Metadata API: Don't peek into Key internals

Jussi Kukkonen · Jussi Kukkonen · commit 48b58d9be984 · 2021-07-05T15:13:00.000+03:00
There was an attempt at ensuring key content uniqueness in
verify_delegate() by making sure the values corresponding to "public"
keys in Key.keyval dictionaries are unique. This had two issues:
 * it wasn't a security measure: it's not difficult to produce two
   different "public" values of the same key content
 * Spec does not actually guarantee the existence of "public" key in
   the keyval dictionary (the three keys included in the spec just all
   happen to have it)

Luckily the spec does require KEYIDs to be unique so we do not need to
do all this: Just count keyids of keys with verified signatures. Keep
building a Set of keyids as a belt-and-suspenders strategy: Role keyids
are currently guaranteed to be unique but we'd notice here if they
weren't.

Add a logger call for failed verifys: this might useful to figure out
which keys exactly are the issue when a delegate can not be verified.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@vmware.com&gt;
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -17,6 +17,7 @@
 """
 import abc
 import io
+import logging
 import tempfile
 from collections import OrderedDict
 from datetime import datetime, timedelta
@@ -49,6 +50,8 @@
 
 # pylint: disable=too-many-lines
 
+logger = logging.getLogger(__name__)
+
 # We aim to support SPECIFICATION_VERSION and require the input metadata
 # files to have the same major version (the first number) as ours.
 SPECIFICATION_VERSION = ["1", "0", "19"]
@@ -309,10 +312,9 @@ def verify_delegate(
             key = keys[keyid]
             try:
                 key.verify_signature(delegate, signed_serializer)
-                # keyids are unique. Try to make sure the public keys are too
-                signing_keys.add(key.keyval["public"])
+                signing_keys.add(key.keyid)
             except exceptions.UnsignedMetadataError:
-                pass
+                logger.info("Key %s failed to verify %s", keyid, role_name)
 
         if len(signing_keys) < role.threshold:
             raise exceptions.UnsignedMetadataError(
