def register_vehicle(vin, primary_ecu_serial=None, overwrite=True):
I_TO_PRINT = TO_PRINT + uptane.YELLOW + '[register_vehicle()]: ' + uptane.ENDCOLORS
#TODO: Print to be removed
print(
str('%s %s %s %s %s %s %s' %
(I_TO_PRINT, 'Registering vehicle with vin:', vin,
'primary_ecu_serial:', primary_ecu_serial, 'overwrite:',
overwrite)))
#TODO: Until here
_check_registration_is_sane(vin)
if primary_ecu_serial is not None:
uptane.formats.ECU_SERIAL_SCHEMA.check_match(primary_ecu_serial)
tuf.formats.BOOLEAN_SCHEMA.check_match(overwrite)
if not overwrite and vin in ecus_by_vin:
raise uptane.Spoofing('The given VIN, ' + repr(vin) + ', is already '
'registered.')
ecus_by_vin[vin] = []
vehicle_manifests[vin] = []
primary_ecus_by_vin[vin] = primary_ecu_serial
#TODO: Print to be deleted
print(str('%s %s ' % (I_TO_PRINT, 'Returning ...')))
def validate_primary_certification_in_vehicle_manifest(
self, vin, primary_ecu_serial, vehicle_manifest):
"""
Check the Primary's signature on the Vehicle Manifest and any other data
the Primary is certifying, without diving into the individual ECU Manifests
in the Vehicle Manifest.
Raises an exception if there is an issue with the Primary's signature.
No return value.
"""
# If args don't match expectations, error out here.
log.info(
'Beginning validate_primary_certification_in_vehicle_manifest')
uptane.formats.VIN_SCHEMA.check_match(vin)
uptane.formats.ECU_SERIAL_SCHEMA.check_match(primary_ecu_serial)
uptane.formats.SIGNABLE_VEHICLE_VERSION_MANIFEST_SCHEMA.check_match(
vehicle_manifest)
if primary_ecu_serial != vehicle_manifest['signed'][
'primary_ecu_serial']:
raise uptane.Spoofing(
'Received a spoofed or mistaken vehicle manifest: '
'the supposed origin Primary ECU (' +
repr(primary_ecu_serial) + ') '
'is not the same as what is signed in the vehicle manifest itself '
+ '(' +
repr(vehicle_manifest['signed']['primary_ecu_serial']) + ').')
# TODO: Consider mechanism for fetching keys from inventorydb itself,
# rather than always registering them after Director svc starts up.
if primary_ecu_serial not in self.ecu_public_keys:
log.debug('Rejecting a vehicle manifest from a Primary ECU whose '
'key is not registered.')
# Raise a fault for the offending ECU's XMLRPC request.
raise uptane.UnknownECU(
'The Director is not aware of the given Primary '
'ECU Serial (' + repr(primary_ecu_serial) +
'. Manifest rejected. If '
'the ECU is new, Register the new ECU with its key in order to be '
'able to submit its manifests.')
ecu_public_key = self.ecu_public_keys[primary_ecu_serial]
valid = tuf.keys.verify_signature(
ecu_public_key,
vehicle_manifest['signatures'][0], # TODO: Fix assumptions.
vehicle_manifest['signed'])
if not valid:
log.debug(
'Rejecting a vehicle manifest because the Primary signature on it is '
'not valid.It must be correctly signed by the expected Primary ECU '
'key.')
