How to use the securesystemslib.schema function in securesystemslib

def test_build_dict_conforming_to_schema(self):
    # Test construction of a few metadata formats using
    # build_dict_conforming_to_schema().

    # Try the wrong type of schema object.
    STRING_SCHEMA = securesystemslib.schema.AnyString()

    with self.assertRaises(ValueError):
      tuf.formats.build_dict_conforming_to_schema(
          STRING_SCHEMA, string='some string')

    # Try building Timestamp metadata.
    spec_version = tuf.SPECIFICATION_VERSION
    version = 8
    length = 88
    hashes = {'sha256': '3c7fe3eeded4a34'}
    expires = '1985-10-21T13:20:00Z'
    filedict = {'snapshot.json': {'length': length, 'hashes': hashes}}


    # Try with and without _type and spec_version, both of which are
    # automatically populated if they are not included.

RSA_PUBKEYVAL_SCHEMA = ssl_schema.Object(
  object_name = "RSA_PUBKEYVAL_SCHEMA",
  e = ssl_schema.AnyString(),
  n = ssl_formats.HEX_SCHEMA
)


# We have to define RSA_PUBKEY_SCHEMA in two steps, because it is
# self-referential. Here we define a shallow _RSA_PUBKEY_SCHEMA, which we use
# below to create the self-referential RSA_PUBKEY_SCHEMA.
_RSA_PUBKEY_SCHEMA = ssl_schema.Object(
  object_name = "RSA_PUBKEY_SCHEMA",
  type = ssl_schema.String("rsa"),
  method = ssl_schema.String(PGP_RSA_PUBKEY_METHOD_STRING),
  hashes = ssl_schema.ListOf(ssl_schema.String(GPG_HASH_ALGORITHM_STRING)),
  creation_time = ssl_schema.Optional(ssl_formats.UNIX_TIMESTAMP_SCHEMA),
  validity_period = ssl_schema.Optional(ssl_schema.Integer(lo=0)),
  keyid = ssl_formats.KEYID_SCHEMA,
  keyval = ssl_schema.Object(
      public = RSA_PUBKEYVAL_SCHEMA,
      private = ssl_schema.String("")
    )
)
RSA_PUBKEY_SCHEMA = _create_pubkey_with_subkey_schema(
    _RSA_PUBKEY_SCHEMA)


DSA_PUBKEYVAL_SCHEMA = ssl_schema.Object(
  object_name = "DSA_PUBKEYVAL_SCHEMA",
  y = ssl_formats.HEX_SCHEMA,
  p = ssl_formats.HEX_SCHEMA,

The schemas can be verified using the following methods inherited from
  securesystemslib.schema:

  in_toto.formats..check_match()
  in_toto.formats..matches()

  `check_match` raises a securesystemslib.exceptions.FormatError and `matches`
  returns False if the verified object does not match the schema (True
  otherwise).

"""
import securesystemslib.schema as ssl_schema

# pylint: disable=bad-whitespace
PARAMETER_DICTIONARY_KEY = ssl_schema.RegularExpression(r'[a-zA-Z0-9_-]+')
PARAMETER_DICTIONARY_SCHEMA = ssl_schema.DictOf(
    key_schema = PARAMETER_DICTIONARY_KEY,
    value_schema = ssl_schema.AnyString())

import binascii
import calendar
import re
import string
import datetime
import time
import six

import securesystemslib.schema as SCHEMA
import securesystemslib.exceptions

# Note that in the schema definitions below, the 'SCHEMA.Object' types allow
# additional keys which are not defined. Thus, any additions to them will be
# easily backwards compatible with clients that are already deployed.

ANY_STRING_SCHEMA = SCHEMA.AnyString()
LIST_OF_ANY_STRING_SCHEMA = SCHEMA.ListOf(ANY_STRING_SCHEMA)

# A datetime in 'YYYY-MM-DDTHH:MM:SSZ' ISO 8601 format.  The "Z" zone designator
# for the zero UTC offset is always used (i.e., a numerical offset is not
# supported.)  Example: '2015-10-21T13:20:00Z'.  Note:  This is a simple format
# check, and an ISO8601 string should be fully verified when it is parsed.
ISO8601_DATETIME_SCHEMA = SCHEMA.RegularExpression(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z')

