def ready(self): import director.director as director if not os.path.exists(settings.DIRECTOR_REPO): os.makedirs(settings.DIRECTOR_REPO) keys_pri = {} keys_pub = {} for role in ['root', 'timestamp', 'snapshot']: keys_pri[role] = rt.import_ed25519_privatekey_from_file( os.path.join(settings.KEY_PATH, 'director' + role), password='******') keys_pub[role] = rt.import_ed25519_publickey_from_file( os.path.join(settings.KEY_PATH, 'director' + role + '.pub')) # Because the demo's Director targets key is not named correctly.... # TODO: Remove this and add 'targets' back to the role list above when # the key is correctly renamed. keys_pri['targets'] = rt.import_ed25519_privatekey_from_file( os.path.join(settings.KEY_PATH, 'director'), password='******') keys_pub['targets'] = rt.import_ed25519_publickey_from_file( os.path.join(settings.KEY_PATH, 'director.pub')) settings.DIRECTOR = director.Director( settings.DIRECTOR_REPO, keys_pri['root'], keys_pub['root'], keys_pri['timestamp'], keys_pub['timestamp'], keys_pri['snapshot'], keys_pub['snapshot'], keys_pri['targets'], keys_pub['targets'])
def _load_role_keys(keystore_directory): # Populating 'self.role_keys' by importing the required public and private # keys of 'tuf/tests/repository_data/'. The role keys are needed when # modifying the remote repository used by the test cases in this unit test. # The pre-generated key files in 'repository_data/keystore' are all encrypted with # a 'password' passphrase. EXPECTED_KEYFILE_PASSWORD = '******' # Store and return the cryptography keys of the top-level roles, including 1 # delegated role. role_keys = {} root_key_file = os.path.join(keystore_directory, 'root_key') targets_key_file = os.path.join(keystore_directory, 'targets_key') snapshot_key_file = os.path.join(keystore_directory, 'snapshot_key') timestamp_key_file = os.path.join(keystore_directory, 'timestamp_key') delegation_key_file = os.path.join(keystore_directory, 'delegation_key') role_keys = { 'root': {}, 'targets': {}, 'snapshot': {}, 'timestamp': {}, 'role1': {} } # Import the top-level and delegated role public keys. role_keys['root']['public'] = \ repo_tool.import_rsa_publickey_from_file(root_key_file+'.pub') role_keys['targets']['public'] = \ repo_tool.import_ed25519_publickey_from_file(targets_key_file + '.pub') role_keys['snapshot']['public'] = \ repo_tool.import_ed25519_publickey_from_file(snapshot_key_file + '.pub') role_keys['timestamp']['public'] = \ repo_tool.import_ed25519_publickey_from_file(timestamp_key_file + '.pub') role_keys['role1']['public'] = \ repo_tool.import_ed25519_publickey_from_file(delegation_key_file + '.pub') # Import the private keys of the top-level and delegated roles. role_keys['root']['private'] = \ repo_tool.import_rsa_privatekey_from_file(root_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['targets']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(targets_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['snapshot']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(snapshot_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['timestamp']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(timestamp_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['role1']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(delegation_key_file, EXPECTED_KEYFILE_PASSWORD) return role_keys
def ready(self): settings.REPO=rt.create_new_repository(settings.IMAGE_REPO) keys_pri = {} keys_pub = {} for role in ['root', 'timestamp', 'snapshot']: keys_pri[role] = rt.import_ed25519_privatekey_from_file(os.path.join(settings.KEY_PATH, 'director' + role),password='******') keys_pub[role] = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'director' + role + '.pub')) # Because the demo's Director targets key is not named correctly.... # TODO: Remove this and add 'targets' back to the role list above when # the key is correctly renamed. keys_pri['targets'] = rt.import_ed25519_privatekey_from_file(os.path.join(settings.KEY_PATH, 