Metadata API: Clean up verify_signature() exceptions

Aim to only raise UnsignedMetadataError from verify_signature(). Some
of the situations could be things like UnsupportedAlgorithmError --
where the underlying reason may be a missing dependency -- but it seems
impossible for a client to know whether it's that or whether it is
broken or malicious server side.

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: Jussi Kukkonen

tests/test_api.py

@@ -205,6 +205,20 @@ def test_sign_verify(self):
         with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
             targets_key.verify_signature(metadata_obj)
 
+        # Test failure on broken public key data (securesystemslib CryptoError)
+        public = timestamp_key.keyval["public"]
+        timestamp_key.keyval["public"] = "ffff"
+        with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
+            timestamp_key.verify_signature(metadata_obj)
+        timestamp_key.keyval["public"] = public
+
+        # Test failure on wrong signature (securesystemslib FormatError)
+        sig = next(sig for sig in metadata_obj.signatures if sig.keyid == timestamp_keyid)
+        correct_sig = sig.signature
+        sig.signature = "foo"
+        with self.assertRaises(tuf.exceptions.UnsignedMetadataError):
+            timestamp_key.verify_signature(metadata_obj)
+        sig.signature = correct_sig
 
     def test_metadata_base(self):
         # Use of Snapshot is arbitrary, we're just testing the base class features

tuf/api/metadata.py

@@ -19,6 +19,7 @@
 from datetime import datetime, timedelta
 from typing import Any, Dict, List, Mapping, Optional
 
+from securesystemslib import exceptions as sslib_exceptions
 from securesystemslib import keys as sslib_keys
 from securesystemslib.signer import Signature, Signer
 from securesystemslib.storage import FilesystemBackend, StorageBackendInterface
@@ -435,8 +436,6 @@ def verify_signature(
         Raises:
             UnsignedMetadataError: The signature could not be verified for a
                 variety of possible reasons: see error message.
-            TODO: Various other errors currently bleed through from lower
-                level components: Issue #1351
         """
         try:
             sigs = metadata.signatures
@@ -453,16 +452,23 @@ def verify_signature(
 
             signed_serializer = CanonicalJSONSerializer()
 
-        if not sslib_keys.verify_signature(
-            self.to_securesystemslib_key(),
-            signature.to_dict(),
-            signed_serializer.serialize(metadata.signed),
-        ):
+        try:
+            if not sslib_keys.verify_signature(
+                self.to_securesystemslib_key(),
+                signature.to_dict(),
+                signed_serializer.serialize(metadata.signed),
+            ):
+                raise exceptions.UnsignedMetadataError(
+                    f"Failed to verify {self.id} signature", metadata.signed,
+                )
+        except (
+            sslib_exceptions.CryptoError,
+            sslib_exceptions.FormatError,
+            sslib_exceptions.UnsupportedAlgorithmError,
+        ) as e:
             raise exceptions.UnsignedMetadataError(
-                f"Failed to verify {self.id} signature for metadata",
-                metadata.signed,
-            )
-
+                f"Failed to verify {self.id} signature", metadata.signed,
+            ) from e
 
 class Role:
     """A container class containing the set of keyids and threshold associated