ngclient: add EnvelopeUnwrapper implementation

Lukas Puehringer · Lukas Puehringer · commit d859bac7f8ac · 2024-02-21T16:35:20.000+01:00
Add Unwrapper implementation for DSSE Envelope. The order of
deserialization and signature verification differs from traditional
Metadata.

Signed-off-by: Lukas Puehringer &lt;lukas.puehringer@nyu.edu&gt;
diff --git a/tuf/ngclient/_internal/wrapping.py b/tuf/ngclient/_internal/wrapping.py
@@ -11,6 +11,7 @@
 
 from tuf.api import exceptions
 from tuf.api._payload import Root, T, Targets
+from tuf.api.dsse import Envelope
 from tuf.api.metadata import Metadata
 
 Delegator = Union[Root, Targets]
@@ -83,3 +84,49 @@ def unwrap(
             delegator.verify_delegate(role_name, md.signed_bytes, md.signatures)
 
         return md.signed, md.signed_bytes, md.signatures
+
+
+class EnvelopeUnwrapper(Unwrapper):
+    """Unwrapper implementation for Envelope payloads.
+
+    Order of unwrapping:
+    1. Deserializer wrapper only
+    2. Validate outer payload type
+    3. Verify signatures
+    4. Validate inner payload type
+    5. Deserialize payload
+
+    """
+
+    @staticmethod
+    def _validate_envelope_payload_type(envelope: Envelope) -> None:
+        # pylint: disable=protected-access
+        if envelope.payload_type != Envelope._DEFAULT_PAYLOAD_TYPE:
+            raise exceptions.RepositoryError(
+                f"Expected '{Envelope._DEFAULT_PAYLOAD_TYPE}', "
+                f"got '{envelope.payload_type}'"
+            )
+
+    def unwrap(
+        self,
+        role_cls: Type[T],
+        wrapper: bytes,
+        delegator: Optional[Delegator] = None,
+        role_name: Optional[str] = None,
+    ) -> Tuple[T, bytes, Dict[str, Signature]]:  # noqa: D102
+        envelope = Envelope[T].from_bytes(wrapper)
+
+        # TODO: Envelope stores signatures as list, but `verify_delegate`
+        # expects a dict. Should we change the envelope model?
+        signatures = {sig.keyid: sig for sig in envelope.signatures}
+
+        self._validate_envelope_payload_type(envelope)
+        if delegator:
+            if role_name is None:
+                role_name = role_cls.type
+            delegator.verify_delegate(role_name, envelope.pae(), signatures)
+
+        signed = envelope.get_signed()
+        self._validate_signed_type(signed, role_cls)
+
+        return signed, envelope.pae(), signatures
