def ready(self):
import director.director as director
if not os.path.exists(settings.DIRECTOR_REPO):
os.makedirs(settings.DIRECTOR_REPO)
keys_pri = {}
keys_pub = {}
for role in ['root', 'timestamp', 'snapshot']:
keys_pri[role] = rt.import_ed25519_privatekey_from_file(
os.path.join(settings.KEY_PATH, 'director' + role),
password='******')
keys_pub[role] = rt.import_ed25519_publickey_from_file(
os.path.join(settings.KEY_PATH, 'director' + role + '.pub'))
# Because the demo's Director targets key is not named correctly....
# TODO: Remove this and add 'targets' back to the role list above when
# the key is correctly renamed.
keys_pri['targets'] = rt.import_ed25519_privatekey_from_file(
os.path.join(settings.KEY_PATH, 'director'), password='******')
keys_pub['targets'] = rt.import_ed25519_publickey_from_file(
os.path.join(settings.KEY_PATH, 'director.pub'))
settings.DIRECTOR = director.Director(
settings.DIRECTOR_REPO, keys_pri['root'], keys_pub['root'],
keys_pri['timestamp'], keys_pub['timestamp'], keys_pri['snapshot'],
keys_pub['snapshot'], keys_pri['targets'], keys_pub['targets'])
def _load_role_keys(keystore_directory):
# Populating 'self.role_keys' by importing the required public and private
# keys of 'tuf/tests/repository_data/'. The role keys are needed when
# modifying the remote repository used by the test cases in this unit test.
# The pre-generated key files in 'repository_data/keystore' are all encrypted with
# a 'password' passphrase.
EXPECTED_KEYFILE_PASSWORD = '******'
# Store and return the cryptography keys of the top-level roles, including 1
# delegated role.
role_keys = {}
root_key_file = os.path.join(keystore_directory, 'root_key')
targets_key_file = os.path.join(keystore_directory, 'targets_key')
snapshot_key_file = os.path.join(keystore_directory, 'snapshot_key')
timestamp_key_file = os.path.join(keystore_directory, 'timestamp_key')
delegation_key_file = os.path.join(keystore_directory, 'delegation_key')
role_keys = {
'root': {},
'targets': {},
'snapshot': {},
'timestamp': {},
'role1': {}
}
# Import the top-level and delegated role public keys.
role_keys['root']['public'] = \
repo_tool.import_rsa_publickey_from_file(root_key_file+'.pub')
role_keys['targets']['public'] = \
repo_tool.import_ed25519_publickey_from_file(targets_key_file + '.pub')
role_keys['snapshot']['public'] = \
repo_tool.import_ed25519_publickey_from_file(snapshot_key_file + '.pub')
role_keys['timestamp']['public'] = \
repo_tool.import_ed25519_publickey_from_file(timestamp_key_file + '.pub')
role_keys['role1']['public'] = \
repo_tool.import_ed25519_publickey_from_file(delegation_key_file + '.pub')
# Import the private keys of the top-level and delegated roles.
role_keys['root']['private'] = \
repo_tool.import_rsa_privatekey_from_file(root_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['targets']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(targets_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['snapshot']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['timestamp']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['role1']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(delegation_key_file,
EXPECTED_KEYFILE_PASSWORD)
return role_keys
def ready(self):
settings.REPO=rt.create_new_repository(settings.IMAGE_REPO)
keys_pri = {}
keys_pub = {}
for role in ['root', 'timestamp', 'snapshot']:
keys_pri[role] = rt.import_ed25519_privatekey_from_file(os.path.join(settings.KEY_PATH, 'director' + role),password='******')
keys_pub[role] = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'director' + role + '.pub'))
