def test_generate_and_write_ed25519_keypair(self): # Test normal case. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) test_keypath = os.path.join(temporary_directory, 'ed25519_key') repo_lib.generate_and_write_ed25519_keypair(test_keypath, password='******') self.assertTrue(os.path.exists(test_keypath)) self.assertTrue(os.path.exists(test_keypath + '.pub')) # Ensure the generated key files are importable. imported_pubkey = \ repo_lib.import_ed25519_publickey_from_file(test_keypath + '.pub') self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_pubkey)) imported_privkey = \ repo_lib.import_ed25519_privatekey_from_file(test_keypath, 'pw') self.assertTrue( tuf.formats.ED25519KEY_SCHEMA.matches(imported_privkey)) # Test improperly formatted arguments. self.assertRaises(tuf.FormatError, repo_lib.generate_and_write_ed25519_keypair, 3, password='******') self.assertRaises(tuf.FormatError, repo_lib.generate_and_write_rsa_keypair, test_keypath, password=3)
def test_import_ed25519_privatekey_from_file(self): # Test normal case. # Generate ed25519 keys that can be imported. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) ed25519_keypath = os.path.join(temporary_directory, 'ed25519_key') securesystemslib.interface.generate_and_write_ed25519_keypair( ed25519_keypath, password='******') imported_ed25519_key = \ repo_lib.import_ed25519_privatekey_from_file(ed25519_keypath, 'pw') self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_ed25519_key)) # Test improperly formatted argument. self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.import_ed25519_privatekey_from_file, 3, 'pw') # Test invalid argument. # Non-existent key file. nonexistent_keypath = os.path.join(temporary_directory, 'nonexistent_keypath') self.assertRaises(securesystemslib.exceptions.StorageError, repo_lib.import_ed25519_privatekey_from_file, nonexistent_keypath, 'pw') # Invalid key file argument. invalid_keyfile = os.path.join(temporary_directory, 'invalid_keyfile') with open(invalid_keyfile, 'wb') as file_object: file_object.write(b'bad keyfile') self.assertRaises(securesystemslib.exceptions.Error, repo_lib.import_ed25519_privatekey_from_file, invalid_keyfile, 'pw') # Invalid private key imported (contains unexpected keytype.) imported_ed25519_key['keytype'] = 'invalid_keytype' # Use 'rsa_keys.py' to bypass the key format validation performed by # 'keys.py'. salt, iterations, derived_key = \ securesystemslib.rsa_keys._generate_derived_key('pw') # Store the derived key info in a dictionary, the object expected # by the non-public _encrypt() routine. derived_key_information = {'salt': salt, 'iterations': iterations, 'derived_key': derived_key} # Convert the key object to json string format and encrypt it with the # derived key. encrypted_key = securesystemslib.rsa_keys._encrypt( json.dumps(imported_ed25519_key), derived_key_information) with open(ed25519_keypath, 'wb') as file_object: file_object.write(encrypted_key.encode('utf-8')) self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.import_ed25519_privatekey_from_file, ed25519_keypath, 'pw')
def test_sign_metadata(self): # Test normal case. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) metadata_path = os.path.join('repository_data', 'repository', 'metadata') keystore_path = os.path.join('repository_data', 'keystore') root_filename = os.path.join(metadata_path, 'root.json') root_metadata = tuf.util.load_json_file(root_filename)['signed'] tuf.keydb.create_keydb_from_root_metadata(root_metadata) tuf.roledb.create_roledb_from_root_metadata(root_metadata) root_keyids = tuf.roledb.get_role_keyids('root') root_private_keypath = os.path.join(keystore_path, 'root_key') root_private_key = \ repo_lib.import_rsa_privatekey_from_file(root_private_keypath, 'password') # Sign with a valid, but not a threshold, key. targets_private_keypath = os.path.join(keystore_path, 'targets_key') targets_private_key = \ repo_lib.import_ed25519_privatekey_from_file(targets_private_keypath, 'password') # sign_metadata() expects the private key 'root_metadata' to be in # 'tuf.keydb'. Remove