# Raise a fault for the offending ECU's XMLRPC request.
raise tuf.BadSignatureError(
'Sender supplied an invalid signature. '
'Vehicle Manifest is questionable; discarding. If you see this '
'persistently, it is possible that there is a man in the middle '
'attack or misconfiguration.')
def register_vehicle(vin):
vins = Vehicle.objects.filter(identifier=vin)
if len(vins) == 0:
newvin = Vehicle(identifier=vin, )
newvin.save()
else:
raise uptane.Spoofing('The given VIN, ' + repr(vin) + ', is already '
'registered.')
def register_ecu(is_primary, vin, ecu_serial, public_key):
tuf.formats.BOOLEAN_SCHEMA.check_match(is_primary)
uptane.formats.VIN_SCHEMA.check_match(vin)
uptane.formats.ECU_SERIAL_SCHEMA.check_match(ecu_serial)
tuf.formats.ANYKEY_SCHEMA.check_match(public_key)
ecus = Ecu.objects.filter(vehicle_id=vin)
for ecu in ecus:
if is_primary and ecu.primary:
raise uptane.Spoofing('The given VIN, ' + repr(vin) +
', is already '
'associated with a Primary ECU.')
if ecu.identifier == ecu_serial:
raise uptane.Spoofing('The given ECU Serial, ' + repr(ecu_serial) +
', is already associated with a public key.')
check_vin_registered(vin)
newecu = Ecu(identifier=ecu_serial,
public_key=json.dumps(public_key),
primary=is_primary,
vehicle_id=Vehicle.objects.get(identifier=vin))
newecu.save()
def validate_ecu_manifest(self, ecu_serial, signed_ecu_manifest):
"""
Arguments:
ecuid: uptane.formats.ECU_SERIAL_SCHEMA
manifest: uptane.formats.SIGNABLE_ECU_VERSION_MANIFEST_SCHEMA
"""
uptane.formats.SIGNABLE_ECU_VERSION_MANIFEST_SCHEMA.check_match(
signed_ecu_manifest)
# If it doesn't match expectations, error out here.
if ecu_serial != signed_ecu_manifest['signed']['ecu_serial']:
raise uptane.Spoofing(
'Received a spoofed or mistaken manifest: supposed '
'origin ECU (' + repr(ecu_serial) +
') is not the same as what is '
'signed in the manifest itself (' +
repr(signed_ecu_manifest['signed']['ecu_serial']) + ').')
# TODO: Consider mechanism for fetching keys from inventorydb itself,
# rather than always registering them after Director svc starts up.
if ecu_serial not in self.ecu_public_keys:
log.info('Validation failed on an ECU Manifest: ECU ' +
repr(ecu_serial) + ' is not registered.')
# Raise a fault for the offending ECU's XMLRPC request.
raise uptane.UnknownECU(
'The Director is not aware of the given ECU '
'SERIAL (' + repr(ecu_serial) +
'. Manifest rejected. If the ECU is '
'new, Register the new ECU with its key in order to be able to '
'submit its manifests.')
ecu_public_key = self.ecu_public_keys[ecu_serial]
valid = tuf.keys.verify_signature(
ecu_public_key,
signed_ecu_manifest['signatures'][0], # TODO: Fix assumptions.
signed_ecu_manifest['signed'])
if not valid:
log.info(
'Validation failed on an ECU Manifest: signature is not valid. It'
'It must be correctly signed by the expected key for that ECU.'
)
# Raise a fault for the offending ECU's XMLRPC request.
raise tuf.BadSignatureError(
'Sender supplied an invalid signature. '
'ECU Manifest is unacceptable. If you see this persistently, it is'
'possible that the Primary is compromised or that there is a man in '
'the middle attack or misconfiguration.')
def validate_ecu_manifest(self, ecu_serial, signed_ecu_manifest):
"""
Arguments:
ecuid: uptane.formats.ECU_SERIAL_SCHEMA
manifest: uptane.formats.SIGNABLE_ECU_VERSION_MANIFEST_SCHEMA
"""
uptane.formats.ECU_SERIAL_SCHEMA.check_match(ecu_serial)
uptane.formats.SIGNABLE_ECU_VERSION_MANIFEST_SCHEMA.check_match(
signed_ecu_manifest)
# If it doesn't match expectations, error out here.
if ecu_serial != signed_ecu_manifest['signed']['ecu_serial']:
raise uptane.Spoofing(
'Received a spoofed or mistaken manifest: supposed '
'origin ECU (' + repr(ecu_serial) +
') is not the same as what is '
'signed in the manifest itself (' +
repr(signed_ecu_manifest['signed']['ecu_serial']) + ').')
