Require SSlibKey in relevant signers

lukpueh · lukpueh · commit 3c6a34da1cc5 · 2025-03-26T14:41:31.000+01:00
Strictly require SSlibKey at runtime in from_priv_key_uri, to
allow narrowing the key type in the signer constructor.

Narrow key type to allow using key type-specific methods.

Signed-off-by: Lukas Puehringer &lt;lukas.puehringer@nyu.edu&gt;
diff --git a/securesystemslib/signer/_aws_signer.py b/securesystemslib/signer/_aws_signer.py
@@ -74,7 +74,7 @@ class AWSSigner(Signer):
         "rsa-pkcs1v15-sha512": "RSASSA_PKCS1_V1_5_SHA_512",
     }
 
-    def __init__(self, aws_key_id: str, public_key: Key):
+    def __init__(self, aws_key_id: str, public_key: SSlibKey):
         if AWS_IMPORT_ERROR:
             raise UnsupportedLibraryError(AWS_IMPORT_ERROR)
 
@@ -84,7 +84,7 @@ def __init__(self, aws_key_id: str, public_key: Key):
         self.aws_algo = self.aws_algos[self.public_key.scheme]
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @classmethod
@@ -94,6 +94,9 @@ def from_priv_key_uri(
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> AWSSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -121,7 +124,7 @@ def _get_keytype_for_scheme(scheme: str) -> str:
     @classmethod
     def import_(
         cls, aws_key_id: str, local_scheme: str | None = None
-    ) -> tuple[str, Key]:
+    ) -> tuple[str, SSlibKey]:
         """Loads a key and signer details from AWS KMS.
 
         Returns the private key uri and the public key. This method should only
@@ -133,7 +136,7 @@ def import_(
             Defaults to 'rsassa-pss-sha256' if not provided and RSA.
 
         Returns:
-            Tuple[str, Key]: A tuple where the first element is a string
+            Tuple[str, SSlibKey]: A tuple where the first element is a string
             representing the private key URI, and the second element is an
             instance of the public key.
 
diff --git a/securesystemslib/signer/_azure_signer.py b/securesystemslib/signer/_azure_signer.py
@@ -66,7 +66,7 @@ class AzureSigner(Signer):
 
     SCHEME = "azurekms"
 
-    def __init__(self, az_key_uri: str, public_key: Key):
+    def __init__(self, az_key_uri: str, public_key: SSlibKey):
         if AZURE_IMPORT_ERROR:
             raise UnsupportedLibraryError(AZURE_IMPORT_ERROR)
 
@@ -86,7 +86,7 @@ def __init__(self, az_key_uri: str, public_key: Key):
         self._public_key = public_key
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @staticmethod
@@ -129,7 +129,7 @@ def _create_crypto_client(
             raise e
 
     @staticmethod
-    def _get_signature_algorithm(public_key: Key) -> SignatureAlgorithm:
+    def _get_signature_algorithm(public_key: SSlibKey) -> SignatureAlgorithm:
         """Return SignatureAlgorithm after parsing the public key"""
         if public_key.keytype != "ecdsa":
             logger.info("only EC keys are supported for now")
@@ -183,6 +183,9 @@ def from_priv_key_uri(
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> AzureSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -192,7 +195,7 @@ def from_priv_key_uri(
         return cls(az_key_uri, public_key)
 
     @classmethod
-    def import_(cls, az_vault_name: str, az_key_name: str) -> tuple[str, Key]:
+    def import_(cls, az_vault_name: str, az_key_name: str) -> tuple[str, SSlibKey]:
         """Load key and signer details from KMS
 
         Returns the private key uri and the public key. This method should only
diff --git a/securesystemslib/signer/_crypto_signer.py b/securesystemslib/signer/_crypto_signer.py
@@ -187,7 +187,7 @@ def __init__(
         self._public_key = public_key
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @property
diff --git a/securesystemslib/signer/_gcp_signer.py b/securesystemslib/signer/_gcp_signer.py
@@ -56,7 +56,7 @@ class GCPSigner(Signer):
 
     SCHEME = "gcpkms"
 
-    def __init__(self, gcp_keyid: str, public_key: Key):
+    def __init__(self, gcp_keyid: str, public_key: SSlibKey):
         if GCP_IMPORT_ERROR:
             raise exceptions.UnsupportedLibraryError(GCP_IMPORT_ERROR)
 
@@ -66,7 +66,7 @@ def __init__(self, gcp_keyid: str, public_key: Key):
         self.client = kms.KeyManagementServiceClient()
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @classmethod
@@ -76,6 +76,9 @@ def from_priv_key_uri(
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> GCPSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -84,7 +87,7 @@ def from_priv_key_uri(
         return cls(uri.path, public_key)
 
     @classmethod
-    def import_(cls, gcp_keyid: str) -> tuple[str, Key]:
+    def import_(cls, gcp_keyid: str) -> tuple[str, SSlibKey]:
         """Load key and signer details from KMS
 
         Returns the private key uri and the public key. This method should only
diff --git a/securesystemslib/signer/_hsm_signer.py b/securesystemslib/signer/_hsm_signer.py
@@ -128,7 +128,7 @@ def __init__(
         self,
         hsm_keyid: int,
         token_filter: dict[str, str],
-        public_key: Key,
+        public_key: SSlibKey,
         pin_handler: SecretsHandler,
     ):
         if CRYPTO_IMPORT_ERROR:
@@ -149,7 +149,7 @@ def __init__(
         self.pin_handler = pin_handler
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @staticmethod
diff --git a/securesystemslib/signer/_vault_signer.py b/securesystemslib/signer/_vault_signer.py
@@ -40,7 +40,7 @@ class VaultSigner(Signer):
 
     SCHEME = "hv"
 
-    def __init__(self, hv_key_name: str, public_key: Key, hv_key_version: int):
+    def __init__(self, hv_key_name: str, public_key: SSlibKey, hv_key_version: int):
         if VAULT_IMPORT_ERROR:
             raise UnsupportedLibraryError(VAULT_IMPORT_ERROR)
 
@@ -76,7 +76,7 @@ def sign(self, payload: bytes) -> Signature:
         return Signature(self.public_key.keyid, sig)
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @classmethod
@@ -86,6 +86,9 @@ def from_priv_key_uri(
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> VaultSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -96,7 +99,7 @@ def from_priv_key_uri(
         return cls(name, public_key, int(version))
 
     @classmethod
-    def import_(cls, hv_key_name: str) -> tuple[str, Key]:
+    def import_(cls, hv_key_name: str) -> tuple[str, SSlibKey]:
         """Load key and signer details from HashiCorp Vault.
 
         If multiple keys exist in the vault under the passed name, only the
