Update doc for ecdsa-sha2-nistp384 schema

Update the documentation regarding the supported older versions of the ecdsa schemas. The function documentation of securesystemslib.keys.create_signature() doesn't mention the support for the older 'ecdsa-sha2-nistp256' schema. Another problem is the comments in the code suggest we are supporting the creation of 'ecdsa-sha2-nistp384' signatures which is not true. If you read the securesystemslib.ecdsa_keys.create_signature() function you will find we only support 'ecdsa-sha2-nistp256'. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
secure-systems-lab · Feb 16, 2021 · 645ee74 · 645ee74
1 parent d608a3f
commit 645ee74
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/securesystemslib/keys.py b/securesystemslib/keys.py
@@ -611,14 +611,18 @@ def create_signature(key_dict, data):
 
     The following signature schemes are supported:
 
-    'RSASSA-PSS'
+    'rsassa-pss-(md5|sha1|sha224|sha256|sha384|sha512)'
+    'rsa-pkcs1v15-(md5|sha1|sha224|sha256|sha384|sha512)'
     RFC3447 - RSASSA-PSS
     http://www.ietf.org/rfc/rfc3447.
 
     'ed25519'
     ed25519 - high-speed high security signatures
     http://ed25519.cr.yp.to/
 
+    'ecdsa-sha2-nistp256'
+    https://tools.ietf.org/html/rfc5656
+
     Which signature to generate is determined by the key type of 'key_dict'
     and the available cryptography library specified in 'settings'.
 
@@ -684,7 +688,7 @@ def create_signature(key_dict, data):
 
   # Signing the 'data' object requires a private key. Signing schemes that are
   # currently supported are: 'ed25519', 'ecdsa-sha2-nistp256',
-  # 'ecdsa-sha2-nistp384' and rsa schemes defined in
+  # and rsa schemes defined in
   # `securesystemslib.keys.RSA_SIGNATURE_SCHEMES`.
   # RSASSA-PSS and RSA-PKCS1v15 keys and signatures can be generated and
   # verified by rsa_keys.py, and Ed25519 keys by PyNaCl and PyCA's
@@ -713,9 +717,9 @@ def create_signature(key_dict, data):
     sig, scheme = securesystemslib.ed25519_keys.create_signature(
         public, private, data, scheme)
 
-  # Continue to support keytypes of ecdsa-sha2-nistp256 and ecdsa-sha2-nistp384
+  # Continue to support keytypes of ecdsa-sha2-nistp256
   # for backwards compatibility with older securesystemslib releases
-  elif keytype in ['ecdsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384']:
+  elif keytype in ['ecdsa', 'ecdsa-sha2-nistp256',]:
     sig, scheme = securesystemslib.ecdsa_keys.create_signature(
         public, private, data, scheme)