if ecu_serial not in inventory.ecu_public_keys:
log.info('Validation failed on an ECU Manifest: ECU ' +
repr(ecu_serial) + ' is not registered.')
raise uptane.UnknownECU(
'The Director is not aware of the given ECU '
'SERIAL (' + repr(ecu_serial) +
'. Manifest rejected. If the ECU is '
'new, Register the new ECU with its key in order to be able to '
'submit its manifests.')
ecu_public_key = inventory.ecu_public_keys[ecu_serial]
valid = uptane.common.verify_signature_over_metadata(
ecu_public_key,
signed_ecu_manifest['signatures']
[0], # TODO: Fix single-signature assumption
signed_ecu_manifest['signed'],
DATATYPE_ECU_MANIFEST)
if not valid:
log.info(
'Validation failed on an ECU Manifest: signature is not valid. '
'It must be correctly signed by the expected key for that ECU.'
)
raise tuf.BadSignatureError(
'Sender supplied an invalid signature. '
'ECU Manifest is unacceptable. If you see this persistently, it is '
'possible that the Primary is compromised or that there is a man in '
'the middle attack or misconfiguration.')
def register_vehicle(vin, primary_ecu_serial=None, overwrite=True):
_check_registration_is_sane(vin)
if primary_ecu_serial is not None:
uptane.formats.ECU_SERIAL_SCHEMA.check_match(primary_ecu_serial)
tuf.formats.BOOLEAN_SCHEMA.check_match(overwrite)
if not overwrite and vin in ecus_by_vin:
raise uptane.Spoofing('The given VIN, ' + repr(vin) + ', is already '
'registered.')
ecus_by_vin[vin] = []
vehicle_manifests[vin] = []
primary_ecus_by_vin[vin] = primary_ecu_serial
def register_ecu_serial(self, ecu_serial, ecu_key):
uptane.formats.ECU_SERIAL_SCHEMA.check_match(ecu_serial)
tuf.formats.ANYKEY_SCHEMA.check_match(ecu_key)
if ecu_serial in self.ecu_public_keys:
log.error(
RED +
'Rejecting an attempt to register a public key to an ECU '
'Serial when that ECU Serial already has a public key registered to '
'it.' + ENDCOLORS)
raise uptane.Spoofing(
'This ecu_serial has already been registered. '
'Rejecting registration request.')
else:
self.ecu_public_keys[ecu_serial] = ecu_key
log.info(GREEN + ' Registered a new ECU:\n ECU Serial: ' +
repr(ecu_serial) + '\n ECU Key: ' + repr(ecu_key) +
'\n' + ENDCOLORS)
def register_ecu(is_primary, vin, ecu_serial, public_key, overwrite=True):
"""
Registers the ECU with the given ECU Serial, saving its public key, making
note of the vehicle with which it is associated, and, if is_primary is True,
marks it as the Primary ECU for the vehicle.
Also registers the given VIN if it was not previously known (creating
appropriate entries in the global dictionaries).
If overwrite is False:
if it is given an already-known ECU Serial, or if is_primary is True and
the given VIN is already associated with a Primary ECU, raises an
uptane.Spoofing exception.
If overwrite is True:
if given an already-known ECU Serial, will overwrite the previously
registered public key and delete existing ECU Manifests for that ECU Serial.
if given an already-known VIN that is already associated with a Primary
ECU, it will associate the new ECU as the VIN's Primary.
This can orphan previously-Primary ECUs:
If a new ECU is registered as the Primary for a known vehicle that already
had a Primary, the old Primary ECU will still be kept as a known ECU,
along with all its ECU Manifests, and its association with the VIN is not
removed, but it is no longer marked as the Primary for that VIN.
