def build(self, root_pub_path, targets_pub_path, timestamp_pub_path):
"""
Create a new repo
:param root_pub_path: path where the public root key lives
:type root_pub_path: str
:param targets_pub_path: path where the public targets key lives
:type targets_pub_path: str
:param timestamp_pub_path: path where the public timestamp key lives
:type timestamp_pub_path: str
"""
repository = create_new_repository(self._repo_path)
pub_root_key = import_rsa_publickey_from_file(root_pub_path)
repository.root.add_verification_key(pub_root_key)
repository.root.load_signing_key(self._key)
pub_target_key = import_rsa_publickey_from_file(targets_pub_path)
repository.targets.add_verification_key(pub_target_key)
repository.snapshot.add_verification_key(pub_target_key)
repository.targets.compressions = ["gz"]
repository.snapshot.compressions = ["gz"]
pub_timestamp_key = import_rsa_publickey_from_file(timestamp_pub_path)
repository.timestamp.add_verification_key(pub_timestamp_key)
repository.write_partial()
def build(self, root_pub_path, targets_pub_path, timestamp_pub_path):
"""
Create or update the repo
:param root_pub_path: path where the public root key lives
:type root_pub_path: str
:param targets_pub_path: path where the public targets key lives
:type targets_pub_path: str
:param timestamp_pub_path: path where the public timestamp key lives
:type timestamp_pub_path: str
"""
if exists(self._repo_path) and listdir(self._repo_path) != []:
repository = load_repository(self._repo_path)
else:
repository = create_new_repository(self._repo_path)
pub_root_key = import_rsa_publickey_from_file(root_pub_path)
repository.root.add_verification_key(pub_root_key)
repository.root.load_signing_key(self._key)
repository.root.expiration = (datetime.datetime.now() +
datetime.timedelta(days=EXPIRATION_DAYS))
pub_target_key = import_rsa_publickey_from_file(targets_pub_path)
repository.targets.add_verification_key(pub_target_key)
repository.snapshot.add_verification_key(pub_target_key)
repository.targets.compressions = ["gz"]
repository.snapshot.compressions = ["gz"]
pub_timestamp_key = import_rsa_publickey_from_file(timestamp_pub_path)
repository.timestamp.add_verification_key(pub_timestamp_key)
try:
repository.write_partial()
except:
pass
def _add_metadata(self,
repository,
root_key_password=None,
targets_key_password=None,
snapshot_key_password=None,
timestamp_key_password=None):
from tuf.repository_tool import import_rsa_publickey_from_file, \
import_rsa_privatekey_from_file
# Add root key to repository
public_root_key = import_rsa_publickey_from_file(
self._root_key_file + '.pub')
if root_key_password is None:
print('importing root key...')
private_root_key = import_rsa_privatekey_from_file(
self._root_key_file,
root_key_password)
repository.root.add_verification_key(public_root_key)
repository.root.load_signing_key(private_root_key)
repository.root.expiration = datetime.utcnow() + self._root_lifetime
# Add targets key to repository
public_targets_key = import_rsa_publickey_from_file(
self._targets_key_file + '.pub')
if targets_key_password is None:
print('importing targets key...')
private_targets_key = import_rsa_privatekey_from_file(
self._targets_key_file,
targets_key_password)
repository.targets.add_verification_key(public_targets_key)
repository.targets.load_signing_key(private_targets_key)
# Add snapshot key to repository
public_snapshot_key = import_rsa_publickey_from_file(
self._snapshot_key_file + '.pub')
if snapshot_key_password is None:
print('importing snapshot key...')
private_snapshot_key = import_rsa_privatekey_from_file(
self._snapshot_key_file,
snapshot_key_password)
repository.snapshot.add_verification_key(public_snapshot_key)
repository.snapshot.load_signing_key(private_snapshot_key)
# Add timestamp key to repository
public_timestamp_key = import_rsa_publickey_from_file(
self._timestamp_key_file + '.pub')
if timestamp_key_password is None:
print('importing timestamp key...')
private_timestamp_key = import_rsa_privatekey_from_file(
self._timestamp_key_file,
timestamp_key_password)
repository.timestamp.add_verification_key(public_timestamp_key)
repository.timestamp.load_signing_key(private_timestamp_key)
# Write out metadata
repository.writeall(consistent_snapshot=True)
def _add_metadata(self,
repository,
root_key_password=None,
targets_key_password=None,
snapshot_key_password=None,
timestamp_key_password=None):
from tuf.repository_tool import import_rsa_publickey_from_file, \
import_rsa_privatekey_from_file
# Add root key to repository
public_root_key = import_rsa_publickey_from_file(
self._root_key_file + '.pub')
if root_key_password is None:
print('importing root key...')
