def test_generate_and_write_ed25519_keypair(self):
# Test normal case.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
test_keypath = os.path.join(temporary_directory, 'ed25519_key')
repo_lib.generate_and_write_ed25519_keypair(test_keypath,
password='******')
self.assertTrue(os.path.exists(test_keypath))
self.assertTrue(os.path.exists(test_keypath + '.pub'))
# Ensure the generated key files are importable.
imported_pubkey = \
repo_lib.import_ed25519_publickey_from_file(test_keypath + '.pub')
self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_pubkey))
imported_privkey = \
repo_lib.import_ed25519_privatekey_from_file(test_keypath, 'pw')
self.assertTrue(
tuf.formats.ED25519KEY_SCHEMA.matches(imported_privkey))
# Test improperly formatted arguments.
self.assertRaises(tuf.FormatError,
repo_lib.generate_and_write_ed25519_keypair,
3,
password='******')
self.assertRaises(tuf.FormatError,
repo_lib.generate_and_write_rsa_keypair,
test_keypath,
password=3)
def test_import_ed25519_privatekey_from_file(self):
# Test normal case.
# Generate ed25519 keys that can be imported.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
ed25519_keypath = os.path.join(temporary_directory, 'ed25519_key')
securesystemslib.interface.generate_and_write_ed25519_keypair(
ed25519_keypath, password='******')
imported_ed25519_key = \
repo_lib.import_ed25519_privatekey_from_file(ed25519_keypath, 'pw')
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_ed25519_key))
# Test improperly formatted argument.
self.assertRaises(securesystemslib.exceptions.FormatError,
repo_lib.import_ed25519_privatekey_from_file, 3, 'pw')
# Test invalid argument.
# Non-existent key file.
nonexistent_keypath = os.path.join(temporary_directory,
'nonexistent_keypath')
self.assertRaises(securesystemslib.exceptions.StorageError,
repo_lib.import_ed25519_privatekey_from_file,
nonexistent_keypath, 'pw')
# Invalid key file argument.
invalid_keyfile = os.path.join(temporary_directory, 'invalid_keyfile')
with open(invalid_keyfile, 'wb') as file_object:
file_object.write(b'bad keyfile')
self.assertRaises(securesystemslib.exceptions.Error,
repo_lib.import_ed25519_privatekey_from_file, invalid_keyfile, 'pw')
# Invalid private key imported (contains unexpected keytype.)
imported_ed25519_key['keytype'] = 'invalid_keytype'
# Use 'rsa_keys.py' to bypass the key format validation performed by
# 'keys.py'.
salt, iterations, derived_key = \
securesystemslib.rsa_keys._generate_derived_key('pw')
# Store the derived key info in a dictionary, the object expected
# by the non-public _encrypt() routine.
derived_key_information = {'salt': salt, 'iterations': iterations,
'derived_key': derived_key}
# Convert the key object to json string format and encrypt it with the
# derived key.
encrypted_key = securesystemslib.rsa_keys._encrypt(
json.dumps(imported_ed25519_key), derived_key_information)
with open(ed25519_keypath, 'wb') as file_object:
file_object.write(encrypted_key.encode('utf-8'))
self.assertRaises(securesystemslib.exceptions.FormatError,
repo_lib.import_ed25519_privatekey_from_file, ed25519_keypath, 'pw')
def test_sign_metadata(self):
# Test normal case.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
metadata_path = os.path.join('repository_data', 'repository',
'metadata')
keystore_path = os.path.join('repository_data', 'keystore')
root_filename = os.path.join(metadata_path, 'root.json')
root_metadata = tuf.util.load_json_file(root_filename)['signed']
tuf.keydb.create_keydb_from_root_metadata(root_metadata)
tuf.roledb.create_roledb_from_root_metadata(root_metadata)
root_keyids = tuf.roledb.get_role_keyids('root')
root_private_keypath = os.path.join(keystore_path, 'root_key')
root_private_key = \
repo_lib.import_rsa_privatekey_from_file(root_private_keypath, 'password')
# Sign with a valid, but not a threshold, key.
targets_private_keypath = os.path.join(keystore_path, 'targets_key')
targets_private_key = \
repo_lib.import_ed25519_privatekey_from_file(targets_private_keypath,
'password')
