def generate_rsa_keys(passwords):
"""Return the IDs of RSA keys encrypted in order with the given passwords."""
rsa_keys = []
for password in passwords:
# Generate the RSA key and save it to 'keystore_directory'.
rsa_key = \
signerlib.generate_and_save_rsa_key(keystore_directory=KEYSTORE_DIRECTORY,
password=password, bits=KEY_SIZE)
rsa_key_id = rsa_key['keyid']
rsa_keys.append(rsa_key_id)
return rsa_keys
def generate_rsa_keys(passwords):
"""Return the IDs of RSA keys encrypted in order with the given passwords."""
rsa_keys = []
for password in passwords:
# Generate the RSA key and save it to 'keystore_directory'.
rsa_key = \
signerlib.generate_and_save_rsa_key(keystore_directory=KEYSTORE_DIRECTORY,
password=password, bits=KEY_SIZE)
rsa_key_id = rsa_key['keyid']
rsa_keys.append(rsa_key_id)
return rsa_keys
def test_1_generate_and_save_rsa_key(self):
"""
generate_and_save_rsa_key() is independent from all the other methods in
signerlib. In order to test this method all we need is to create a temp
directory and a sample password.
"""
# SETUP
keystore_dir = self.make_temp_directory()
password = self.random_string()
# TESTS
# Test: Run generate_and_save_rsa_key().
rsakey = signerlib.generate_and_save_rsa_key(keystore_dir, password)
self.assertTrue(formats.RSAKEY_SCHEMA.matches(rsakey))
# Test: Check if rsa key file was created.
key_path = os.path.join(keystore_dir, rsakey["keyid"] + ".key")
self.assertTrue(os.path.exists(key_path))
def test_1_generate_and_save_rsa_key(self):
"""
generate_and_save_rsa_key() is independent from all the other methods in
signerlib. In order to test this method all we need is to create a temp
directory and a sample password.
"""
# SETUP
keystore_dir = self.make_temp_directory()
password = self.random_string()
# TESTS
# Test: Run generate_and_save_rsa_key().
rsakey = signerlib.generate_and_save_rsa_key(keystore_dir, password)
self.assertTrue(formats.RSAKEY_SCHEMA.matches(rsakey))
# Test: Check if rsa key file was created.
key_path = os.path.join(keystore_dir, rsakey['keyid'] + '.key')
self.assertTrue(os.path.exists(key_path))
def _make_delegation(rolename):
expiration_date = tuf.formats.format_time(time.time()+86400)
expiration_date = expiration_date[0:expiration_date.rfind(' UTC')]
# Indicate which file client downloads.
rel_filepath = os.path.relpath(roles[rolename]['filepath'], reg_repo)
roles[rolename]['target_path'] = os.path.join(targets_dir, rel_filepath)
rolepath, file_basename = os.path.split(roles[rolename]['filepath'])
junk, role_relpath = os.path.split(rolepath)
roles[rolename]['targets_dir'] = os.path.join(targets_dir, role_relpath)
roles[rolename]['metadata_dir'] = os.path.join(metadata_dir, 'targets')
# Create a key to sign a new delegated role.
password = roles[rolename]['password'][0]
key = signerlib.generate_and_save_rsa_key(keystore_dir, password)
roles[rolename]['keyid'] = [key['keyid']]
roles[rolename]['dest_path'] = os.path.join(downloads_dir, file_basename)
# Create delegation one.
util_test_tools.create_delegation(tuf_repo,
roles[rolename]['targets_dir'],
roles[rolename]['keyid'], password,
'targets', rolename, expiration_date)
# Update TUF repository.
# util_test_tools.make_targets_meta(root_repo)
util_test_tools.make_release_meta(root_repo)
util_test_tools.make_timestamp_meta(root_repo)
# Modify the url. Remember that the interposition will intercept
# urls that have 'localhost:9999' hostname, which was specified in
# the json interposition configuration file. Look for 'hostname'
# in 'util_test_tools.py'. Further, the 'file_basename' is the target
# path relative to 'targets_dir'.
roles[rolename]['url'] = 'http://localhost:9999/'+rel_filepath
# Perform a client download.
urllib_tuf.urlretrieve(roles[rolename]['url'],
roles[rolename]['dest_path'])
def init_tuf(root_repo):
"""
<Purpose>
Setup TUF directory structure and populated it with TUF metadata and
congfiguration files.
