def setUpClass(cls):
cls.rsakey_dict = KEYS.generate_rsa_key()
cls.ed25519key_dict = KEYS.generate_ed25519_key()
cls.ecdsakey_dict = KEYS.generate_ecdsa_key()
cls.DATA_STR = "SOME DATA REQUIRING AUTHENTICITY."
cls.DATA = securesystemslib.formats.encode_canonical(
cls.DATA_STR).encode("utf-8")
def test_key_class(self) -> None:
# Test if from_securesystemslib_key removes the private key from keyval
# of a securesystemslib key dictionary.
sslib_key = generate_ed25519_key()
key = Key.from_securesystemslib_key(sslib_key)
self.assertFalse("private" in key.keyval.keys())
# Test raising ValueError with non-existent keytype
sslib_key["keytype"] = "bad keytype"
with self.assertRaises(ValueError):
Key.from_securesystemslib_key(sslib_key)
return _bin_name(low, high)
# Keys
# ----
# Given that the primary concern of hash bin delegation is to reduce network
# overhead, it is acceptable to re-use one signing key for all delegated
# targets roles (bin-n). However, we do use a different key for the delegating
# targets role (bins). Considering the high responsibility but also low
# volatility of the bins role, it is recommended to require signature
# thresholds and keep the keys offline in a real-world scenario.
# NOTE: See "Targets delegation" and "Signature thresholds" paragraphs in
# 'basic_repo.py' for more details
for name in ["bin-n", "bins"]:
keys[name] = generate_ed25519_key()
# Targets roles
# -------------
# NOTE: See "Targets" and "Targets delegation" paragraphs in 'basic_repo.py'
# example for more details about the Targets object.
# Create preliminary delegating targets role (bins) and add public key for
# delegated targets (bin_n) to key store. Delegation details are update below.
roles["bins"] = Metadata(Targets(expires=_in(365)))
bin_n_key = Key.from_securesystemslib_key(keys["bin-n"])
roles["bins"].signed.delegations = Delegations(
keys={bin_n_key.keyid: bin_n_key},
roles={},
)
def test_key_class(self):
# Test if from_securesystemslib_key removes the private key from keyval
# of a securesystemslib key dictionary.
sslib_key = generate_ed25519_key()
key = Key.from_securesystemslib_key(sslib_key)
self.assertFalse('private' in key.keyval.keys())
def create_key() -> Tuple[Key, SSlibSigner]:
sslib_key = generate_ed25519_key()
return Key.from_securesystemslib_key(sslib_key), SSlibSigner(sslib_key)
def _generate_and_write_ed25519_keypair(filepath=None,
password=None,
prompt=False):
"""Generates ed25519 key pair and writes custom JSON-formatted keys to disk.
If a password is passed or entered on the prompt, the private key is
encrypted using AES-256 in CTR mode, with the password strengthened in
PBKDF2-HMAC-SHA256.
NOTE: The custom key format includes 'ed25519' as signing scheme.
Arguments:
filepath (optional): The path to write the private key to. If not passed,
the key is written to CWD using the keyid as filename. The public key
is written to the same path as the private key using the suffix '.pub'.
password (optional): An encryption password.
prompt (optional): A boolean indicating if the user should be prompted
for an encryption password. If the user enters an empty password, the
key is not encrypted.
Raises:
UnsupportedLibraryError: pyca/pynacl or pyca/cryptography is not available.
FormatError: Arguments are malformed.
ValueError: An empty string is passed as 'password', or both a 'password'
is passed and 'prompt' is true.
StorageError: Key files cannot be written.
Side Effects:
Prompts user for a password if 'prompt' is True.
Writes key files to disk.
Returns:
The private key filepath.
"""
ed25519_key = keys.generate_ed25519_key()
# Use passed 'filepath' or keyid as file name
if not filepath:
filepath = os.path.join(os.getcwd(), ed25519_key['keyid'])
formats.PATH_SCHEMA.check_match(filepath)
password = _get_key_file_encryption_password(password, prompt, filepath)
# Create intermediate directories as required
util.ensure_parent_dir(filepath)
# Use custom JSON format for ed25519 keys on-disk
keytype = ed25519_key['keytype']
keyval = ed25519_key['keyval']
scheme = ed25519_key['scheme']
ed25519key_metadata_format = keys.format_keyval_to_metadata(keytype,
scheme,
keyval,
private=False)
# Write public key to <filepath>.pub
file_object = tempfile.TemporaryFile()
file_object.write(json.dumps(ed25519key_metadata_format).encode('utf-8'))
util.persist_temp_file(file_object, filepath + '.pub')
# Encrypt private key if we have a password, store as JSON string otherwise
if password is not None:
ed25519_key = keys.encrypt_key(ed25519_key, password)
else:
ed25519_key = json.dumps(ed25519_key)
# Write private key to <filepath>
file_object = tempfile.TemporaryFile()
file_object.write(ed25519_key.encode('utf-8'))
util.persist_temp_file(file_object, filepath)
return filepath
# field). This is called top-level delegation.
#
# In addition, root provides all public keys to verify these signatures (see
# 'keys' field), and a configuration parameter that describes whether a
# repository uses consistent snapshots (see section 'Persist metadata' below
# for more details).
# Create root metadata object
roles["root"] = Metadata(Root(expires=_in(365)))
# For this example, we generate one 'ed25519' key pair for each top-level role
# using python-tuf's in-house crypto library.
# See https://github.com/secure-systems-lab/securesystemslib for more details
# about key handling, and don't forget to password-encrypt your private keys!
for name in ["targets", "snapshot", "timestamp", "root"]:
keys[name] = generate_ed25519_key()
roles["root"].signed.add_key(Key.from_securesystemslib_key(keys[name]),
name)
# NOTE: We only need the public part to populate root, so it is possible to use
# out-of-band mechanisms to generate key pairs and only expose the public part
# to whoever maintains the root role. As a matter of fact, the very purpose of
# signature thresholds is to avoid having private keys all in one place.
# Signature thresholds
# --------------------
# Given the importance of the root role, it is highly recommended to require a
# threshold of multiple keys to sign root metadata. For this example we
# generate another root key (you can pretend it's out-of-band) and increase the
# required signature threshold.
another_root_key = generate_ed25519_key()