# sign_metadata() expects the private key 'root_metadata' to be in
# 'tuf.keydb'. Remove any public keys that may be loaded before
# adding private key, otherwise a 'tuf.KeyAlreadyExists' exception is
# raised.
tuf.keydb.remove_key(root_private_key['keyid'])
tuf.keydb.add_key(root_private_key)
tuf.keydb.remove_key(targets_private_key['keyid'])
tuf.keydb.add_key(targets_private_key)
root_keyids.extend(tuf.roledb.get_role_keyids('targets'))
# Add the snapshot's public key (to test whether non-private keys are
# ignored by sign_metadata()).
root_keyids.extend(tuf.roledb.get_role_keyids('snapshot'))
root_signable = repo_lib.sign_metadata(root_metadata, root_keyids,
root_filename)
self.assertTrue(tuf.formats.SIGNABLE_SCHEMA.matches(root_signable))
# Test improperly formatted arguments.
self.assertRaises(tuf.FormatError, repo_lib.sign_metadata, 3,
root_keyids, 'root.json')
self.assertRaises(tuf.FormatError, repo_lib.sign_metadata,
root_metadata, 3, 'root.json')
self.assertRaises(tuf.FormatError, repo_lib.sign_metadata,
root_metadata, root_keyids, 3)
def test_import_ed25519_privatekey_from_file(self):
# Test normal case.
# Generate ed25519 keys that can be imported.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
ed25519_keypath = os.path.join(temporary_directory, "ed25519_key")
repo_lib.generate_and_write_ed25519_keypair(ed25519_keypath, password="******")
imported_ed25519_key = repo_lib.import_ed25519_privatekey_from_file(ed25519_keypath, "pw")
self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_ed25519_key))
# Test improperly formatted argument.
self.assertRaises(tuf.FormatError, repo_lib.import_ed25519_privatekey_from_file, 3, "pw")
# Test invalid argument.
# Non-existent key file.
nonexistent_keypath = os.path.join(temporary_directory, "nonexistent_keypath")
self.assertRaises(IOError, repo_lib.import_ed25519_privatekey_from_file, nonexistent_keypath, "pw")
# Invalid key file argument.
invalid_keyfile = os.path.join(temporary_directory, "invalid_keyfile")
with open(invalid_keyfile, "wb") as file_object:
file_object.write(b"bad keyfile")
self.assertRaises(tuf.Error, repo_lib.import_ed25519_privatekey_from_file, invalid_keyfile, "pw")
# Invalid private key imported (contains unexpected keytype.)
imported_ed25519_key["keytype"] = "invalid_keytype"
# Use 'pycrypto_keys.py' to bypass the key format validation performed by
# 'keys.py'.
salt, iterations, derived_key = tuf.pycrypto_keys._generate_derived_key("pw")
# Store the derived key info in a dictionary, the object expected
# by the non-public _encrypt() routine.
derived_key_information = {"salt": salt, "iterations": iterations, "derived_key": derived_key}
# Convert the key object to json string format and encrypt it with the
# derived key.
encrypted_key = tuf.pycrypto_keys._encrypt(json.dumps(imported_ed25519_key), derived_key_information)
with open(ed25519_keypath, "wb") as file_object:
file_object.write(encrypted_key.encode("utf-8"))
self.assertRaises(tuf.FormatError, repo_lib.import_ed25519_privatekey_from_file, ed25519_keypath, "pw")
def test_generate_and_write_ed25519_keypair(self):
# Test normal case.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
test_keypath = os.path.join(temporary_directory, "ed25519_key")
repo_lib.generate_and_write_ed25519_keypair(test_keypath, password="******")
self.assertTrue(os.path.exists(test_keypath))
self.assertTrue(os.path.exists(test_keypath + ".pub"))
# Ensure the generated key files are importable.
imported_pubkey = repo_lib.import_ed25519_publickey_from_file(test_keypath + ".pub")
self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_pubkey))
imported_privkey = repo_lib.import_ed25519_privatekey_from_file(test_keypath, "pw")
self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_privkey))
# Test improperly formatted arguments.
self.assertRaises(tuf.FormatError, repo_lib.generate_and_write_ed25519_keypair, 3, password="******")
self.assertRaises(tuf.FormatError, repo_lib.generate_and_write_rsa_keypair, test_keypath, password=3)
def import_ed25519_privatekey_from_file(filepath, password): return repo_lib.import_ed25519_privatekey_from_file(filepath, password)