"""
threshold = 1
global version
version = version+1
expiration = tuf.formats.format_time(time.time()+86400)
# Setup TUF-repo directory structure.
tuf_repo = os.path.join(root_repo, 'tuf_repo')
keystore_dir = os.path.join(tuf_repo, 'keystore')
metadata_dir = os.path.join(tuf_repo, 'metadata')
targets_dir = os.path.join(tuf_repo, 'targets')
os.mkdir(tuf_repo)
os.mkdir(keystore_dir)
os.mkdir(metadata_dir)
shutil.copytree(os.path.join(root_repo, 'reg_repo'), targets_dir)
# Setting TUF-client directory structure.
# 'tuf.client.updater.py' expects the 'current' and 'previous'
# directories to exist under client's 'metadata' directory.
tuf_client = os.path.join(root_repo, 'tuf_client')
tuf_client_metadata_dir = os.path.join(tuf_client, 'metadata')
current_dir = os.path.join(tuf_client_metadata_dir, 'current')
previous_dir = os.path.join(tuf_client_metadata_dir, 'previous')
os.makedirs(tuf_client_metadata_dir)
# Generate at least one rsa key.
key = signerlib.generate_and_save_rsa_key(keystore_dir, PASSWD)
keyids = [key['keyid']]
# Set role info.
info = {'keyids': [key['keyid']], 'threshold': threshold}
# 'role_info' dictionary looks like this:
# {role : {'keyids : [keyid1, ...] , 'threshold' : 1}}
# In our case 'role_info[keyids]' will only have on entry since only one
# is being used.
role_info = {}
role_list = ['root', 'targets', 'release', 'timestamp']
for role in role_list:
role_info[role] = info
# At this point there is enough information to create TUF configuration
# and metadata files.
# Build the configuration file.
conf_path = signerlib.build_config_file(metadata_dir, 365, role_info)
# Generate the 'root.txt' metadata file.
signerlib.build_root_file(conf_path, keyids, metadata_dir, version)
# Generate the 'targets.txt' metadata file.
signerlib.build_targets_file([targets_dir], keyids, metadata_dir, version,
expiration)
# Generate the 'release.txt' metadata file.
signerlib.build_release_file(keyids, metadata_dir, version, expiration)
# Generate the 'timestamp.txt' metadata file.
signerlib.build_timestamp_file(keyids, metadata_dir, version, expiration)
# Move the metadata to the client's 'current' and 'previous' directories.
shutil.copytree(metadata_dir, current_dir)
shutil.copytree(metadata_dir, previous_dir)
# The repository is now setup!
return keyids
def setUp(self):
"""
The target delegations tree is fixed as such:
targets -> [T1, T2]
T1 -> [T3]
"""
global version
version = version+1
expiration = tuf.formats.format_time(time.time()+86400)
root_repo, url, server_proc, keyids = util_test_tools.init_repo(tuf=True)
# Server side repository.
tuf_repo = os.path.join(root_repo, 'tuf_repo')
keystore_dir = os.path.join(tuf_repo, 'keystore')
metadata_dir = os.path.join(tuf_repo, 'metadata')
targets_dir = os.path.join(tuf_repo, 'targets')
# We need to provide clients with a way to reach the tuf repository.
tuf_repo_relpath = os.path.basename(tuf_repo)
tuf_url = url+tuf_repo_relpath
# Add files to the server side repository.
# target1 = 'targets_dir/[random].txt'
# target2 = 'targets_dir/[random].txt'
add_target = util_test_tools.add_file_to_repository
target1_path = add_target(targets_dir, data='target1')
target2_path = add_target(targets_dir, data='target2')
