def create_key_mgr(self, keys): private_key_key_mgr = cct_common.PrivateKey.from_hex( keys["key_mgr"][0]["private"]) pkg_mgr_pub_keys = [k["public"] for k in keys["pkg_mgr"]] key_mgr = cct_metadata_construction.build_delegating_metadata( metadata_type="key_mgr", # 'root' or 'key_mgr' delegations={ "pkg_mgr": { "pubkeys": pkg_mgr_pub_keys, "threshold": 1 } }, version=1, # timestamp default: now # expiration default: now plus root expiration default duration ) key_mgr = cct_signing.wrap_as_signable(key_mgr) # sign dictionary in place cct_signing.sign_signable(key_mgr, private_key_key_mgr) key_mgr_serialized = cct_common.canonserialize(key_mgr) with open(self.folder / "key_mgr.json", "wb") as fobj: fobj.write(key_mgr_serialized) # let's run a verification root_metadata = cct_common.load_metadata_from_file(self.folder / "1.root.json") key_mgr_metadata = cct_common.load_metadata_from_file(self.folder / "key_mgr.json") cct_common.checkformat_signable(root_metadata) if "delegations" not in root_metadata["signed"]: raise ValueError('Expected "delegations" entry in root metadata.') root_delegations = root_metadata["signed"][ "delegations"] # for brevity cct_common.checkformat_delegations(root_delegations) if "key_mgr" not in root_delegations: raise ValueError( 'Missing expected delegation to "key_mgr" in root metadata.') cct_common.checkformat_delegation(root_delegations["key_mgr"]) # Doing delegation processing. cct_authentication.verify_delegation("key_mgr", key_mgr_metadata, root_metadata) console.print( "[green]Success: key mgr metadata verified based on root metadata." ) return key_mgr
def demo_verify_key_mgr_using_root(key_mgr_metadata, root_metadata): # Some argument validation cct_common.checkformat_signable(root_metadata) if 'delegations' not in root_metadata['signed']: raise ValueError('Expected "delegations" entry in root metadata.') root_delegations = root_metadata['signed']['delegations'] # for brevity cct_common.checkformat_delegations(root_delegations) if 'key_mgr' not in root_delegations: raise ValueError( 'Missing expected delegation to "key_mgr" in root metadata.') cct_common.checkformat_delegation(root_delegations['key_mgr']) # Doing delegation processing. cct_authentication.verify_delegation('key_mgr', key_mgr_metadata, root_metadata) print('\n-- Success: key mgr metadata verified based on root metadata.')
def demo_verify_pkg_sig_via_key_mgr(key_mgr): packages = { "pytorch-1.2.0-cuda92py27hd3e106c_0.tar.bz2": { "build": "cuda92py27hd3e106c_0", "build_number": 0, "depends": [ "_pytorch_select 0.2", "blas 1.0 mkl", "cffi", "cudatoolkit 9.2.*", "cudnn >=7.3.0,<=8.0a0", "future", "libgcc-ng >=7.3.0", "libstdcxx-ng >=7.3.0", "mkl >=2019.4,<2021.0a0", "mkl-service >=2,<3.0a0", "ninja", "numpy >=1.11.3,<2.0a0", "python >=2.7,<2.8.0a0" ], "license": "BSD 3-Clause", "license_family": "BSD", "md5": "793c6af90ed62c964e28b046e0b071c6", "name": "pytorch", "sha256": "a53f772a224485df7436d4b2aa2c5d44e249e2fb43eee98831eeaaa51a845697", "size": 282176733, "subdir": "linux-64", "timestamp": 1566783471689, "version": "1.2.0" } } print('\n\n\nHere is a sample package entry from repodata.json:') from pprint import pprint pprint(packages) junk = input_func('\n\nNext: sign it with the pkg_mgr key.') signable = cct_signing.wrap_as_signable( packages['pytorch-1.2.0-cuda92py27hd3e106c_0.tar.bz2']) # Sign in place. cct_signing.sign_signable( signable, cct_common.PrivateKey.from_hex( 'f3cdab14740066fb277651ec4f96b9f6c3e3eb3f812269797b9656074cd52133') ) print('Signed envelope around this pytorch package metadata:\n\n') pprint(signable) junk = input_func( '\n\nNext: verify the signature based on what the now-trusted ' 'key manager role told us to expect.\n') # Some argument validation for the key manager role. cct_common.checkformat_signable(key_mgr) if 'delegations' not in key_mgr['signed']: raise ValueError( 'Expected "delegations" entry in key manager metadata.') key_mgr_delegations = key_mgr['signed']['delegations'] # for brevity cct_common.checkformat_delegations(key_mgr_delegations) if 'pkg_mgr' not in key_mgr_delegations: raise ValueError( 'Missing expected delegation to "pkg_mgr" in key manager metadata.' ) cct_common.checkformat_delegation(key_mgr_delegations['pkg_mgr']) # Doing delegation processing. cct_authentication.verify_delegation('pkg_mgr', signable, key_mgr) print('\n\nSuccess: signature over package metadata verified based on ' 'trusted key manager metadata.') # Additional scenario: tampered metadata / incorrectly signed package # Man-in-the-middle adds false dependency signable['signed']['depends'] += ['django'] try: cct_authentication.verify_delegation('pkg_mgr', signable, key_mgr) except cct_common.SignatureError: print( 'Modified metadata results in verification failure: attack prevented' ) else: assert False, 'Demo test failed.'