Metadata verification API tweaks

[jku]

I'd like the API to handle all signature/hash verifications that it can (so that there's a single place that's considered "reference implementation").

I'd also like these to be consistent and easy to use correctly (and hard to use incorrectly). I'm filing this as an umbrella issue since this is harder to do bit-by-bit...

Issues:

• signature verification with threshold does not exist Implement verification by a threshold of keys  #1306
• target hash verification is not implemented API : Add hash verification for timestamp/snapshot/targets #1361
• metadata hash verification is not implemented API : Add hash verification for timestamp/snapshot/targets #1361
• it's not obvious how to use verify() (it returns a bool but multiple people have used the API incorrectly already, assuming it raises an exception)
  This doesn't mean it needs to raise: the issue could be fixed by renaming to is_verified() or even is_signed()
• the amount of different exceptions from verify is obnoxious Exceptions in metadata API, especially verify() #1351

[jku]

I'll write down some ideas here.

• using the words "sign*" and "hash" is useful: verify alone is really vague
• sig verification and and the sig verification with threshold creates an annoying imbalance (in first case we ask metadata if it itself is signed, in second case we plan to ask metadata if some other metadata is signed with threshold of keys). Good naming helps but alternatively we could move sig verification to Key object
• I don't have strong feelings on returning bool vs raising exceptions

Potential API with bool return values (exceptions only for e.g. unsupported encryption algorithm):

# Ask 'Metadata' if it is signed by 'key'
Metadata.is_signed(
    key: Key, signed_serializer: Optional[SignedSerializer] = None
) -> bool

# Ask 'Metadata' if its delegated metadata 'delegate' is signed by 
# correct threshold of keys
Metadata.is_delegate_signed_with_threshold(
    role: str, delegate: Metadata
) -> bool

# Ask MetadataInfo/TargetInfo if given data matches the known hashes
MetadataInfo.hashes_match(data: Union[bytes, BinaryIO]) -> bool
TargetInfo.hashes_match(data: Union[bytes, BinaryIO]) -> bool

Alternatively with exceptions, no return values

# Ask 'metadata' to verify it is signed by 'key'
metadata.verify_signature(
    key: Key, signed_serializer: Optional[SignedSerializer] = None
)

# Ask 'metadata' to verify that its delegated metadata 'delegate' is signed
# by correct threshold of keys
# The name is really long -- maybe verify_delegate_signatures() would be enough
metadata.verify_delegate_threshold_of_signatures(
    role: str, delegate: Metadata
)

# Ask MetadataInfo/TargetInfo to verify that given data matches the known
# hashes
metadatainfo.verify_hashes(data: Union[bytes, BinaryIO])
targetinfo.verify_hashes(data: Union[bytes, BinaryIO])

[joshuagl]

The proposed API looks nice. Hard to reason about a Key object when that is not defined yet, but I think I prefer verification on the Metadata objects.

I'm in favour of raising exceptions if verification fails. It also seems to be what pyca/cryptography does, raising InvalidSignature if a signature is not valid.

[sechkova]

Already implied by @jku's example but in addition current Metadata.verify() should be changed to take a Key as an argument and not a dictionary/mapping.

Looking at the current function implementation, 'key' which is a securesystemslib-style public key object, contains its keyid, while the Key class does not have such member. The class was designed to match the file format as described in the spec, but maybe Key should not be separated from its keyid?

[jku]

The class was designed to match the file format as described in the spec, but maybe Key should not be separated by its keyid?

Great question, and I think you may be right: Key should contain keyid (but should just not serialize it).

[sechkova]

* sig verification and and the sig verification with threshold creates an annoying imbalance (in first case we ask metadata if it itself is signed, in second case we plan to ask metadata if _some other_ metadata is signed with threshold of keys). Good naming helps but alternatively we could move sig verification to Key object

Do we even need metadata to both verify itself and be able to verify other metadata? I think we should stick to one of the options.
If the common agreement is towards metadata.verify_delegate_threshold_of_signatures() then probably we can get by without metadata.verify as a public method and add a helper/wrapper of sslib.verify_signature() if needed.

Feels like this question links to #1306

[jku]

Do we even need metadata to both verify itself and be able to verify other metadata?

This is good question: maybe it's worth it to reconsider moving verify_signature() into Key class:

• Key verifies that it signs metadata (but this is typically not used by code outside the API)
• Delegating Metadata verifies that delegate metadata is signed by correct threshold of keys (this is used by API users)

[jku]

#1417 is about implementing verify_signature() in Key

[MVrachev]

Do we have any to-do items left here? When can we close that issue?
All of the issues linked in the pr description or in this discussion here seem to be resolved.

[jku]

Looks all done to me!