def test_generate_and_write_ed25519_keypair(self):
# Test normal case.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
test_keypath = os.path.join(temporary_directory, 'ed25519_key')
interface.generate_and_write_ed25519_keypair(test_keypath, password='******')
self.assertTrue(os.path.exists(test_keypath))
self.assertTrue(os.path.exists(test_keypath + '.pub'))
# Ensure the generated key files are importable.
imported_pubkey = \
interface.import_ed25519_publickey_from_file(test_keypath + '.pub')
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_pubkey))
imported_privkey = \
interface.import_ed25519_privatekey_from_file(test_keypath, 'pw')
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_privkey))
# Test improperly formatted arguments.
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.generate_and_write_ed25519_keypair, 3, password='******')
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.generate_and_write_rsa_keypair, test_keypath, password=3)
def test_import_ed25519_privatekey_from_file(self):
# Test normal case.
# Generate ed25519 keys that can be imported.
scheme = 'ed25519'
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
ed25519_keypath = os.path.join(temporary_directory, 'ed25519_key')
interface.generate_and_write_ed25519_keypair(ed25519_keypath, password='******')
imported_ed25519_key = \
interface.import_ed25519_privatekey_from_file(ed25519_keypath, 'pw')
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_ed25519_key))
# Test improperly formatted argument.
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.import_ed25519_privatekey_from_file, 3, 'pw')
# Test invalid argument.
# Non-existent key file.
nonexistent_keypath = os.path.join(temporary_directory,
'nonexistent_keypath')
self.assertRaises(IOError, interface.import_ed25519_privatekey_from_file,
nonexistent_keypath, 'pw')
# Invalid key file argument.
invalid_keyfile = os.path.join(temporary_directory, 'invalid_keyfile')
with open(invalid_keyfile, 'wb') as file_object:
file_object.write(b'bad keyfile')
self.assertRaises(securesystemslib.exceptions.Error,
interface.import_ed25519_privatekey_from_file, invalid_keyfile, 'pw')
# Invalid private key imported (contains unexpected keytype.)
imported_ed25519_key['keytype'] = 'invalid_keytype'
# Use 'pyca_crypto_keys.py' to bypass the key format validation performed
# by 'keys.py'.
salt, iterations, derived_key = \
securesystemslib.pyca_crypto_keys._generate_derived_key('pw')
# Store the derived key info in a dictionary, the object expected
# by the non-public _encrypt() routine.
derived_key_information = {'salt': salt, 'iterations': iterations,
'derived_key': derived_key}
# Convert the key object to json string format and encrypt it with the
# derived key.
encrypted_key = \
securesystemslib.pyca_crypto_keys._encrypt(json.dumps(imported_ed25519_key),
derived_key_information)
with open(ed25519_keypath, 'wb') as file_object:
file_object.write(encrypted_key.encode('utf-8'))
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.import_ed25519_privatekey_from_file, ed25519_keypath, 'pw')
def write_keypair(keystore_dir: str, functionary: str, i: int = 1, n: int = 1, passphrase: Optional[str] = None) -> Keypath:
private_keypath = get_new_private_keypath(keystore_dir, functionary, i)
assert not os.path.isfile(private_keypath)
public_keypath = get_public_keypath(private_keypath)
assert not os.path.isfile(public_keypath)
# Make the keystore directory, WR-only by self, if not already there.
os.makedirs(keystore_dir, mode=0o700, exist_ok=True)
generate_and_write_ed25519_keypair(private_keypath, password=passphrase)
return Keypath(private_keypath, public_keypath)
def test_import_ed25519_publickey_from_file(self):
# Test normal case.
# Generate ed25519 keys that can be imported.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
ed25519_keypath = os.path.join(temporary_directory, 'ed25519_key')
interface.generate_and_write_ed25519_keypair(ed25519_keypath,
password='******')
imported_ed25519_key = \
interface.import_ed25519_publickey_from_file(ed25519_keypath + '.pub')
self.assertTrue(
securesystemslib.formats.ED25519KEY_SCHEMA.matches(
imported_ed25519_key))
# Test improperly formatted argument.
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.import_ed25519_publickey_from_file, 3)