# Target paths relative to the 'targets_dir'.
# Ex: targetX = 'targets/delegator/delegatee.txt'
target1 = os.path.relpath(target1_path, tuf_repo)
target2 = os.path.relpath(target2_path, tuf_repo)
# Relative to repository's targets directory.
target_filepaths = [target1, target2]
# Store in self only the variables relevant for tests.
self.root_repo = root_repo
self.tuf_repo = tuf_repo
self.server_proc = server_proc
self.target_filepaths = target_filepaths
# Targets delegated from A to B.
self.delegated_targets = {}
# Targets actually signed by B.
self.signed_targets = {}
self.mirrors = {
"mirror1": {
"url_prefix": tuf_url,
"metadata_path": "metadata",
"targets_path": "targets",
"confined_target_dirs": [""]
}
}
# Aliases for targets roles.
self.T0 = 'targets'
self.T1 = 'targets/T1'
self.T2 = 'targets/T2'
self.T3 = 'targets/T1/T3'
# Get tracked and assigned targets, and generate targets metadata.
self.make_targets_metadata()
assert hasattr(self, 'T0_metadata')
assert hasattr(self, 'T1_metadata')
assert hasattr(self, 'T2_metadata')
assert hasattr(self, 'T3_metadata')
# Make delegation directories at the server's repository.
metadata_targets_dir = os.path.join(metadata_dir, 'targets')
metadata_T1_dir = os.path.join(metadata_targets_dir, 'T1')
os.makedirs(metadata_T1_dir)
# Delegations metadata paths for the 3 delegated targets roles.
T0_path = os.path.join(metadata_dir, 'targets.txt')
T1_path = os.path.join(metadata_targets_dir, 'T1.txt')
T2_path = os.path.join(metadata_targets_dir, 'T2.txt')
T3_path = os.path.join(metadata_T1_dir, 'T3.txt')
# Generate RSA keys for the 3 delegatees.
key1 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T1')
key2 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T2')
key3 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T3')
# ID for each of the 3 keys.
key1_id = key1['keyid']
key2_id = key2['keyid']
key3_id = key3['keyid']
# ID, in a list, for each of the 3 keys.
key1_ids = [key1_id]
key2_ids = [key2_id]
key3_ids = [key3_id]
# Public-key JSON for each of the 3 keys.
key1_val = tuf.rsa_key.create_in_metadata_format(key1['keyval'])
key2_val = tuf.rsa_key.create_in_metadata_format(key2['keyval'])
key3_val = tuf.rsa_key.create_in_metadata_format(key3['keyval'])
# Create delegation role metadata for each of the 3 delegated targets roles.
make_role_metadata = tuf.formats.make_role_metadata
T1_targets = self.relpath_from_targets(self.delegated_targets[self.T1])
T1_role = make_role_metadata(key1_ids, 1, name=self.T1, paths=T1_targets)
T2_targets = self.relpath_from_targets(self.delegated_targets[self.T2])
T2_role = make_role_metadata(key2_ids, 1, name=self.T2, paths=T2_targets)
T3_targets = self.relpath_from_targets(self.delegated_targets[self.T3])
T3_role = make_role_metadata(key3_ids, 1, name=self.T3, paths=T3_targets)
# Assign 'delegations' object for 'targets':
self.T0_metadata['signed']['delegations'] = {
'keys': {key1_id: key1_val, key2_id: key2_val},
'roles': [T1_role, T2_role]
}
# Assign 'delegations' object for 'targets/T1':
self.T1_metadata['signed']['delegations'] = {
'keys': {key3_id: key3_val},
'roles': [T3_role]