Will not add the same ECU Serial to a vehicle's list of ECUs
(ecus_by_vin[vin]) twice.
"""
I_TO_PRINT = TO_PRINT + uptane.YELLOW + '[register_ecu(is_primary, vin, ecu_serial, public_key, overwrite)]: ' + uptane.ENDCOLORS
#TODO: Print to be removed
print(
str('%s %s %s %s %s %s %s %s %s' %
(I_TO_PRINT, 'Registering ECU with ecu_serial:', ecu_serial,
'for vehicle vin:', vin, 'is_primary:', is_primary, 'overwrite:',
overwrite)))
#TODO: Until here
tuf.formats.BOOLEAN_SCHEMA.check_match(is_primary)
uptane.formats.VIN_SCHEMA.check_match(vin)
uptane.formats.ECU_SERIAL_SCHEMA.check_match(ecu_serial)
tuf.formats.ANYKEY_SCHEMA.check_match(public_key)
tuf.formats.BOOLEAN_SCHEMA.check_match(overwrite)
assert (ecu_serial in ecu_public_keys) == (ecu_serial in ecu_manifests), \
'Programming error: ECU registration is not consistent.'
if not overwrite:
#TODO: TO BE ENTIRELY DELETED, MY CHECKINGS!
if vin in primary_ecus_by_vin and is_primary:
print('%s %s %s %s %s' %
(I_TO_PRINT, '[OK] Vin:', vin, 'in primary_ecus_by_vin:',
primary_ecus_by_vin))
else:
print('%s %s %s %s %s' %
(I_TO_PRINT, '[NOK] Vin:', vin,
'not in primary_ecus_by_vin:', primary_ecus_by_vin))
if not ecu_serial in ecu_public_keys:
print('%s %s %s %s %s %s' %
(I_TO_PRINT, '[OK] ecu_serial:', ecu_serial,
'not in ecu_public_keys:', ecu_public_keys,
'no registered yet to public key'))
else:
print('%s %s %s %s %s %s' %
(I_TO_PRINT, '[NOK] ecu_serial:', ecu_serial,
'in ecu_public_keys:', ecu_public_keys,
'already registered to public key'))
# If we aren't supposed to be overwriting public keys or Primary
# associations, make sure we don't.
if is_primary and vin in primary_ecus_by_vin and \
primary_ecus_by_vin[vin] is not None:
#TODO: Print to be deleted
print(
str('%s %s' %
(I_TO_PRINT,
"ERROR! primary_ecus_by_vin[vin] is not NONE!")))
#TODO: Until here
raise uptane.Spoofing('The given VIN, ' + repr(vin) +
', is already '
'associated with a Primary ECU.')
if ecu_serial in ecu_public_keys:
#TODO: Print to be deleted
print(
str('%s %s' %
(I_TO_PRINT,
"ERROR! ecu_serial already in ecu_public_keys!")))
#TODO: Until here
raise uptane.Spoofing('The given ECU Serial, ' + repr(ecu_serial) +
', is already associated with a public key.')
# It is expected that the vehicle to which this ECU belongs is already
# registered.
check_vin_registered(vin)
# Associate the ECU with the vehicle.
if ecu_serial not in ecus_by_vin[vin]:
ecus_by_vin[vin].append(ecu_serial)
else:
#TODO: Print to be deleted
print(
str('%s %s %s' %
(I_TO_PRINT,
"[!] - ecu_serial is already in ecus_by_vin[vin], vin:",
vin)))
#TODO: Until here
if is_primary:
# Set the ECU as the vehicle's Primary ECU.
primary_ecus_by_vin[vin] = ecu_serial
# Save the ECU's public key.
ecu_public_keys[ecu_serial] = public_key
# Create an entry in the ecu_manifests dictionary for future manifests from
# the ECU.
ecu_manifests[ecu_serial] = []
#TODO: Print to be deleted
print(
'\nvehicle_manifests: %s\necu_manifests: %s\nprimary_ecus_by_vin: %s\necus_by_vin: %s\necu_public_keys: %s\n'
% (vehicle_manifests, ecu_manifests, primary_ecus_by_vin, ecus_by_vin,
ecu_public_keys))
#TODO: Until here
#TODO: Print to be deleted
print(str('%s %s ' % (I_TO_PRINT, 'Returning ...')))
