Add gpg support and custom (sub)process module

.coveragerc

@@ -2,6 +2,7 @@
 branch = True
 
 omit =
+  */python?.?/*
   */securesystemslib/_vendor/*
   */tests/*
   */site-packages/*

.travis.yml

@@ -6,8 +6,6 @@ matrix:
   include:
     - python: "2.7"
       env: TOXENV=py27
-    - python: "3.4"
-      env: TOXENV=py34
     - python: "3.5"
       env: TOXENV=py35
     - python: "3.6"

README.rst

@@ -36,6 +36,13 @@ Library.  For key storage, RSA keys may be stored in PEM or JSON format, and
 Ed25519 keys in JSON format.  Generating, importing, and loading cryptographic
 key files can be done with functions available in securesystemslib.
 
+securesystemslib also provides an interface to the `GNU Privacy Guard (GPG)
+<https://gnupg.org/>`_ command line tool, with functions to create RSA and DSA
+signatures using private keys in a local gpg keychain; to export the
+corresponding public keys in a *pythonic* format; and to verify the created
+signatures using the exported keys. The latter does not require the gpg command
+line tool to be installed, instead the `cryptography` library is used.
+
 Installation
 ++++++++++++
 
@@ -166,7 +173,7 @@ cryptographic operations.
 
     >>> from securesystemslib.keys import *
 
-    >>> data = 'The quick brown fox jumps over the lazy dog'
+    >>> data = b'The quick brown fox jumps over the lazy dog'
     >>> ed25519_key = generate_ed25519_key()
     >>> signature = create_signature(ed25519_key, data)
     >>> rsa_key = generate_rsa_key(2048)
@@ -182,7 +189,7 @@ Verify ECDSA, Ed25519, and RSA Signatures
 
     # Continuing from the previous sections . . .
 
-    >>> data = 'The quick brown fox jumps over the lazy dog'
+    >>> data = b'The quick brown fox jumps over the lazy dog'
     >>> ed25519_key = generate_ed25519_key()
     >>> signature = create_signature(ed25519_key, data)
     >>> verify_signature(ed25519_key, signature, data)
@@ -327,3 +334,32 @@ Miscellaneous functions
     >>> public_pem = ecdsa_key['keyval']['public']
     >>> ecdsa_key2 = import_ecdsakey_from_pem(public_pem)
 
+
+
+
+GnuPG interface
+~~~~~~~~~~~~~~~
+
+Signature creation and public key export requires installation of the `gpg` or
+`gpg2` command line tool, which may be downloaded from
+`https://gnupg.org/download <https://gnupg.org/>`_. It is
+is also needed to generate the supported RSA or DSA signing keys (see `gpg` man
+pages for detailed instructions). Sample keys are available in a test keyring
+at `tests/gpg_keyrings/rsa`, which may be passed to the signing and export
+functions using the `homedir` argument (if not passed the default keyring is
+used).
+
+::
+
+    >>> import securesystemslib.gpg.functions as gpg
+
+    >>> data = b"The quick brown fox jumps over the lazy dog"
+
+    >>> signing_key_id = "8465A1E2E0FB2B40ADB2478E18FB3F537E0C8A17"
+    >>> keyring = "tests/gpg_keyrings/rsa"
+
+    >>> signature = gpg.create_signature(data, signing_key_id, homedir=keyring)
+    >>> public_key = gpg.export_pubkey(non_default_signing_key, homedir=keyring)
+
+    >>> gpg.verify_signature(signature, public_key, data)
+    True

ci-requirements.txt

@@ -2,6 +2,8 @@ cryptography
 pynacl
 six
 colorama
+python-dateutil
+subprocess32; python_version < '3'
 mock; python_version < '3.3'
 # Pin to versions supported by `coveralls` (see .travis.yml)
 # https://github.com/coveralls-clients/coveralls-python/releases/tag/1.8.1

dev-requirements.txt

@@ -6,5 +6,7 @@ coveralls==1.3.0
 coverage==4.5.1
 colorama==0.3.9
 mock==2.0.0; python_version < '3.3'
+subprocess32==3.5.4; python_version < '3'
+python-dateutil==2.8.0
 
 --editable .

requirements.txt

@@ -2,3 +2,5 @@ cryptography
 pynacl
 six
 colorama
+python-dateutil==2.8.0
+subprocess32; python_version < '3'

securesystemslib/formats.py

@@ -531,6 +531,101 @@
                                TIMESTAMP_SCHEMA, MIRROR_SCHEMA])
 