'director'),password='******') keys_pub['targets'] = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'director.pub')) settings.REPO.root.add_verification_key(keys_pub['root']) settings.REPO.timestamp.add_verification_key(keys_pub['timestamp']) settings.REPO.snapshot.add_verification_key(keys_pub['snapshot']) settings.REPO.targets.add_verification_key(keys_pub['targets']) settings.REPO.root.load_signing_key(keys_pri['root']) settings.REPO.timestamp.load_signing_key(keys_pri['timestamp']) settings.REPO.snapshot.load_signing_key(keys_pri['snapshot']) settings.REPO.targets.load_signing_key(keys_pri['targets']) repo_dir=settings.IMAGE_REPO targets_json=os.path.join(repo_dir,'metadata','targets.json') if os.path.exists(targets_json): f=open(targets_json) targets_meta=json.loads(f.read()) f.close() targets=targets_meta['signed']['targets'] for key in targets.keys(): filepath=os.path.join(repo_dir,'targets',key[1:]) if os.path.exists(filepath): settings.REPO.targets.add_target(filepath) settings.REPO.mark_dirty(['timestamp', 'snapshot']) settings.REPO.write() # will be writeall() in most recent TUF branch # Move staged metadata (from the write above) to live metadata directory. if os.path.exists(os.path.join(settings.IMAGE_REPO, 'metadata')): shutil.rmtree(os.path.join(settings.IMAGE_REPO, 'metadata')) shutil.copytree( os.path.join(settings.IMAGE_REPO, 'metadata.staged'), os.path.join(settings.IMAGE_REPO, 'metadata'))
def write_and_import_keypair(filename): pathpriv = 'tufkeystore/{}_key'.format(filename) pathpub = '{}.pub'.format(pathpriv) rt.generate_and_write_ed25519_keypair(password='******', filepath=pathpriv) public_key = rt.import_ed25519_publickey_from_file(pathpub) private_key = rt.import_ed25519_privatekey_from_file(password='******', filepath=pathpriv) return (public_key, private_key)
def loadkey(filename): pathpriv = 'tufkeystore/{}_key'.format(filename) pathpub = '{}.pub'.format(pathpriv) public_key = rt.import_ed25519_publickey_from_file(pathpub) private_key = rt.import_ed25519_privatekey_from_file(password='******', filepath=pathpriv) return (public_key, private_key)
def test(self): vin = 'democar' settings.DIRECTOR.add_new_vehicle(vin) primary_serial = 'INFOdemocar' secondary_serial = 'TCUdemocar' primary_pub = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'primary.pub')) secondary_pub = rt.import_ed25519_publickey_from_file(os.path.join(settings.KEY_PATH, 'secondary.pub')) settings.DIRECTOR.register_ecu_serial(primary_serial,primary_pub,vin,True) settings.DIRECTOR.register_ecu_serial(secondary_serial,secondary_pub,vin,False) manifest_json = { "signatures": [{ "keyid": "9a406d99e362e7c93e7acfe1e4d6585221315be817f350c026bbee84ada260da", "method": "ed25519", "sig": "335272f77357dc0e9f1b74d72eb500e4ff0f443f824b83405e2b21264778d1610e0a5f2663b90eda8ab05a28b5b64fc15514020985d8a93576fe33b287e1380f"}], "signed": { "primary_ecu_serial": "INFOdemocar", "vin": "democar", "ecu_version_manifests": { "TCUdemocar": [{ "signatures": [{ "keyid": "49309f114b857e4b29bfbff1c1c75df59f154fbc45539b2eb30c8a867843b2cb", "method": "ed25519", "sig": "fd04c1edb0ddf1089f0d3fc1cd460af584e548b230d9c290deabfaf29ce5636b6b897eaa97feb64147ac2214c176bbb1d0fa8bb9c623011a0e48d258eb3f9108"}], "signed": { "attacks_detected": "", "ecu_serial": "TCUdemocar", "previous_timeserver_time": "2017-05-18T16:37:46Z", "timeserver_time": "2017-05-18T16:37:48Z", "installed_image": { "filepath": "/secondary_firmware.txt", "fileinfo": { "length": 37, "hashes": { "sha256": "6b9f987226610bfed08b824c93bf8b2f59521fce9a2adef80c495f363c1c9c44", "sha512": "706c283972c5ae69864b199e1cdd9b4b8babc14f5a454d0fd4d3b35396a04ca0b40af731671b74020a738b5108a78deb032332c36d6ae9f31fae2f8a70f7e1ce"}}}}}]}}} settings.DIRECTOR.register_vehicle_manifest('democar', 'INFOdemocar', manifest_json) settings.DIRECTOR.register_vehicle_manifest('democar', 'TCUdemocar', manifest_json)
def import_keypair(name): dir = path.join(os.getcwd(), 'keys') private_path = path.join(dir, name) public_path = private_path + '.pub' # Load the keys into TUF. public = rt.import_ed25519_publickey_from_file(public_path) private = rt.import_ed25519_privatekey_from_file(private_path, password='******') return (public, private)