# Test invalid argument.
# Non-existent key file.
nonexistent_keypath = os.path.join(temporary_directory,
'nonexistent_keypath')
self.assertRaises(IOError,
interface.import_ed25519_publickey_from_file,
nonexistent_keypath)
# Invalid key file argument.
invalid_keyfile = os.path.join(temporary_directory, 'invalid_keyfile')
with open(invalid_keyfile, 'wb') as file_object:
file_object.write(b'bad keyfile')
self.assertRaises(securesystemslib.exceptions.Error,
interface.import_ed25519_publickey_from_file,
invalid_keyfile)
# Invalid public key imported (contains unexpected keytype.)
keytype = imported_ed25519_key['keytype']
keyval = imported_ed25519_key['keyval']
scheme = imported_ed25519_key['scheme']
ed25519key_metadata_format = \
securesystemslib.keys.format_keyval_to_metadata(keytype, scheme,
keyval, private=False)
ed25519key_metadata_format['keytype'] = 'invalid_keytype'
with open(ed25519_keypath + '.pub', 'wb') as file_object:
file_object.write(
json.dumps(ed25519key_metadata_format).encode('utf-8'))
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.import_ed25519_publickey_from_file,
ed25519_keypath + '.pub')
def set_up_keys(cls):
# Generated unencrypted keys
cls.rsa_key_path = generate_and_write_unencrypted_rsa_keypair()
cls.rsa_key_id = os.path.basename(cls.rsa_key_path)
cls.ed25519_key_path = generate_and_write_unencrypted_ed25519_keypair()
cls.ed25519_key_id = os.path.basename(cls.ed25519_key_path)
# Generate encrypted keys
cls.rsa_key_enc_path = generate_and_write_rsa_keypair(password=cls.key_pw)
cls.rsa_key_enc_id = os.path.basename(cls.rsa_key_enc_path)
cls.ed25519_key_enc_path = generate_and_write_ed25519_keypair(password=cls.key_pw)
cls.ed25519_key_enc_id = os.path.basename(cls.ed25519_key_enc_path)
def test_generate_and_write_ed25519_keypair(self):
# Test normal case.
temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
test_keypath = os.path.join(temporary_directory, 'ed25519_key')
test_keypath_unencrypted = os.path.join(temporary_directory,
'ed25519_key_unencrypted')
returned_path = interface.generate_and_write_ed25519_keypair(
test_keypath, password='******')
self.assertTrue(os.path.exists(test_keypath))
self.assertTrue(os.path.exists(test_keypath + '.pub'))
self.assertEqual(returned_path, test_keypath)
# If an empty string is given for 'password', the private key file
# is written to disk unencrypted.
interface.generate_and_write_ed25519_keypair(test_keypath_unencrypted,
password='')
self.assertTrue(os.path.exists(test_keypath_unencrypted))
self.assertTrue(os.path.exists(test_keypath_unencrypted + '.pub'))
# Ensure the generated key files are importable.
imported_pubkey = \
interface.import_ed25519_publickey_from_file(test_keypath + '.pub')
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA\
.matches(imported_pubkey))
imported_privkey = \
interface.import_ed25519_privatekey_from_file(test_keypath, 'pw')
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA\
.matches(imported_privkey))
# Fail importing encrypted key passing password and prompt
with self.assertRaises(ValueError):
interface.import_ed25519_privatekey_from_file(test_keypath,
password='******',
prompt=True)
# Fail importing encrypted key passing an empty string for passwd
with self.assertRaises(ValueError):
interface.import_ed25519_privatekey_from_file(test_keypath,
password='')
# Try to import the unencrypted key file, by not passing a password
imported_privkey = \
interface.import_ed25519_privatekey_from_file(test_keypath_unencrypted)
self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.\
matches(imported_privkey))
# Try to import the unencrypted key file, by entering an empty password
with mock.patch('securesystemslib.interface.get_password',
return_value=''):
imported_privkey = \
interface.import_ed25519_privatekey_from_file(test_keypath_unencrypted,
prompt=True)
self.assertTrue(
securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_privkey))
# Fail importing unencrypted key passing a password
with self.assertRaises(securesystemslib.exceptions.CryptoError):
interface.import_ed25519_privatekey_from_file(test_keypath_unencrypted,
'pw')
# Fail importing encrypted key passing no password
with self.assertRaises(securesystemslib.exceptions.CryptoError):
interface.import_ed25519_privatekey_from_file(test_keypath)
# Test for a default filepath. If 'filepath' is not given, the key's
# KEYID is used as the filename. The key is saved to the current working
# directory.
default_keypath = interface.generate_and_write_ed25519_keypair(password='******')
self.assertTrue(os.path.exists(default_keypath))
self.assertTrue(os.path.exists(default_keypath + '.pub'))
written_key = interface.import_ed25519_publickey_from_file(default_keypath + '.pub')
self.assertEqual(written_key['keyid'], os.path.basename(default_keypath))
os.remove(default_keypath)
os.remove(default_keypath + '.pub')
# Test improperly formatted arguments.
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.generate_and_write_ed25519_keypair, 3, password='******')
self.assertRaises(securesystemslib.exceptions.FormatError,
interface.generate_and_write_rsa_keypair, test_keypath, password=3)
def init_keys():
if not os.path.isfile(KEY_NAME):
generate_and_write_ed25519_keypair(KEY_NAME, password=PASSWORD)