}
sign = signerlib.sign_metadata
write = signerlib.write_metadata_file
# Sign new metadata objects.
T0_signable = sign(self.T0_metadata, keyids, T0_path)
T1_signable = sign(self.T1_metadata, key1_ids, T1_path)
T2_signable = sign(self.T2_metadata, key2_ids, T2_path)
T3_signable = sign(self.T3_metadata, key3_ids, T3_path)
# Save new metadata objects.
write(T0_signable, T0_path)
write(T1_signable, T1_path)
write(T2_signable, T2_path)
write(T3_signable, T3_path)
# Timestamp a new release to reflect latest targets.
signerlib.build_release_file(keyids, metadata_dir, version, expiration)
signerlib.build_timestamp_file(keyids, metadata_dir, version, expiration)
# Unload all keys.
keystore.clear_keystore()
def setUp(self):
"""
The target delegations tree is fixed as such:
targets -> [T1, T2]
T1 -> [T3]
"""
global version
version = version + 1
expiration = tuf.formats.format_time(time.time() + 86400)
root_repo, url, server_proc, keyids = util_test_tools.init_repo(
tuf=True)
# Server side repository.
tuf_repo = os.path.join(root_repo, 'tuf_repo')
keystore_dir = os.path.join(tuf_repo, 'keystore')
metadata_dir = os.path.join(tuf_repo, 'metadata')
targets_dir = os.path.join(tuf_repo, 'targets')
# We need to provide clients with a way to reach the tuf repository.
tuf_repo_relpath = os.path.basename(tuf_repo)
tuf_url = url + tuf_repo_relpath
# Add files to the server side repository.
# target1 = 'targets_dir/[random].txt'
# target2 = 'targets_dir/[random].txt'
add_target = util_test_tools.add_file_to_repository
target1_path = add_target(targets_dir, data='target1')
target2_path = add_target(targets_dir, data='target2')
# Target paths relative to the 'targets_dir'.
# Ex: targetX = 'targets/delegator/delegatee.txt'
target1 = os.path.relpath(target1_path, tuf_repo)
target2 = os.path.relpath(target2_path, tuf_repo)
# Relative to repository's targets directory.
target_filepaths = [target1, target2]
# Store in self only the variables relevant for tests.
self.root_repo = root_repo
self.tuf_repo = tuf_repo
self.server_proc = server_proc
self.target_filepaths = target_filepaths
# Targets delegated from A to B.
self.delegated_targets = {}
# Targets actually signed by B.
self.signed_targets = {}
self.mirrors = {
"mirror1": {
"url_prefix": tuf_url,
"metadata_path": "metadata",
"targets_path": "targets",
"confined_target_dirs": [""]
}
}
# Aliases for targets roles.
self.T0 = 'targets'
self.T1 = 'targets/T1'
self.T2 = 'targets/T2'
self.T3 = 'targets/T1/T3'
# Get tracked and assigned targets, and generate targets metadata.
self.make_targets_metadata()
assert hasattr(self, 'T0_metadata')
assert hasattr(self, 'T1_metadata')
assert hasattr(self, 'T2_metadata')
assert hasattr(self, 'T3_metadata')
# Make delegation directories at the server's repository.
metadata_targets_dir = os.path.join(metadata_dir, 'targets')
metadata_T1_dir = os.path.join(metadata_targets_dir, 'T1')
os.makedirs(metadata_T1_dir)
# Delegations metadata paths for the 3 delegated targets roles.
T0_path = os.path.join(metadata_dir, 'targets.txt')
T1_path = os.path.join(metadata_targets_dir, 'T1.txt')
T2_path = os.path.join(metadata_targets_dir, 'T2.txt')
T3_path = os.path.join(metadata_T1_dir, 'T3.txt')
# Generate RSA keys for the 3 delegatees.
key1 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T1')
key2 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T2')
key3 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T3')
# ID for each of the 3 keys.
key1_id = key1['keyid']
key2_id = key2['keyid']
key3_id = key3['keyid']
# ID, in a list, for each of the 3 keys.
key1_ids = [key1_id]
key2_ids = [key2_id]
key3_ids = [key3_id]
# Public-key JSON for each of the 3 keys.
key1_val = tuf.rsa_key.create_in_metadata_format(key1['keyval'])
key2_val = tuf.rsa_key.create_in_metadata_format(key2['keyval'])
key3_val = tuf.rsa_key.create_in_metadata_format(key3['keyval'])
