def _verify_metadata(metadata, args):
    """
    <Purpose>
      Internal method to verify link or layout signatures with the RSA
      public keys named on the command line, then terminate the process
      with an exit status that reports the outcome.

    <Arguments>
      metadata:
              Metablock object (contains Link or Layout object).
      args:
              Parsed command-line arguments; `args.key` is passed straight
              to util.import_rsa_public_keys_from_files_as_dict.

    <Exceptions>
      SystemExit(0) if verification passes
      SystemExit(1) if verification fails (SignatureVerificationError)
      SystemExit(2) if any other exception occurs (e.g. a key file that
        cannot be read or parsed)
    """
    try:
        verification_keys = util.import_rsa_public_keys_from_files_as_dict(
            args.key)
        metadata.verify_signatures(verification_keys)
        log.pass_verification("Signature verification passed")

    except exceptions.SignatureVerificationError as error:
        log.fail_verification(
            "Signature verification failed: {}".format(error))
        sys.exit(1)

    except Exception as error:
        message = ("The following error occurred while verifying signatures: "
                   "{}".format(error))
        log.error(message)
        sys.exit(2)

    # Only reached when the try body completed without raising.
    sys.exit(0)
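def main():
    """
    <Purpose>
      Command-line entry point: fetch an in-toto layout and the link
      metadata for each of its steps from a Grafeas server, then run
      in-toto verification of the supply chain against the layout key.

    <Exceptions>
      SystemExit(1) if the layout key cannot be loaded, the layout cannot
        be fetched, or verification fails.
      Any ApiException raised by fetch_occurrence is propagated unchanged.
    """
    args = parse_arguments()

    # configure our instance of the grafeas api
    swagger_client.configuration.host = args.target
    api_instance = swagger_client.GrafeasApi()

    # Load the layout verification key first; without it nothing fetched
    # from the server can be trusted, so a load failure is fatal.
    try:
        layout_key_dict = util.import_rsa_public_keys_from_files_as_dict(
            [args.key])
    except Exception as e:
        print("Exception when loading the layout key\n{}: {}".format(
            type(e).__name__, e))
        sys.exit(1)

    try:
        layout = fetch_layout(args.project_id, api_instance)
    except Exception as e:
        print("Exception when fetching the in-toto layout\n{}: {}".format(
            type(e).__name__, e))
        sys.exit(1)

    # fetch the link metadata for every step, one occurrence per functionary
    # key authorized for that step. The return value of fetch_occurrence is
    # not used here; presumably it stores the link where in_toto_verify will
    # look for it -- confirm against fetch_occurrence.
    # API errors propagate with their original traceback (the previous
    # `except ApiException as e: raise e` only re-raised them anyway).
    for step in layout.signed.steps:
        for keyid in step.pubkeys:
            fetch_occurrence(args.project_id, step.name, keyid, api_instance)

    try:
        verifylib.in_toto_verify(layout, layout_key_dict)
    except Exception as e:
        print("Exception when verifying the supply chain\n{}: {}".format(
            type(e).__name__, e))
        sys.exit(1)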
def test_verify_failing_inspection_exits_non_zero(self):
    """Verification must raise BadReturnValueError when an inspection
    command exits with a non-zero return value.
    """
    layout = Metablock.load(self.layout_failing_inspection_retval)
    keys = import_rsa_public_keys_from_files_as_dict([self.alice_path])
    self.assertRaises(BadReturnValueError, in_toto_verify, layout, keys)
def test_verify_failing_inspection_rules(self):
    """Verification must raise RuleVerficationError when an inspection's
    artifact rules are not satisfied.
    """
    layout = Metablock.load(self.layout_failing_inspection_rule_path)
    keys = import_rsa_public_keys_from_files_as_dict([self.alice_path])
    self.assertRaises(RuleVerficationError, in_toto_verify, layout, keys)
def test_verify_failing_layout_expired(self):
    """Verification must raise LayoutExpiredError for a layout whose
    expiration date has passed, even though both layout keys are supplied.
    """
    layout = Metablock.load(self.layout_expired_path)
    keys = import_rsa_public_keys_from_files_as_dict(
        [self.alice_path, self.bob_path])
    self.assertRaises(LayoutExpiredError, in_toto_verify, layout, keys)
def test_verify_failing_missing_key(self):
    """Verification of a double-signed layout must raise
    SignatureVerificationError when only one of the two layout keys
    (bob's) is supplied.
    """
    layout = Metablock.load(self.layout_double_signed_path)
    keys = import_rsa_public_keys_from_files_as_dict([self.bob_path])
    self.assertRaises(SignatureVerificationError, in_toto_verify, layout, keys)
def test_verify_failing_bad_signature(self):
    """Verification must raise SignatureVerificationError when the layout
    carries a signature that does not verify under alice's key.
    """
    layout = Metablock.load(self.layout_bad_sig)
    keys = import_rsa_public_keys_from_files_as_dict([self.alice_path])
    self.assertRaises(SignatureVerificationError, in_toto_verify, layout, keys)
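def test_verify_failing_link_metadata_files(self):
    """Test fail verification with link metadata files not found.

    The link file for the "package" step is renamed away so that
    in_toto_verify cannot find it. The rename is undone in a ``finally``
    block: previously the restore ran only on success, so a failing
    assertion left the working directory broken for every later test.
    """
    link_name = "package.2f89b927.link"
    backup_name = "package.link.bak"

    os.rename(link_name, backup_name)
    try:
        layout = Metablock.load(self.layout_single_signed_path)
        layout_key_dict = import_rsa_public_keys_from_files_as_dict(
            [self.alice_path])
        with self.assertRaises(in_toto.exceptions.LinkNotFoundError):
            in_toto_verify(layout, layout_key_dict)
    finally:
        os.rename(backup_name, link_name)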
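def test_import_rsa_public_keys_from_files_as_dict(self):
    """Create and import multiple RSA public keys and return a KEYDICT.

    Also checks that a malformed key file and a private key file are both
    rejected with securesystemslib.exceptions.FormatError, so a verifier
    is never handed junk or a private key in place of a public key.
    """
    name1 = "key4"
    name2 = "key5"
    generate_and_write_rsa_keypair(name1)
    generate_and_write_rsa_keypair(name2)
    pub1 = name1 + ".pub"
    pub2 = name2 + ".pub"

    # Successfully import public keys as key dictionary
    key_dict = import_rsa_public_keys_from_files_as_dict([pub1, pub2])
    securesystemslib.formats.KEYDICT_SCHEMA.check_match(key_dict)

    # Import wrongly formatted key raises an exception. The file is written
    # under `with` so it is flushed and closed before the import reads it;
    # the previous unclosed open() relied on CPython refcounting for that.
    not_an_rsa = "not_an_rsa"
    with open(not_an_rsa, "w") as fp:
        fp.write(not_an_rsa)
    with self.assertRaises(securesystemslib.exceptions.FormatError):
        import_rsa_public_keys_from_files_as_dict([pub1, not_an_rsa])

    # Import private key raises an exception
    with self.assertRaises(securesystemslib.exceptions.FormatError):
        import_rsa_public_keys_from_files_as_dict([name1, name2])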
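def _verify_metadata(metadata, args):
    """
    <Purpose>
      Internal method to verify link or layout signatures.

    <Arguments>
      metadata:
              Metablock object (contains Link or Layout object)
      args:
              see argparser. One of `args.key` (list of RSA public key
              files) or `args.gpg` (list of gpg keyids resolved in
              `args.gpg_home`) is expected to be set; presumably the
              parser enforces that -- confirm. If neither is set,
              pub_key_dict is never assigned and the resulting NameError
              is reported as exit status 2.

    <Exceptions>
      SystemExit(0) if verification passes for every supplied key
      SystemExit(1) if verification fails for any supplied key
      SystemExit(2) if any other exception occurs
    """
    try:
        # Load pubkeys from disk ....
        if args.key is not None:
            pub_key_dict = util.import_rsa_public_keys_from_files_as_dict(
                args.key)
        # ... or from gpg keyring
        elif args.gpg is not None:  # pragma: no branch
            pub_key_dict = util.import_gpg_public_keys_from_keyring_as_dict(
                args.gpg, args.gpg_home)

        # Each supplied key is checked individually; a
        # SignatureVerificationError from any of them aborts before exit(0).
        for keyid, verification_key in six.iteritems(pub_key_dict):
            metadata.verify_signature(verification_key)
            log.info(
                "Signature verification passed for keyid '{}'".format(keyid))

        sys.exit(0)

    except exceptions.SignatureVerificationError as e:
        log.error("Signature verification failed: {}".format(e))
        sys.exit(1)

    except Exception as e:
        log.error("The following error occurred while verifying signatures: "
                  "{}".format(e))
        sys.exit(2)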
def test_verify_passing_double_signed_layout(self):
    """A layout signed by both alice and bob must verify without raising
    when both public keys are supplied.
    """
    layout = Metablock.load(self.layout_double_signed_path)
    key_paths = [self.alice_path, self.bob_path]
    keys = import_rsa_public_keys_from_files_as_dict(key_paths)
    in_toto_verify(layout, keys)