def validate_primary_certification_in_vehicle_manifest(
self, vin, primary_ecu_serial, vehicle_manifest):
"""
Check the Primary's signature on the Vehicle Manifest and any other data
the Primary is certifying, without diving into the individual ECU Manifests
in the Vehicle Manifest.
Raises an exception if there is an issue with the Primary's signature.
No return value.
"""
# If args don't match expectations, error out here.
log.info(
'Beginning validate_primary_certification_in_vehicle_manifest')
uptane.formats.VIN_SCHEMA.check_match(vin)
uptane.formats.ECU_SERIAL_SCHEMA.check_match(primary_ecu_serial)
uptane.formats.SIGNABLE_VEHICLE_VERSION_MANIFEST_SCHEMA.check_match(
vehicle_manifest)
if primary_ecu_serial != vehicle_manifest['signed'][
'primary_ecu_serial']:
raise uptane.Spoofing(
'Received a spoofed or mistaken vehicle manifest: '
'the supposed origin Primary ECU (' +
repr(primary_ecu_serial) + ') '
'is not the same as what is signed in the vehicle manifest itself '
+ '(' +
repr(vehicle_manifest['signed']['primary_ecu_serial']) + ').')
# # TODO: Consider mechanism for fetching keys from inventorydb itself,
# # rather than always registering them after Director svc starts up.
# if primary_ecu_serial not in inventory.ecu_public_keys:
# log.debug(
# 'Rejecting a vehicle manifest from a Primary ECU whose '
# 'key is not registered.')
# raise uptane.UnknownECU('The Director is not aware of the given Primary '
# 'ECU Serial (' + repr(primary_ecu_serial) + '. Manifest rejected. If '
# 'the ECU is new, Register the new ECU with its key in order to be '
# 'able to submit its manifests.')
ecu_public_key = inventory.get_ecu_public_key(primary_ecu_serial)
# Here, we check to see if the key that signed the Vehicle Manifest is the
# same key as ecu_public_key (the one the director expects), so that we can
# generate a more informative error, allowing user/debugger to distinguish
# between a bad signature ostensibly from the right key and a signature
# from the wrong key.
# TODO: Fix(?) assumption that one signature is used below.
keyid_used_in_signature = vehicle_manifest['signatures'][0]['keyid']
# Note, though, that there could be some edge cases here that the TUF code
# might actually resolve: for example, if the keyid hash algorithm used
# in the signature is not the same one as the one used in the key listing,
# this check would provide a false failure. So we don't raise an error here,
# and instead just log this difference and let the final arbiter of the
# validity of the signature be the dedicated code in tuf.keys.
if keyid_used_in_signature != ecu_public_key['keyid']:
log.info(
'Key used to sign Vehicle Manifest has a different keyid from that '
'listed in the inventory DB. Expect signature validation to fail, '
'unless the key is the same but the keyid differently hashed. '
'Expected keyid: ' + repr(ecu_public_key['keyid']) +
'; keyid used '
'in signature: ' + repr(keyid_used_in_signature))
if tuf.conf.METADATA_FORMAT == 'der':
# To check the signature, we have to make sure to encode the data as it
# was when the signature was made. If we're using ASN.1/DER as the
# data format/encoding, then we convert the 'signed' portion of the data
# back to ASN.1/DER to check it.
# Further, since for ASN.1/DER, a SHA256 hash is taken of the data and
# *that* is what is signed, we perform that hashing as well and retrieve
# the raw binary digest.
data_to_check = asn1_codec.convert_signed_metadata_to_der(
vehicle_manifest, DATATYPE_VEHICLE_MANIFEST, only_signed=True)
data_to_check = hashlib.sha256(data_to_check).digest()
else:
data_to_check = vehicle_manifest['signed']
valid = uptane.common.verify_signature_over_metadata(
ecu_public_key,
vehicle_manifest['signatures'][0], # TODO: Fix assumptions.