# Create delegation role metadata for each of the 3 delegated targets roles.
make_role_metadata = tuf.formats.make_role_metadata
T1_targets = self.relpath_from_targets(self.delegated_targets[self.T1])
T1_role = make_role_metadata(key1_ids,
1,
name=self.T1,
paths=T1_targets)
T2_targets = self.relpath_from_targets(self.delegated_targets[self.T2])
T2_role = make_role_metadata(key2_ids,
1,
name=self.T2,
paths=T2_targets)
T3_targets = self.relpath_from_targets(self.delegated_targets[self.T3])
T3_role = make_role_metadata(key3_ids,
1,
name=self.T3,
paths=T3_targets)
# Assign 'delegations' object for 'targets':
self.T0_metadata['signed']['delegations'] = {
'keys': {
key1_id: key1_val,
key2_id: key2_val
},
'roles': [T1_role, T2_role]
}
# Assign 'delegations' object for 'targets/T1':
self.T1_metadata['signed']['delegations'] = {
'keys': {
key3_id: key3_val
},
'roles': [T3_role]
}
sign = signerlib.sign_metadata
write = signerlib.write_metadata_file
# Sign new metadata objects.
T0_signable = sign(self.T0_metadata, keyids, T0_path)
T1_signable = sign(self.T1_metadata, key1_ids, T1_path)
T2_signable = sign(self.T2_metadata, key2_ids, T2_path)
T3_signable = sign(self.T3_metadata, key3_ids, T3_path)
# Save new metadata objects.
write(T0_signable, T0_path)
write(T1_signable, T1_path)
write(T2_signable, T2_path)
write(T3_signable, T3_path)
# Timestamp a new release to reflect latest targets.
signerlib.build_release_file(keyids, metadata_dir, version, expiration)
signerlib.build_timestamp_file(keyids, metadata_dir, version,
expiration)
# Unload all keys.
keystore.clear_keystore()
def init_tuf(root_repo):
"""
<Purpose>
Setup TUF directory structure and populated it with TUF metadata and
congfiguration files.
"""
threshold = 1
global version
version = version + 1
expiration = tuf.formats.format_time(time.time() + 86400)
# Setup TUF-repo directory structure.
tuf_repo = os.path.join(root_repo, 'tuf_repo')
keystore_dir = os.path.join(tuf_repo, 'keystore')
metadata_dir = os.path.join(tuf_repo, 'metadata')
targets_dir = os.path.join(tuf_repo, 'targets')
os.mkdir(tuf_repo)
os.mkdir(keystore_dir)
os.mkdir(metadata_dir)
shutil.copytree(os.path.join(root_repo, 'reg_repo'), targets_dir)
# Setting TUF-client directory structure.
# 'tuf.client.updater.py' expects the 'current' and 'previous'
# directories to exist under client's 'metadata' directory.
tuf_client = os.path.join(root_repo, 'tuf_client')
tuf_client_metadata_dir = os.path.join(tuf_client, 'metadata')
current_dir = os.path.join(tuf_client_metadata_dir, 'current')
previous_dir = os.path.join(tuf_client_metadata_dir, 'previous')
os.makedirs(tuf_client_metadata_dir)
# Generate at least one rsa key.
key = signerlib.generate_and_save_rsa_key(keystore_dir, PASSWD)
keyids = [key['keyid']]
# Set role info.
info = {'keyids': [key['keyid']], 'threshold': threshold}
# 'role_info' dictionary looks like this:
# {role : {'keyids : [keyid1, ...] , 'threshold' : 1}}
# In our case 'role_info[keyids]' will only have on entry since only one
# is being used.
role_info = {}
role_list = ['root', 'targets', 'release', 'timestamp']
for role in role_list:
role_info[role] = info
# At this point there is enough information to create TUF configuration
# and metadata files.
# Build the configuration file.
conf_path = signerlib.build_config_file(metadata_dir, 365, role_info)
# Generate the 'root.txt' metadata file.
signerlib.build_root_file(conf_path, keyids, metadata_dir, version)
# Generate the 'targets.txt' metadata file.
signerlib.build_targets_file([targets_dir], keyids, metadata_dir, version,
expiration)
# Generate the 'release.txt' metadata file.
signerlib.build_release_file(keyids, metadata_dir, version, expiration)
# Generate the 'timestamp.txt' metadata file.
signerlib.build_timestamp_file(keyids, metadata_dir, version, expiration)
# Move the metadata to the client's 'current' and 'previous' directories.
shutil.copytree(metadata_dir, current_dir)
shutil.copytree(metadata_dir, previous_dir)
# The repository is now setup!
return keyids
def init_tuf(root_repo, url, port):
"""
<Purpose>
Setup TUF directory structure and populated it with TUF metadata and
congfiguration files.