def import_public_key(keyname): """ Import a public key according to the demo's current default key config. The keyname does not include '.pub'; it matches that used for the other functions here. Key type: ed25519 Key location: DEMO_KEYS_DIR """ return rt.import_ed25519_publickey_from_file( os.path.join(DEMO_KEYS_DIR, keyname + '.pub'))
def write_and_import_keypair(self, name_dst): # Identify the paths for the next pre-generated keypair. pathpriv_src = os.path.join(os.path.dirname(os.path.realpath( __file__)), 'fixture_keys', '{}_key'.format(self.next_keypair_index)) pathpub_src = '{}.pub'.format(pathpriv_src) self.next_keypair_index += 1 print('Using key {} for {}'.format(pathpriv_src, name_dst)) # Load the keys into TUF. public_key = rt.import_ed25519_publickey_from_file(pathpub_src) private_key = rt.import_ed25519_privatekey_from_file( pathpriv_src, password='******') return (public_key, private_key)
def import_public_key(keyname): """ Import a public key according to the demo's current default key config. The keyname does not include '.pub'; it matches that used for the other functions here. Key type: ed25519 Key location: DEMO_KEYS_DIR """ I_TO_PRINT = TO_PRINT + uptane.YELLOW + '[import_public_key()]: ' + uptane.ENDCOLORS #TODO: Print to be deleted print( str('%s %s %s' % (I_TO_PRINT, 'Importing public key keyname:', keyname))) #TODO: Until here return rt.import_ed25519_publickey_from_file( os.path.join(DEMO_KEYS_DIR, keyname + '.pub'))
def test_root_role_versioning(self): # Test root role versioning # # 1. Import public and private keys. # 2. Add verification keys. # 3. Load signing keys. # 4. Add target files. # 5. Perform delegation. # 6. writeall() # # Copy the target files from 'tuf/tests/repository_data' so that writeall() # has target fileinfo to include in metadata. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) targets_directory = os.path.join(temporary_directory, 'repository', repo_tool.TARGETS_DIRECTORY_NAME) original_targets_directory = os.path.join('repository_data', 'repository', 'targets') shutil.copytree(original_targets_directory, targets_directory) # In this case, create_new_repository() creates the 'repository/' # sub-directory in 'temporary_directory' if it does not exist. repository_directory = os.path.join(temporary_directory, 'repository') metadata_directory = os.path.join(repository_directory, repo_tool.METADATA_STAGED_DIRECTORY_NAME) repository = repo_tool.create_new_repository(repository_directory) # (1) Load the public and private keys of the top-level roles, and one # delegated role. keystore_directory = os.path.join('repository_data', 'keystore') # Load the public keys. root_pubkey_path = os.path.join(keystore_directory, 'root_key.pub') targets_pubkey_path = os.path.join(keystore_directory, 'targets_key.pub') snapshot_pubkey_path = os.path.join(keystore_directory, 'snapshot_key.pub') timestamp_pubkey_path = os.path.join(keystore_directory, 'timestamp_key.pub') role1_pubkey_path = os.path.join(keystore_directory, 'delegation_key.pub') root_pubkey = repo_tool.import_rsa_publickey_from_file(root_pubkey_path) targets_pubkey = repo_tool.import_ed25519_publickey_from_file(targets_pubkey_path) snapshot_pubkey = \ repo_tool.import_ed25519_publickey_from_file(snapshot_pubkey_path) timestamp_pubkey = \ repo_tool.import_ed25519_publickey_from_file(timestamp_pubkey_path) role1_pubkey = repo_tool.import_ed25519_publickey_from_file(role1_pubkey_path) # Load the private keys. root_privkey_path = os.path.join(keystore_directory, 'root_key') targets_privkey_path = os.path.join(keystore_directory, 'targets_key') snapshot_privkey_path = os.path.join(keystore_directory, 'snapshot_key') timestamp_privkey_path = os.path.join(keystore_directory, 'timestamp_key') role1_privkey_path = os.path.join(keystore_directory, 'delegation_key') root_privkey = \ repo_tool.import_rsa_privatekey_from_file(root_privkey_path, 'password') targets_privkey = \ repo_tool.import_ed25519_privatekey_from_file(targets_privkey_path, 'password') snapshot_privkey = \ repo_tool.import_ed25519_privatekey_from_file(snapshot_privkey_path, 'password') timestamp_privkey = \ repo_tool.import_ed25519_privatekey_from_file(timestamp_privkey_path, 'password') role1_privkey = \ repo_tool.import_ed25519_privatekey_from_file(role1_privkey_path, 'password') # (2) Add top-level verification keys. repository.root.add_verification_key(root_pubkey) repository.targets.add_verification_key(targets_pubkey) repository.snapshot.add_verification_key(snapshot_pubkey) repository.timestamp.add_verification_key(timestamp_pubkey) # (3) Load top-level signing keys. repository.root.load_signing_key(root_privkey) repository.targets.load_signing_key(targets_privkey) repository.snapshot.load_signing_key(snapshot_privkey) repository.timestamp.load_signing_key(timestamp_privkey) # (4) Add target files. target1 = 'file1.txt' target2 = 'file2.txt' target3 = 'file3.txt' repository.targets.add_target(target1) repository.targets.add_target(target2) # (5) Perform delegation. repository.targets.delegate('role1', [role1_pubkey], [target3]) repository.targets('role1').load_signing_key(role1_privkey) # (6) Write repository. repository.writeall() self.assertTrue(os.path.exists(os.path.join(metadata_directory, 'root.json'))) self.assertTrue(os.path.exists(os.path.join(metadata_directory, '1.root.json'))) # Verify that the expected metadata is written. root_filepath = os.path.join(metadata_directory, 'root.json') root_1_filepath = os.path.join(metadata_directory, '1.root.json') root_2_filepath = os.path.join(metadata_directory, '2.root.json') old_root_signable = securesystemslib.util.load_json_file(root_filepath) root_1_signable = securesystemslib.util.load_json_file(root_1_filepath) # Make a change to the root keys repository.root.add_verification_key(targets_pubkey) repository.root.load_signing_key(targets_privkey) repository.root.threshold = 2 repository.writeall() new_root_signable = securesystemslib.util.load_json_file(root_filepath) root_2_signable = securesystemslib.util.load_json_file(root_2_filepath) for role_signable in [old_root_signable, new_root_signable, root_1_signable, root_2_signable]: # Raise 'securesystemslib.exceptions.FormatError' if 'role_signable' is an # invalid signable. tuf.formats.check_signable_object_format(role_signable) # Verify contents of versioned roots self.assertEqual(old_root_signable, root_1_signable) self.assertEqual(new_root_signable, root_2_signable) self.assertEqual(root_1_signable['signed']['version'], 1) self.assertEqual(root_2_signable['signed']['version'], 2) repository.root.remove_verification_key(root_pubkey) repository.root.unload_signing_key(root_privkey) repository.root.threshold = 2 # Errors, not enough signing keys to satisfy old threshold self.assertRaises(tuf.exceptions.UnsignedMetadataError, repository.writeall) # No error, write() ignore's root's threshold and allows it to be written # to disk partially signed. repository.write('root')
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)) signature = Signature() signature['keyid'] = rootPublicKey['publicKeyid'] signature['method'] = int(SignatureMethod('ed25519')) hash = Hash().subtype( implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)) hash['function'] = int(HashFunction('sha256')) digest = BinaryData().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1)) hexString = hashlib.sha256(encoder.encode(signed)).hexdigest() digest['hexString'] = hexString hash['digest'] = digest signature['hash'] = hash import tuf.repository_tool as rt key_root_pub = rt.import_ed25519_publickey_from_file('mainroot.pub') key_root_pri = rt.import_ed25519_privatekey_from_file('mainroot', password='******') import tuf.keys signed_hash = tuf.keys.create_signature(key_root_pri, hexString) signature['value'] = signed_hash['sig'] signatures[0] = signature metadata['signatures'] = signatures print(metadata.prettyPrint()) before = encoder.encode(metadata) filename = 'root.cer' with open(filename, 'wb') as a: a.write(before)