Key should expose pre hash algorithm

secure-systems-lab / securesystemslib

Cryptographic and general-purpose routines for Secure Systems Lab projects at NYU

MIT License

48 stars 49 forks source link

Closed jku closed 1 year ago

jku commented 1 year ago

This is after #456

There could be a optional Key.get_pre_hash_algorithm():

would return the pre-signing content hash algorithm that should be used
this would be useful for for signers that need to prehash (KMS and HSM I believe)
this does not apply to all keys (e.g. "ed25519" is likely the non-prehashing variant)

jku commented 1 year ago

I suppose this could be an actual digest() API as well... so you could do something like

hasher = key.hasher() # this is like securesystemslib.hash.digest() except no argument needed 
hasher.update(data)
digest = hasher.digest()

but maybe securesystemslib shouldn't be trying to do all these things?

lukpueh commented 1 year ago

FYI: The HSMSigner API does not need pre-hashing. I only pre-hash in tests as workaround for SoftHSM's limited capabilities:

jku commented 1 year ago

oh interesting. If this is only needed by KMS, then we can hold off implementing anything public/generic

jku commented 1 year ago

I'll close this based on above comments