# A Unix/POSIX time format.  An integer representing the number of seconds
# since the epoch (January 1, 1970.)  Metadata uses this format for the
# 'expires' field.  Set 'hi' to the upper timestamp limit (year 2038), the max
# value of an int.
UNIX_TIMESTAMP_SCHEMA = SCHEMA.Integer(lo=0, hi=2147483647)

# A hexadecimal value in '23432df87ab..' format.
HEX_SCHEMA = SCHEMA.RegularExpression(r'[a-fA-F0-9]+')

RSA_PUBKEYVAL_SCHEMA = ssl_schema.Object(
  object_name = "RSA_PUBKEYVAL_SCHEMA",
  e = ssl_schema.AnyString(),
  n = ssl_formats.HEX_SCHEMA
)


# We have to define RSA_PUBKEY_SCHEMA in two steps, because it is
# self-referential. Here we define a shallow _RSA_PUBKEY_SCHEMA, which we use
# below to create the self-referential RSA_PUBKEY_SCHEMA.
_RSA_PUBKEY_SCHEMA = ssl_schema.Object(
  object_name = "RSA_PUBKEY_SCHEMA",
  type = ssl_schema.String("rsa"),
  method = ssl_schema.String(PGP_RSA_PUBKEY_METHOD_STRING),
  hashes = ssl_schema.ListOf(ssl_schema.String(GPG_HASH_ALGORITHM_STRING)),
  keyid = ssl_formats.KEYID_SCHEMA,
  keyval = ssl_schema.Object(
      public = RSA_PUBKEYVAL_SCHEMA,
      private = ssl_schema.String("")
    )
)
RSA_PUBKEY_SCHEMA = _create_pubkey_with_subkey_schema(
    _RSA_PUBKEY_SCHEMA)


DSA_PUBKEYVAL_SCHEMA = ssl_schema.Object(
  object_name = "DSA_PUBKEYVAL_SCHEMA",
  y = ssl_formats.HEX_SCHEMA,
  p = ssl_formats.HEX_SCHEMA,
  q = ssl_formats.HEX_SCHEMA,
  g = ssl_formats.HEX_SCHEMA

def _create_pubkey_with_subkey_schema(pubkey_schema):
  """Helper method to extend the passed public key schema with an optional
  dictionary of sub public keys "subkeys" with the same schema."""
  schema = pubkey_schema
  subkey_schema_tuple =  ("subkeys", ssl_schema.Optional(
        ssl_schema.DictOf(
          key_schema=ssl_formats.KEYID_SCHEMA,
          value_schema=pubkey_schema
          )
        )
      )
  # Any subclass of `securesystemslib.schema.Object` stores the schemas that
  # define the attributes of the object in its `_required` property, even if
  # such a schema is of type `Optional`.
  # TODO: Find a way that does not require to access a protected member
  schema._required.append(subkey_schema_tuple) # pylint: disable=protected-access
  return schema

LIST_OF_ANY_STRING_SCHEMA = SCHEMA.ListOf(ANY_STRING_SCHEMA)

# A datetime in 'YYYY-MM-DDTHH:MM:SSZ' ISO 8601 format.  The "Z" zone designator
# for the zero UTC offset is always used (i.e., a numerical offset is not
# supported.)  Example: '2015-10-21T13:20:00Z'.  Note:  This is a simple format
# check, and an ISO8601 string should be fully verified when it is parsed.
ISO8601_DATETIME_SCHEMA = SCHEMA.RegularExpression(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z')

# A Unix/POSIX time format.  An integer representing the number of seconds
# since the epoch (January 1, 1970.)  Metadata uses this format for the
# 'expires' field.  Set 'hi' to the upper timestamp limit (year 2038), the max
# value of an int.
UNIX_TIMESTAMP_SCHEMA = SCHEMA.Integer(lo=0, hi=2147483647)

# A hexadecimal value in '23432df87ab..' format.
HEX_SCHEMA = SCHEMA.RegularExpression(r'[a-fA-F0-9]+')

HASH_SCHEMA = HEX_SCHEMA

# A dict in {'sha256': '23432df87ab..', 'sha512': '34324abc34df..', ...} format.
HASHDICT_SCHEMA = SCHEMA.DictOf(
  key_schema = SCHEMA.AnyString(),
  value_schema = HASH_SCHEMA)

# Uniform Resource Locator identifier (e.g., 'https://www.updateframework.com/').
# TODO: Some level of restriction here would be good....  Note that I pulled
#       this from securesystemslib, since it's neither sophisticated nor used
#       by anyone else.
URL_SCHEMA = SCHEMA.AnyString()