any public keys that may be loaded before # adding private key, otherwise a 'tuf.KeyAlreadyExists' exception is # raised. tuf.keydb.remove_key(root_private_key['keyid']) tuf.keydb.add_key(root_private_key) tuf.keydb.remove_key(targets_private_key['keyid']) tuf.keydb.add_key(targets_private_key) root_keyids.extend(tuf.roledb.get_role_keyids('targets')) # Add the snapshot's public key (to test whether non-private keys are # ignored by sign_metadata()). root_keyids.extend(tuf.roledb.get_role_keyids('snapshot')) root_signable = repo_lib.sign_metadata(root_metadata, root_keyids, root_filename) self.assertTrue(tuf.formats.SIGNABLE_SCHEMA.matches(root_signable)) # Test improperly formatted arguments. self.assertRaises(tuf.FormatError, repo_lib.sign_metadata, 3, root_keyids, 'root.json') self.assertRaises(tuf.FormatError, repo_lib.sign_metadata, root_metadata, 3, 'root.json') self.assertRaises(tuf.FormatError, repo_lib.sign_metadata, root_metadata, root_keyids, 3)
def test_import_ed25519_privatekey_from_file(self): # Test normal case. # Generate ed25519 keys that can be imported. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) ed25519_keypath = os.path.join(temporary_directory, "ed25519_key") repo_lib.generate_and_write_ed25519_keypair(ed25519_keypath, password="******") imported_ed25519_key = repo_lib.import_ed25519_privatekey_from_file(ed25519_keypath, "pw") self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_ed25519_key)) # Test improperly formatted argument. self.assertRaises(tuf.FormatError, repo_lib.import_ed25519_privatekey_from_file, 3, "pw") # Test invalid argument. # Non-existent key file. nonexistent_keypath = os.path.join(temporary_directory, "nonexistent_keypath") self.assertRaises(IOError, repo_lib.import_ed25519_privatekey_from_file, nonexistent_keypath, "pw") # Invalid key file argument. invalid_keyfile = os.path.join(temporary_directory, "invalid_keyfile") with open(invalid_keyfile, "wb") as file_object: file_object.write(b"bad keyfile") self.assertRaises(tuf.Error, repo_lib.import_ed25519_privatekey_from_file, invalid_keyfile, "pw") # Invalid private key imported (contains unexpected keytype.) imported_ed25519_key["keytype"] = "invalid_keytype" # Use 'pycrypto_keys.py' to bypass the key format validation performed by # 'keys.py'. salt, iterations, derived_key = tuf.pycrypto_keys._generate_derived_key("pw") # Store the derived key info in a dictionary, the object expected # by the non-public _encrypt() routine. derived_key_information = {"salt": salt, "iterations": iterations, "derived_key": derived_key} # Convert the key object to json string format and encrypt it with the # derived key. encrypted_key = tuf.pycrypto_keys._encrypt(json.dumps(imported_ed25519_key), derived_key_information) with open(ed25519_keypath, "wb") as file_object: file_object.write(encrypted_key.encode("utf-8")) self.assertRaises(tuf.FormatError, repo_lib.import_ed25519_privatekey_from_file, ed25519_keypath, "pw")
def test_generate_and_write_ed25519_keypair(self): # Test normal case. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) test_keypath = os.path.join(temporary_directory, "ed25519_key") repo_lib.generate_and_write_ed25519_keypair(test_keypath, password="******") self.assertTrue(os.path.exists(test_keypath)) self.assertTrue(os.path.exists(test_keypath + ".pub")) # Ensure the generated key files are importable. imported_pubkey = repo_lib.import_ed25519_publickey_from_file(test_keypath + ".pub") self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_pubkey)) imported_privkey = repo_lib.import_ed25519_privatekey_from_file(test_keypath, "pw") self.assertTrue(tuf.formats.ED25519KEY_SCHEMA.matches(imported_privkey)) # Test improperly formatted arguments. self.assertRaises(tuf.FormatError, repo_lib.generate_and_write_ed25519_keypair, 3, password="******") self.assertRaises(tuf.FormatError, repo_lib.generate_and_write_rsa_keypair, test_keypath, password=3)
def import_ed25519_privatekey_from_file(filepath, password): return repo_lib.import_ed25519_privatekey_from_file(filepath, password)