# Because the demo's Director targets key is not named correctly....
# TODO: Remove this and add 'targets' back to the role list above when
# the key is correctly renamed.
keys_pri['targets'] = rt.import_ed25519_privatekey_from_file(os.path.join(settings.KEY_PATH, 'director'),password='******')
keys_pub['targets'] = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'director.pub'))
settings.REPO.root.add_verification_key(keys_pub['root'])
settings.REPO.timestamp.add_verification_key(keys_pub['timestamp'])
settings.REPO.snapshot.add_verification_key(keys_pub['snapshot'])
settings.REPO.targets.add_verification_key(keys_pub['targets'])
settings.REPO.root.load_signing_key(keys_pri['root'])
settings.REPO.timestamp.load_signing_key(keys_pri['timestamp'])
settings.REPO.snapshot.load_signing_key(keys_pri['snapshot'])
settings.REPO.targets.load_signing_key(keys_pri['targets'])
repo_dir=settings.IMAGE_REPO
targets_json=os.path.join(repo_dir,'metadata','targets.json')
if os.path.exists(targets_json):
f=open(targets_json)
targets_meta=json.loads(f.read())
f.close()
targets=targets_meta['signed']['targets']
for key in targets.keys():
filepath=os.path.join(repo_dir,'targets',key[1:])
if os.path.exists(filepath):
settings.REPO.targets.add_target(filepath)
settings.REPO.mark_dirty(['timestamp', 'snapshot'])
settings.REPO.write() # will be writeall() in most recent TUF branch
# Move staged metadata (from the write above) to live metadata directory.
if os.path.exists(os.path.join(settings.IMAGE_REPO, 'metadata')):
shutil.rmtree(os.path.join(settings.IMAGE_REPO, 'metadata'))
shutil.copytree(
os.path.join(settings.IMAGE_REPO, 'metadata.staged'),
os.path.join(settings.IMAGE_REPO, 'metadata'))
def write_and_import_keypair(filename):
pathpriv = 'tufkeystore/{}_key'.format(filename)
pathpub = '{}.pub'.format(pathpriv)
rt.generate_and_write_ed25519_keypair(password='******', filepath=pathpriv)
public_key = rt.import_ed25519_publickey_from_file(pathpub)
private_key = rt.import_ed25519_privatekey_from_file(password='******', filepath=pathpriv)
return (public_key, private_key)
def loadkey(filename):
pathpriv = 'tufkeystore/{}_key'.format(filename)
pathpub = '{}.pub'.format(pathpriv)
public_key = rt.import_ed25519_publickey_from_file(pathpub)
private_key = rt.import_ed25519_privatekey_from_file(password='******',
filepath=pathpriv)
return (public_key, private_key)
def test(self):
vin = 'democar'
settings.DIRECTOR.add_new_vehicle(vin)
primary_serial = 'INFOdemocar'
secondary_serial = 'TCUdemocar'
primary_pub = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'primary.pub'))
secondary_pub = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'secondary.pub'))
settings.DIRECTOR.register_ecu_serial(primary_serial,primary_pub,vin,True)
settings.DIRECTOR.register_ecu_serial(secondary_serial,secondary_pub,vin,False)
manifest_json = {
"signatures": [{
"keyid": "9a406d99e362e7c93e7acfe1e4d6585221315be817f350c026bbee84ada260da",
"method": "ed25519",
"sig": "335272f77357dc0e9f1b74d72eb500e4ff0f443f824b83405e2b21264778d1610e0a5f2663b90eda8ab05a28b5b64fc15514020985d8a93576fe33b287e1380f"}],
"signed": {
"primary_ecu_serial": "INFOdemocar",
"vin": "democar",
"ecu_version_manifests": {
"TCUdemocar": [{
"signatures": [{
"keyid": "49309f114b857e4b29bfbff1c1c75df59f154fbc45539b2eb30c8a867843b2cb",
"method": "ed25519",
"sig": "fd04c1edb0ddf1089f0d3fc1cd460af584e548b230d9c290deabfaf29ce5636b6b897eaa97feb64147ac2214c176bbb1d0fa8bb9c623011a0e48d258eb3f9108"}],
"signed": {
"attacks_detected": "",
"ecu_serial": "TCUdemocar",
"previous_timeserver_time": "2017-05-18T16:37:46Z",
"timeserver_time": "2017-05-18T16:37:48Z",
"installed_image": {
"filepath": "/secondary_firmware.txt",
"fileinfo": {
"length": 37,
"hashes": {
"sha256": "6b9f987226610bfed08b824c93bf8b2f59521fce9a2adef80c495f363c1c9c44",
"sha512": "706c283972c5ae69864b199e1cdd9b4b8babc14f5a454d0fd4d3b35396a04ca0b40af731671b74020a738b5108a78deb032332c36d6ae9f31fae2f8a70f7e1ce"}}}}}]}}}
settings.DIRECTOR.register_vehicle_manifest('democar', 'INFOdemocar', manifest_json)
settings.DIRECTOR.register_vehicle_manifest('democar', 'TCUdemocar', manifest_json)
def import_keypair(name):
dir = path.join(os.getcwd(), 'keys')
private_path = path.join(dir, name)
public_path = private_path + '.pub'
# Load the keys into TUF.
public = rt.import_ed25519_publickey_from_file(public_path)
private = rt.import_ed25519_privatekey_from_file(private_path,
password='******')
return (public, private)
def import_public_key(keyname):
"""
Import a public key according to the demo's current default key config.