# A key identifier (e.g., a hexadecimal value identifying an RSA key).
KEYID_SCHEMA = HASH_SCHEMA

)
      )
  # Any subclass of `securesystemslib.schema.Object` stores the schemas that
  # define the attributes of the object in its `_required` property, even if
  # such a schema is of type `Optional`.
  # TODO: Find a way that does not require to access a protected member
  schema._required.append(subkey_schema_tuple) # pylint: disable=protected-access
  return schema

GPG_HASH_ALGORITHM_STRING = "pgp+SHA2"
PGP_RSA_PUBKEY_METHOD_STRING = "pgp+rsa-pkcsv1.5"
PGP_DSA_PUBKEY_METHOD_STRING = "pgp+dsa-fips-180-2"

RSA_PUBKEYVAL_SCHEMA = ssl_schema.Object(
  object_name = "RSA_PUBKEYVAL_SCHEMA",
  e = ssl_schema.AnyString(),
  n = ssl_formats.HEX_SCHEMA
)


# We have to define RSA_PUBKEY_SCHEMA in two steps, because it is
# self-referential. Here we define a shallow _RSA_PUBKEY_SCHEMA, which we use
# below to create the self-referential RSA_PUBKEY_SCHEMA.
_RSA_PUBKEY_SCHEMA = ssl_schema.Object(
  object_name = "RSA_PUBKEY_SCHEMA",
  type = ssl_schema.String("rsa"),
  method = ssl_schema.String(PGP_RSA_PUBKEY_METHOD_STRING),
  hashes = ssl_schema.ListOf(ssl_schema.String(GPG_HASH_ALGORITHM_STRING)),
  creation_time = ssl_schema.Optional(ssl_formats.UNIX_TIMESTAMP_SCHEMA),
  validity_period = ssl_schema.Optional(ssl_schema.Integer(lo=0)),
  keyid = ssl_formats.KEYID_SCHEMA,
  keyval = ssl_schema.Object(

def _create_pubkey_with_subkey_schema(pubkey_schema):
  """Helper method to extend the passed public key schema with an optional
  dictionary of sub public keys "subkeys" with the same schema."""
  schema = pubkey_schema
  subkey_schema_tuple =  ("subkeys", ssl_schema.Optional(
        ssl_schema.DictOf(
          key_schema=ssl_formats.KEYID_SCHEMA,
          value_schema=pubkey_schema
          )
        )
      )
  # Any subclass of `securesystemslib.schema.Object` stores the schemas that
  # define the attributes of the object in its `_required` property, even if
  # such a schema is of type `Optional`.
  # TODO: Find a way that does not require to access a protected member
  schema._required.append(subkey_schema_tuple) # pylint: disable=protected-access
  return schema

# the signing key.  I debated making the signature schema not contain the key
# ID and instead have the signatures of a file be a dictionary with the key
# being the keyid and the value being the signature schema without the keyid.
# That would be under the argument that a key should only be able to sign a
# file once.
SIGNATURE_SCHEMA = SCHEMA.Object(
  object_name = 'SIGNATURE_SCHEMA',
  keyid = KEYID_SCHEMA,
  sig = HEX_SCHEMA)

# A dict where the dict keys hold a keyid and the dict values a key object.
KEYDICT_SCHEMA = SCHEMA.DictOf(
  key_schema = KEYID_SCHEMA,
  value_schema = KEY_SCHEMA)

ANY_SIGNATURE_SCHEMA = securesystemslib.schema.OneOf([SIGNATURE_SCHEMA,
    GPG_SIGNATURE_SCHEMA])

# List of ANY_SIGNATURE_SCHEMA.
SIGNATURES_SCHEMA = SCHEMA.ListOf(ANY_SIGNATURE_SCHEMA)

# A signable object.  Holds the signing role and its associated signatures.
SIGNABLE_SCHEMA = SCHEMA.Object(
  object_name = 'SIGNABLE_SCHEMA',
  signed = SCHEMA.Any(),
  signatures = SIGNATURES_SCHEMA)

# Note: Verification keys can have private portions but in case of GPG we
# only have a PUBKEY_SCHEMA (because we never export private gpg keys from
# the gpg keyring)
ANY_VERIFICATION_KEY_SCHEMA = SCHEMA.OneOf([ANYKEY_SCHEMA,
    GPG_PUBKEY_SCHEMA])