GPG public key schemas are incompatible with both TUF and in-toto specifications #450
Description
Example:
{
"hashes": [
"pgp+SHA2"
],
"keyid": "7b3abb26b97b655ab9296bd15b0bd02e1c768c43",
"keyval": {
"private": "",
"public": {
"e": "010001",
"n": "e9ad391502ae32bd4fcc41a0f9970f8901ed6ad1c5c128c02add22721cdc22318b64bec9f9467b6949b19fc2e98ce41906125ad45d0b138f1ad6c5da7bde38092d9e3e697ce8b8373b150b57342dd921d634b873f258f5c15559b52921fa4bb7f482ec43a1c85c3385bd520cedbdc16b2524a64aecf32ac5690e6dd4ee0210a975e1b6c5af164ea69ca64533422432070511068730594793885567bb8f7cffacf6eb5ffdc640e898e599579b21b15e497f5c052112c5fdf7974e7056cd1564fe84f207cb946d1efc521e5031299e6275936e6f9464a735bd4edc8e0cde3fe5b1bf6d3bc1ed12993b865d8fcb9d9a2b2ef2df30cb7f0ab4c0dea819ea017ff195"
}
},
"method": "pgp+rsa-pkcsv1.5",
"type": "rsa"
}
and the schemas it uses:
GPG_RSA_PUBKEYVAL_SCHEMA = SCHEMA.Object(
object_name="GPG_RSA_PUBKEYVAL_SCHEMA", e=SCHEMA.AnyString(), n=HEX_SCHEMA
)
_GPG_RSA_PUBKEY_SCHEMA = SCHEMA.Object(
object_name="GPG_RSA_PUBKEY_SCHEMA",
type=SCHEMA.String("rsa"),
method=SCHEMA.String(GPG_RSA_PUBKEY_METHOD_STRING),
hashes=SCHEMA.ListOf(SCHEMA.String(GPG_HASH_ALGORITHM_STRING)),
creation_time=SCHEMA.Optional(UNIX_TIMESTAMP_SCHEMA),
validity_period=SCHEMA.Optional(SCHEMA.Integer(lo=0)),
keyid=KEYID_SCHEMA,
keyval=SCHEMA.Object(
public=GPG_RSA_PUBKEYVAL_SCHEMA, private=SCHEMA.String("")
),
)
This contradicts with the "rsa" type defined in both TUF and in-toto specifications (which define keyval.public as a PEM string). These keys work in in-toto because there's code in in-toto that uses a schema check to figure out which verify function to call, but the metadata is still not spec compliant, and would be impossible for another implementation to use without reverse engineering the reference implementation.