The keyname does not include '.pub'; it matches that used for the other
functions here.
Key type: ed25519
Key location: DEMO_KEYS_DIR
"""
return rt.import_ed25519_publickey_from_file(
os.path.join(DEMO_KEYS_DIR, keyname + '.pub'))
def write_and_import_keypair(self, name_dst):
# Identify the paths for the next pre-generated keypair.
pathpriv_src = os.path.join(os.path.dirname(os.path.realpath(
__file__)), 'fixture_keys', '{}_key'.format(self.next_keypair_index))
pathpub_src = '{}.pub'.format(pathpriv_src)
self.next_keypair_index += 1
print('Using key {} for {}'.format(pathpriv_src, name_dst))
# Load the keys into TUF.
public_key = rt.import_ed25519_publickey_from_file(pathpub_src)
private_key = rt.import_ed25519_privatekey_from_file(
pathpriv_src, password='******')
return (public_key, private_key)
def import_public_key(keyname):
"""
Import a public key according to the demo's current default key config.
The keyname does not include '.pub'; it matches that used for the other
functions here.
Key type: ed25519
Key location: DEMO_KEYS_DIR
"""
I_TO_PRINT = TO_PRINT + uptane.YELLOW + '[import_public_key()]: ' + uptane.ENDCOLORS
#TODO: Print to be deleted
print(
str('%s %s %s' %
(I_TO_PRINT, 'Importing public key keyname:', keyname)))
#TODO: Until here
return rt.import_ed25519_publickey_from_file(
os.path.join(DEMO_KEYS_DIR, keyname + '.pub'))
def test_root_role_versioning(self):
# Test root role versioning
#
# 1. Import public and private keys.
# 2. Add verification keys.
# 3. Load signing keys.
# 4. Add target files.
# 5. Perform delegation.
# 6. writeall()
#
# Copy the target files from 'tuf/tests/repository_data' so that writeall()
# has target fileinfo to include in metadata.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
targets_directory = os.path.join(temporary_directory, 'repository',
repo_tool.TARGETS_DIRECTORY_NAME)
original_targets_directory = os.path.join('repository_data',
'repository', 'targets')
shutil.copytree(original_targets_directory, targets_directory)
# In this case, create_new_repository() creates the 'repository/'
# sub-directory in 'temporary_directory' if it does not exist.
repository_directory = os.path.join(temporary_directory, 'repository')
metadata_directory = os.path.join(repository_directory,
repo_tool.METADATA_STAGED_DIRECTORY_NAME)
repository = repo_tool.create_new_repository(repository_directory)
# (1) Load the public and private keys of the top-level roles, and one
# delegated role.
keystore_directory = os.path.join('repository_data', 'keystore')
# Load the public keys.
root_pubkey_path = os.path.join(keystore_directory, 'root_key.pub')
targets_pubkey_path = os.path.join(keystore_directory, 'targets_key.pub')
snapshot_pubkey_path = os.path.join(keystore_directory, 'snapshot_key.pub')
timestamp_pubkey_path = os.path.join(keystore_directory, 'timestamp_key.pub')
role1_pubkey_path = os.path.join(keystore_directory, 'delegation_key.pub')
root_pubkey = repo_tool.import_rsa_publickey_from_file(root_pubkey_path)
targets_pubkey = repo_tool.import_ed25519_publickey_from_file(targets_pubkey_path)
snapshot_pubkey = \
repo_tool.import_ed25519_publickey_from_file(snapshot_pubkey_path)
timestamp_pubkey = \
repo_tool.import_ed25519_publickey_from_file(timestamp_pubkey_path)
role1_pubkey = repo_tool.import_ed25519_publickey_from_file(role1_pubkey_path)