"""
passwd = 'test'
threshold = 1
# Setup TUF-repo directory structure.
tuf_repo = os.path.join(root_repo, 'tuf_repo')
keystore_dir = os.path.join(tuf_repo, 'keystore')
metadata_dir = os.path.join(tuf_repo, 'metadata')
targets_dir = os.path.join(tuf_repo, 'targets')
os.mkdir(tuf_repo)
os.mkdir(keystore_dir)
os.mkdir(metadata_dir)
shutil.copytree(os.path.join(root_repo, 'reg_repo'), targets_dir)
# Setting TUF-client directory structure.
# 'tuf.client.updater.py' expects the 'current' and 'previous'
# directories to exist under client's 'metadata' directory.
tuf_client = os.path.join(root_repo, 'tuf_client')
tuf_client_metadata_dir = os.path.join(tuf_client, 'metadata')
current_dir = os.path.join(tuf_client_metadata_dir, 'current')
previous_dir = os.path.join(tuf_client_metadata_dir, 'previous')
os.makedirs(tuf_client_metadata_dir)
# Generate at least one rsa key.
key = signerlib.generate_and_save_rsa_key(keystore_dir, passwd)
keyids = [key['keyid']]
# Set role info.
info = {'keyids': [key['keyid']], 'threshold': threshold}
# 'role_info' dictionary looks like this:
# {role : {'keyids : [keyid1, ...] , 'threshold' : 1}}
# In our case 'role_info[keyids]' will only have on entry since only one
# is being used.
role_info = {}
role_list = ['root', 'targets', 'release', 'timestamp']
for role in role_list:
role_info[role] = info
# At this point there is enough information to create TUF configuration
# and metadata files.
# Build the configuration file.
conf_path = signerlib.build_config_file(metadata_dir, 365, role_info)
# Generate the 'root.txt' metadata file.
signerlib.build_root_file(conf_path, keyids, metadata_dir)
# Generate the 'targets.txt' metadata file.
signerlib.build_targets_file(targets_dir, keyids, metadata_dir)
# Generate the 'release.txt' metadata file.
signerlib.build_release_file(keyids, metadata_dir)
# Generate the 'timestamp.txt' metadata file.
signerlib.build_timestamp_file(keyids, metadata_dir)
# Move the metadata to the client's 'current' and 'previous' directories.
shutil.copytree(metadata_dir, current_dir)
shutil.copytree(metadata_dir, previous_dir)
# The repository is now setup!
# Here is a mirrors dictionary that will allow a client to seek out
# places to download the metadata and targets from.
tuf_repo_relpath = os.path.basename(tuf_repo)
tuf_url = url+tuf_repo_relpath
mirrors = {'mirror1': {'url_prefix': tuf_url,
'metadata_path': 'metadata',
'targets_path': 'targets',
'confined_target_dirs': ['']}}
# Adjusting configuration file (tuf.conf.py).
tuf.conf.repository_directory = tuf_client
# In order to implement interposition we need to have a config file with
# the following dictionary JSON-serialized.
# tuf_url: http://localhost:port/root_repo/tuf_repo/
hostname = 'localhost:9999'
interposition_dict = {"configurations":
{hostname:
{"repository_directory": tuf_client+'/',
"repository_mirrors" :
{"mirror1":
{"url_prefix": tuf_url,
"metadata_path": "metadata",
"targets_path": "targets",
"confined_target_dirs": [ "" ]}}}}}
# "target_paths": [ { "(.*\\.html)": "{0}" } ]
junk, interpose_json = tempfile.mkstemp(prefix='conf_', dir=root_repo)
with open(interpose_json, 'wb') as fileobj:
tuf.util.json.dump(interposition_dict, fileobj)
tuf.interposition.configure(filename=interpose_json)
return keyids