private_root_key = import_rsa_privatekey_from_file(
self._root_key_file,
root_key_password)
repository.root.add_verification_key(public_root_key)
repository.root.load_signing_key(private_root_key)
repository.root.expiration = datetime.now() + self._root_lifetime
# Add targets key to repository
public_targets_key = import_rsa_publickey_from_file(
self._targets_key_file + '.pub')
if targets_key_password is None:
print('importing targets key...')
private_targets_key = import_rsa_privatekey_from_file(
self._targets_key_file,
targets_key_password)
repository.targets.add_verification_key(public_targets_key)
repository.targets.load_signing_key(private_targets_key)
# Add snapshot key to repository
public_snapshot_key = import_rsa_publickey_from_file(
self._snapshot_key_file + '.pub')
if snapshot_key_password is None:
print('importing snapshot key...')
private_snapshot_key = import_rsa_privatekey_from_file(
self._snapshot_key_file,
snapshot_key_password)
repository.snapshot.add_verification_key(public_snapshot_key)
repository.snapshot.load_signing_key(private_snapshot_key)
# Add timestamp key to repository
public_timestamp_key = import_rsa_publickey_from_file(
self._timestamp_key_file + '.pub')
if timestamp_key_password is None:
print('importing timestamp key...')
private_timestamp_key = import_rsa_privatekey_from_file(
self._timestamp_key_file,
timestamp_key_password)
repository.timestamp.add_verification_key(public_timestamp_key)
repository.timestamp.load_signing_key(private_timestamp_key)
# Write out metadata
repository.write(consistent_snapshot=True)
def _load_role_keys(keystore_directory):
# Populating 'self.role_keys' by importing the required public and private
# keys of 'tuf/tests/repository_data/'. The role keys are needed when
# modifying the remote repository used by the test cases in this unit test.
# The pre-generated key files in 'repository_data/keystore' are all encrypted with
# a 'password' passphrase.
EXPECTED_KEYFILE_PASSWORD = '******'
# Store and return the cryptography keys of the top-level roles, including 1
# delegated role.
role_keys = {}
root_key_file = os.path.join(keystore_directory, 'root_key')
targets_key_file = os.path.join(keystore_directory, 'targets_key')
snapshot_key_file = os.path.join(keystore_directory, 'snapshot_key')
timestamp_key_file = os.path.join(keystore_directory, 'timestamp_key')
delegation_key_file = os.path.join(keystore_directory, 'delegation_key')
role_keys = {
'root': {},
'targets': {},
'snapshot': {},
'timestamp': {},
'role1': {}
}
# Import the top-level and delegated role public keys.
role_keys['root']['public'] = \
repo_tool.import_rsa_publickey_from_file(root_key_file+'.pub')
role_keys['targets']['public'] = \
repo_tool.import_ed25519_publickey_from_file(targets_key_file + '.pub')
role_keys['snapshot']['public'] = \
repo_tool.import_ed25519_publickey_from_file(snapshot_key_file + '.pub')
role_keys['timestamp']['public'] = \
repo_tool.import_ed25519_publickey_from_file(timestamp_key_file + '.pub')
role_keys['role1']['public'] = \
repo_tool.import_ed25519_publickey_from_file(delegation_key_file + '.pub')
# Import the private keys of the top-level and delegated roles.
role_keys['root']['private'] = \
repo_tool.import_rsa_privatekey_from_file(root_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['targets']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(targets_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['snapshot']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['timestamp']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['role1']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(delegation_key_file,
EXPECTED_KEYFILE_PASSWORD)
return role_keys
def test_root_role_versioning(self):
# Test root role versioning
#
# 1. Import public and private keys.
# 2. Add verification keys.
# 3. Load signing keys.
# 4. Add target files.
# 5. Perform delegation.
# 6. writeall()
#
# Copy the target files from 'tuf/tests/repository_data' so that writeall()
# has target fileinfo to include in metadata.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
targets_directory = os.path.join(temporary_directory, 'repository',
repo_tool.TARGETS_DIRECTORY_NAME)
original_targets_directory = os.path.join('repository_data',
'repository', 'targets')
shutil.copytree(original_targets_directory, targets_directory)
# In this case, create_new_repository() creates the 'repository/'
# sub-directory in 'temporary_directory' if it does not exist.
repository_directory = os.path.join(temporary_directory, 'repository')
metadata_directory = os.path.join(repository_directory,
repo_tool.METADATA_STAGED_DIRECTORY_NAME)
repository = repo_tool.create_new_repository(repository_directory)