# Load the private keys.
root_privkey_path = os.path.join(keystore_directory, 'root_key')
targets_privkey_path = os.path.join(keystore_directory, 'targets_key')
snapshot_privkey_path = os.path.join(keystore_directory, 'snapshot_key')
timestamp_privkey_path = os.path.join(keystore_directory, 'timestamp_key')
role1_privkey_path = os.path.join(keystore_directory, 'delegation_key')
root_privkey = \
repo_tool.import_rsa_privatekey_from_file(root_privkey_path, 'password')
targets_privkey = \
repo_tool.import_ed25519_privatekey_from_file(targets_privkey_path, 'password')
snapshot_privkey = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_privkey_path,
'password')
timestamp_privkey = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_privkey_path,
'password')
role1_privkey = \
repo_tool.import_ed25519_privatekey_from_file(role1_privkey_path,
'password')
# (2) Add top-level verification keys.
repository.root.add_verification_key(root_pubkey)
repository.targets.add_verification_key(targets_pubkey)
repository.snapshot.add_verification_key(snapshot_pubkey)
repository.timestamp.add_verification_key(timestamp_pubkey)
# (3) Load top-level signing keys.
repository.root.load_signing_key(root_privkey)
repository.targets.load_signing_key(targets_privkey)
repository.snapshot.load_signing_key(snapshot_privkey)
repository.timestamp.load_signing_key(timestamp_privkey)
# (4) Add target files.
target1 = 'file1.txt'
target2 = 'file2.txt'
target3 = 'file3.txt'
repository.targets.add_target(target1)
repository.targets.add_target(target2)
# (5) Perform delegation.
repository.targets.delegate('role1', [role1_pubkey], [target3])
repository.targets('role1').load_signing_key(role1_privkey)
# (6) Write repository.
repository.writeall()
self.assertTrue(os.path.exists(os.path.join(metadata_directory, 'root.json')))
self.assertTrue(os.path.exists(os.path.join(metadata_directory, '1.root.json')))
# Verify that the expected metadata is written.
root_filepath = os.path.join(metadata_directory, 'root.json')
root_1_filepath = os.path.join(metadata_directory, '1.root.json')
root_2_filepath = os.path.join(metadata_directory, '2.root.json')
old_root_signable = securesystemslib.util.load_json_file(root_filepath)
root_1_signable = securesystemslib.util.load_json_file(root_1_filepath)
# Make a change to the root keys
repository.root.add_verification_key(targets_pubkey)
repository.root.load_signing_key(targets_privkey)
repository.root.threshold = 2
repository.writeall()
new_root_signable = securesystemslib.util.load_json_file(root_filepath)
root_2_signable = securesystemslib.util.load_json_file(root_2_filepath)
for role_signable in [old_root_signable, new_root_signable, root_1_signable, root_2_signable]:
# Raise 'securesystemslib.exceptions.FormatError' if 'role_signable' is an
# invalid signable.
tuf.formats.check_signable_object_format(role_signable)
# Verify contents of versioned roots
self.assertEqual(old_root_signable, root_1_signable)
self.assertEqual(new_root_signable, root_2_signable)
self.assertEqual(root_1_signable['signed']['version'], 1)
self.assertEqual(root_2_signable['signed']['version'], 2)
repository.root.remove_verification_key(root_pubkey)
repository.root.unload_signing_key(root_privkey)
repository.root.threshold = 2
# Errors, not enough signing keys to satisfy old threshold
self.assertRaises(tuf.exceptions.UnsignedMetadataError, repository.writeall)
# No error, write() ignore's root's threshold and allows it to be written
# to disk partially signed.
repository.write('root')
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))
signature = Signature()
signature['keyid'] = rootPublicKey['publicKeyid']
signature['method'] = int(SignatureMethod('ed25519'))
hash = Hash().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))
hash['function'] = int(HashFunction('sha256'))
digest = BinaryData().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))
hexString = hashlib.sha256(encoder.encode(signed)).hexdigest()
digest['hexString'] = hexString
hash['digest'] = digest
signature['hash'] = hash
import tuf.repository_tool as rt
key_root_pub = rt.import_ed25519_publickey_from_file('mainroot.pub')
key_root_pri = rt.import_ed25519_privatekey_from_file('mainroot',
password='******')
import tuf.keys
signed_hash = tuf.keys.create_signature(key_root_pri, hexString)
signature['value'] = signed_hash['sig']
signatures[0] = signature
metadata['signatures'] = signatures
print(metadata.prettyPrint())
before = encoder.encode(metadata)
filename = 'root.cer'
with open(filename, 'wb') as a:
a.write(before)