 
+ANY_STRING_SCHEMA = SCHEMA.AnyString()
+LIST_OF_ANY_STRING_SCHEMA = SCHEMA.ListOf(ANY_STRING_SCHEMA)
+
+def _create_gpg_pubkey_with_subkey_schema(pubkey_schema):
+  """Helper method to extend the passed public key schema with an optional
+  dictionary of sub public keys "subkeys" with the same schema."""
+  schema = pubkey_schema
+  subkey_schema_tuple =  ("subkeys", SCHEMA.Optional(
+        SCHEMA.DictOf(
+          key_schema=KEYID_SCHEMA,
+          value_schema=pubkey_schema
+          )
+        )
+      )
+  # Any subclass of `securesystemslib.schema.Object` stores the schemas that
+  # define the attributes of the object in its `_required` property, even if
+  # such a schema is of type `Optional`.
+  # TODO: Find a way that does not require to access a protected member
+  schema._required.append(subkey_schema_tuple) # pylint: disable=protected-access
+  return schema
+
+GPG_HASH_ALGORITHM_STRING = "pgp+SHA2"
+GPG_RSA_PUBKEY_METHOD_STRING = "pgp+rsa-pkcsv1.5"
+GPG_DSA_PUBKEY_METHOD_STRING = "pgp+dsa-fips-180-2"
+
+GPG_RSA_PUBKEYVAL_SCHEMA = SCHEMA.Object(
+  object_name = "GPG_RSA_PUBKEYVAL_SCHEMA",
+  e = SCHEMA.AnyString(),
+  n = HEX_SCHEMA
+)
+
+
+# We have to define GPG_RSA_PUBKEY_SCHEMA in two steps, because it is
+# self-referential. Here we define a shallow _GPG_RSA_PUBKEY_SCHEMA, which we
+# use below to create the self-referential GPG_RSA_PUBKEY_SCHEMA.
+_GPG_RSA_PUBKEY_SCHEMA = SCHEMA.Object(
+  object_name = "GPG_RSA_PUBKEY_SCHEMA",
+  type = SCHEMA.String("rsa"),
+  method = SCHEMA.String(GPG_RSA_PUBKEY_METHOD_STRING),
+  hashes = SCHEMA.ListOf(SCHEMA.String(GPG_HASH_ALGORITHM_STRING)),
+  creation_time = SCHEMA.Optional(UNIX_TIMESTAMP_SCHEMA),
+  validity_period = SCHEMA.Optional(SCHEMA.Integer(lo=0)),
+  keyid = KEYID_SCHEMA,
+  keyval = SCHEMA.Object(
+      public = GPG_RSA_PUBKEYVAL_SCHEMA,
+      private = SCHEMA.String("")
+    )
+)
+GPG_RSA_PUBKEY_SCHEMA = _create_gpg_pubkey_with_subkey_schema(
+    _GPG_RSA_PUBKEY_SCHEMA)
+
+
+GPG_DSA_PUBKEYVAL_SCHEMA = SCHEMA.Object(
+  object_name = "GPG_DSA_PUBKEYVAL_SCHEMA",
+  y = HEX_SCHEMA,
+  p = HEX_SCHEMA,
+  q = HEX_SCHEMA,
+  g = HEX_SCHEMA
+)
+
+
+# We have to define GPG_DSA_PUBKEY_SCHEMA in two steps, because it is
+# self-referential. Here we define a shallow _GPG_DSA_PUBKEY_SCHEMA, which we
+# use below to create the self-referential GPG_DSA_PUBKEY_SCHEMA.
+_GPG_DSA_PUBKEY_SCHEMA = SCHEMA.Object(
+  object_name = "GPG_DSA_PUBKEY_SCHEMA",
+  type = SCHEMA.String("dsa"),
+  method = SCHEMA.String(GPG_DSA_PUBKEY_METHOD_STRING),
+  hashes = SCHEMA.ListOf(SCHEMA.String(GPG_HASH_ALGORITHM_STRING)),
+  creation_time = SCHEMA.Optional(UNIX_TIMESTAMP_SCHEMA),
+  validity_period = SCHEMA.Optional(SCHEMA.Integer(lo=0)),
+  keyid = KEYID_SCHEMA,
+  keyval = SCHEMA.Object(
+      public = GPG_DSA_PUBKEYVAL_SCHEMA,
+      private = SCHEMA.String("")
+    )
+)
+GPG_DSA_PUBKEY_SCHEMA = _create_gpg_pubkey_with_subkey_schema(
+    _GPG_DSA_PUBKEY_SCHEMA)
+
+
+GPG_PUBKEY_SCHEMA = SCHEMA.OneOf([GPG_RSA_PUBKEY_SCHEMA,
+    GPG_DSA_PUBKEY_SCHEMA])
+
+
+GPG_SIGNATURE_SCHEMA = SCHEMA.Object(
+    object_name = "SIGNATURE_SCHEMA",
+    keyid = KEYID_SCHEMA,
+    short_keyid = SCHEMA.Optional(KEYID_SCHEMA),
+    other_headers = HEX_SCHEMA,
+    signature = HEX_SCHEMA,
+    info = SCHEMA.Optional(SCHEMA.Any()),
+  )
+
+
 
 def datetime_to_unix_timestamp(datetime_object):
   """

securesystemslib/gpg/__init__.py

@@ -0,0 +1,23 @@
+"""
+<Module Name>
+  gpg
+
+<Author>
+  Santiago Torres-Arias <[email protected]>
+
+<Started>
+  Nov 15, 2017
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  This module was written due to the lack of other python (such as pygpg)
+  modules that can provide an abstraction to the RFC4480 encoded messages from
+  GPG. The closest candidate we could find was the python bindings for gpgme,
+  we oped to use a Popen-based python-only construction given that gpgme is
+  often shipped separately and other popular tools using gpg (e.g., git) don't
+  use these bindings either. This is because users willing to use gpg signing
+  are almost guaranteed to have gpg installed, yet the same assumption can't be
+  made for the gpgme python bindings.
+"""