# (1) Load the public and private keys of the top-level roles, and one
# delegated role.
keystore_directory = os.path.join('repository_data', 'keystore')
# Load the public keys.
root_pubkey_path = os.path.join(keystore_directory, 'root_key.pub')
targets_pubkey_path = os.path.join(keystore_directory, 'targets_key.pub')
snapshot_pubkey_path = os.path.join(keystore_directory, 'snapshot_key.pub')
timestamp_pubkey_path = os.path.join(keystore_directory, 'timestamp_key.pub')
role1_pubkey_path = os.path.join(keystore_directory, 'delegation_key.pub')
root_pubkey = repo_tool.import_rsa_publickey_from_file(root_pubkey_path)
targets_pubkey = repo_tool.import_ed25519_publickey_from_file(targets_pubkey_path)
snapshot_pubkey = \
repo_tool.import_ed25519_publickey_from_file(snapshot_pubkey_path)
timestamp_pubkey = \
repo_tool.import_ed25519_publickey_from_file(timestamp_pubkey_path)
role1_pubkey = repo_tool.import_ed25519_publickey_from_file(role1_pubkey_path)
# Load the private keys.
root_privkey_path = os.path.join(keystore_directory, 'root_key')
targets_privkey_path = os.path.join(keystore_directory, 'targets_key')
snapshot_privkey_path = os.path.join(keystore_directory, 'snapshot_key')
timestamp_privkey_path = os.path.join(keystore_directory, 'timestamp_key')
role1_privkey_path = os.path.join(keystore_directory, 'delegation_key')
root_privkey = \
repo_tool.import_rsa_privatekey_from_file(root_privkey_path, 'password')
targets_privkey = \
repo_tool.import_ed25519_privatekey_from_file(targets_privkey_path, 'password')
snapshot_privkey = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_privkey_path,
'password')
timestamp_privkey = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_privkey_path,
'password')
role1_privkey = \
repo_tool.import_ed25519_privatekey_from_file(role1_privkey_path,
'password')
# (2) Add top-level verification keys.
repository.root.add_verification_key(root_pubkey)
repository.targets.add_verification_key(targets_pubkey)
repository.snapshot.add_verification_key(snapshot_pubkey)
repository.timestamp.add_verification_key(timestamp_pubkey)
# (3) Load top-level signing keys.
repository.root.load_signing_key(root_privkey)
repository.targets.load_signing_key(targets_privkey)
repository.snapshot.load_signing_key(snapshot_privkey)
repository.timestamp.load_signing_key(timestamp_privkey)
# (4) Add target files.
target1 = 'file1.txt'
target2 = 'file2.txt'
target3 = 'file3.txt'
repository.targets.add_target(target1)
repository.targets.add_target(target2)
# (5) Perform delegation.
repository.targets.delegate('role1', [role1_pubkey], [target3])
repository.targets('role1').load_signing_key(role1_privkey)
# (6) Write repository.
repository.writeall()
self.assertTrue(os.path.exists(os.path.join(metadata_directory, 'root.json')))
self.assertTrue(os.path.exists(os.path.join(metadata_directory, '1.root.json')))
# Verify that the expected metadata is written.
root_filepath = os.path.join(metadata_directory, 'root.json')
root_1_filepath = os.path.join(metadata_directory, '1.root.json')
root_2_filepath = os.path.join(metadata_directory, '2.root.json')
old_root_signable = securesystemslib.util.load_json_file(root_filepath)
root_1_signable = securesystemslib.util.load_json_file(root_1_filepath)
# Make a change to the root keys
repository.root.add_verification_key(targets_pubkey)
repository.root.load_signing_key(targets_privkey)
repository.root.threshold = 2
repository.writeall()
new_root_signable = securesystemslib.util.load_json_file(root_filepath)
root_2_signable = securesystemslib.util.load_json_file(root_2_filepath)
for role_signable in [old_root_signable, new_root_signable, root_1_signable, root_2_signable]:
# Raise 'securesystemslib.exceptions.FormatError' if 'role_signable' is an
# invalid signable.
tuf.formats.check_signable_object_format(role_signable)
# Verify contents of versioned roots
self.assertEqual(old_root_signable, root_1_signable)
self.assertEqual(new_root_signable, root_2_signable)
self.assertEqual(root_1_signable['signed']['version'], 1)
self.assertEqual(root_2_signable['signed']['version'], 2)
repository.root.remove_verification_key(root_pubkey)
repository.root.unload_signing_key(root_privkey)
repository.root.threshold = 2
# Errors, not enough signing keys to satisfy old threshold
self.assertRaises(tuf.exceptions.UnsignedMetadataError, repository.writeall)
# No error, write() ignore's root's threshold and allows it to be written
# to disk partially signed.
repository.write('root')
