Conform rsa key from an AWS key (repository-service-tuf#445)

Signed-off-by: Martin Vrachev <[email protected]>
Co-authored-by: Kairo Araujo <[email protected]>

repository_service_tuf/cli/admin/ceremony.py

@@ -25,6 +25,7 @@
     RSTUFKey,
     ServiceSettings,
     TUFManagement,
+    _conform_rsa_key,
     get_key,
     get_supported_schemes_for_key_type,
     load_payload,
@@ -407,6 +408,9 @@ def _configure_keys(
                     f"Enter {role_cyan}`s [green]public key hash[/]"
                 )
                 if public.strip() != "":
+                    if key_type == KeyType.KEY_TYPE_RSA.value:
+                        public = _conform_rsa_key(public)
+
                     break
 
             name = prompt.Prompt.ask(

repository_service_tuf/helpers/tuf.py

@@ -2,6 +2,7 @@
 #
 # SPDX-License-Identifier: MIT
 
+import base64
 import copy
 import json
 from dataclasses import asdict, dataclass, field
@@ -10,6 +11,7 @@
 from typing import Any, Dict, List, Literal, Optional, Tuple
 
 import click
+from cryptography.hazmat.primitives import serialization
 from rich import prompt, table
 from rich.console import Console
 from securesystemslib.exceptions import (  # type: ignore
@@ -439,6 +441,22 @@ def get_supported_schemes_for_key_type(key_type: str) -> List[str]:
     return supported_schemes
 
 
+def _conform_rsa_key(input_key: str) -> str:
+    "Conform public key in base64 format to format used by securesystemslib."
+    try:
+        kms_pubkey = serialization.load_der_public_key(
+            base64.b64decode(input_key)
+        )
+        public_key_pem = kms_pubkey.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        ).decode("utf-8")
+
+        return public_key_pem
+    except Exception:
+        return input_key
+
+
 def get_key(
     role: Optional[str] = None,
     key_type: str = "",

tests/unit/helpers/test_tuf.py

@@ -38,6 +38,17 @@ def test__eq__(self):
 
 
 class TestTUFHelperFunctions:
+    def test__conform_rsa_in_aws_format(self):
+        pub_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArrJWZ7ieuDiQTlKVcCNx1/pT+8jN1BOMM2xM511Hp1TBi09pSgqsw9pS/o8oV24Q2Q9ebjbKIwqjhTZYLnKOUk4pKMgL56MvqXJLTUvR+9IC1vPuEURUGBjZqew7A11BbdII3BJVVH/F9rKvgiDLZ9WzM5rZGzQi4L52u4Gb3uSLF0QEXBx7i58DF7zs34GpZqgseKN0Q6kb8Vp4VcoDWeW+OCbWNIJd0Bas7ojUi9IosUlJJNE5f2UxqDCNwtf6PiEcYfulU3zIpO3rAuVJ/iKzBMQ61FtsaUd3M4kjsozoAEK3WSqW+RtuYVj5Rr0HYUFB2QXOsDVzIdZ7GLicXQIDAQAB"  # noqa
+        result = tuf._conform_rsa_key(pub_key)
+        expected_result = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArrJWZ7ieuDiQTlKVcCNx\n1/pT+8jN1BOMM2xM511Hp1TBi09pSgqsw9pS/o8oV24Q2Q9ebjbKIwqjhTZYLnKO\nUk4pKMgL56MvqXJLTUvR+9IC1vPuEURUGBjZqew7A11BbdII3BJVVH/F9rKvgiDL\nZ9WzM5rZGzQi4L52u4Gb3uSLF0QEXBx7i58DF7zs34GpZqgseKN0Q6kb8Vp4VcoD\nWeW+OCbWNIJd0Bas7ojUi9IosUlJJNE5f2UxqDCNwtf6PiEcYfulU3zIpO3rAuVJ\n/iKzBMQ61FtsaUd3M4kjsozoAEK3WSqW+RtuYVj5Rr0HYUFB2QXOsDVzIdZ7GLic\nXQIDAQAB\n-----END PUBLIC KEY-----\n"  # noqa
+        assert result == expected_result
+
+    def test__conform_rsa_key_already_correct_format(self):
+        pub_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxcpCDgsz+2pIbvOHte1k\nnC78oeiKACUuo4/0QBwOg+SB6gIh36OEPo0snoxqMDRk4DwksHxCw02jUlWIc1qp\nACvTtpBNk1zD+akbBTpqmBIiZrnf3n2MbiZUdS0DxpHFUhrAsalf60Wzeb9K5cIK\nQJwGCM/TdoZWFGnll6hkpgbK2bl+68oBmvSyL6Gpu66EbmnVGbdKk6CzQzVLq2AD\nkVHaCLvMO4xIT+BzeqNY5FLV6/aa2pxkNPl/lupbkg/lopIdNRCRUSNvKMGEu47L\nVc1iCP1MuV62jhbhqXuzlAEfT6KPFH/drrOfJhWIIdkvdnsNDJuN7eJ637gwiqNe\nDwIDAQAB\n-----END PUBLIC KEY-----\n"  # noqa
+        result = tuf._conform_rsa_key(pub_key)
+        assert result == pub_key
+
     def test_load_key(self, monkeypatch):
         monkeypatch.setattr(
             tuf,