen.native not in curve_names:
+        #     raise ValueError(
+        #         f"found key on {params.chosen.native}, should be on one of {curve_names}"
+        #     )
+
+        # Create PEM from key
+        curve = get_curve_for_oid(ObjectIdentifier(params.chosen.dotted))
+        public_pem = (
+            EllipticCurvePublicKey.from_encoded_point(
+                curve(), ECPoint().load(bytes(hsm_point)).native
+            )
+            .public_bytes(
+                serialization.Encoding.PEM,
+                serialization.PublicFormat.SubjectPublicKeyInfo,
+            )
+            .decode()
+        )
+
+        return SSlibKey(
+            keyid,
+            KEY_TYPE_ECDSA,
+            scheme_for_curve[curve],
+            {"public": public_pem},
+        )
+
     def test_hsm(self):
         """Test public key export, HSM signing, and verification w/o HSM"""
 
@@ -131,7 +219,7 @@ def _pre_hash(data, scheme):
         data = b"deadbeef"
 
         for hsm_keyid in self.hsm_keyids:
-            public_key = HSMKey.from_hsm(session, hsm_keyid, keyid)
+            public_key = self._from_hsm(session, hsm_keyid, keyid)
 
             session.login(self.hsm_user_pin)  # Login for signing
             signer = HSMSigner(session, hsm_keyid, public_key)