vehicle_manifest['signed'],
DATATYPE_VEHICLE_MANIFEST)
if not valid:
log.debug(
'Rejecting a vehicle manifest because the Primary signature on it is '
'not valid. It must be correctly signed by the expected Primary ECU '
'key.')
raise tuf.BadSignatureError(
'Sender supplied an invalid signature. '
'Vehicle Manifest is questionable; discarding. If you see this '
'persistently, it is possible that there is a man in the middle '
'attack or misconfiguration.')
def register_ecu(is_primary, vin, ecu_serial, public_key, overwrite=True):
"""
Registers the ECU with the given ECU Serial, saving its public key, making
note of the vehicle with which it is associated, and, if is_primary is True,
marks it as the Primary ECU for the vehicle.
Also registers the given VIN if it was not previously known (creating
appropriate entries in the global dictionaries).
If overwrite is False:
if it is given an already-known ECU Serial, or if is_primary is True and
the given VIN is already associated with a Primary ECU, raises an
uptane.Spoofing exception.
If overwrite is True:
if given an already-known ECU Serial, will overwrite the previously
registered public key and delete existing ECU Manifests for that ECU Serial.
if given an already-known VIN that is already associated with a Primary
ECU, it will associate the new ECU as the VIN's Primary.
This can orphan previously-Primary ECUs:
If a new ECU is registered as the Primary for a known vehicle that already
had a Primary, the old Primary ECU will still be kept as a known ECU,
along with all its ECU Manifests, and its association with the VIN is not
removed, but it is no longer marked as the Primary for that VIN.
Will not add the same ECU Serial to a vehicle's list of ECUs
(ecus_by_vin[vin]) twice.
"""
tuf.formats.BOOLEAN_SCHEMA.check_match(is_primary)
uptane.formats.VIN_SCHEMA.check_match(vin)
uptane.formats.ECU_SERIAL_SCHEMA.check_match(ecu_serial)
tuf.formats.ANYKEY_SCHEMA.check_match(public_key)
tuf.formats.BOOLEAN_SCHEMA.check_match(overwrite)
assert (ecu_serial in ecu_public_keys) == (ecu_serial in ecu_manifests), \
'Programming error: ECU registration is not consistent.'
if not overwrite:
# If we aren't supposed to be overwriting public keys or Primary
# associations, make sure we don't.
if is_primary and vin in primary_ecus_by_vin and \
primary_ecus_by_vin[vin] is not None:
raise uptane.Spoofing('The given VIN, ' + repr(vin) +
', is already '
'associated with a Primary ECU.')
if ecu_serial in ecu_public_keys:
raise uptane.Spoofing('The given ECU Serial, ' + repr(ecu_serial) +
', is already associated with a public key.')
# Register the VIN if it is unknown.
# No VIN should ever be in only one or the other of ecus_by_vin or
# vehicle_manifests, or there is a bug.
if vin not in ecus_by_vin:
register_vehicle(vin, overwrite=overwrite)
# Associate the ECU with the vehicle.
if ecu_serial not in ecus_by_vin[vin]:
ecus_by_vin[vin].append(ecu_serial)
if is_primary:
# Set the ECU as the vehicle's Primary ECU.
primary_ecus_by_vin[vin] = ecu_serial
# Save the ECU's public key.
ecu_public_keys[ecu_serial] = public_key
# Create an entry in the ecu_manifests dictionary for future manifests from
# the ECU.
ecu_manifests[ecu_serial] = []
