def create_key_mgr(self, keys):
private_key_key_mgr = cct_common.PrivateKey.from_hex(
keys["key_mgr"][0]["private"])
pkg_mgr_pub_keys = [k["public"] for k in keys["pkg_mgr"]]
key_mgr = cct_metadata_construction.build_delegating_metadata(
metadata_type="key_mgr", # 'root' or 'key_mgr'
delegations={
"pkg_mgr": {
"pubkeys": pkg_mgr_pub_keys,
"threshold": 1
}
},
version=1,
# timestamp default: now
# expiration default: now plus root expiration default duration
)
key_mgr = cct_signing.wrap_as_signable(key_mgr)
# sign dictionary in place
cct_signing.sign_signable(key_mgr, private_key_key_mgr)
key_mgr_serialized = cct_common.canonserialize(key_mgr)
with open(self.folder / "key_mgr.json", "wb") as fobj:
fobj.write(key_mgr_serialized)
# let's run a verification
root_metadata = cct_common.load_metadata_from_file(self.folder /
"1.root.json")
key_mgr_metadata = cct_common.load_metadata_from_file(self.folder /
"key_mgr.json")
cct_common.checkformat_signable(root_metadata)
if "delegations" not in root_metadata["signed"]:
raise ValueError('Expected "delegations" entry in root metadata.')
root_delegations = root_metadata["signed"][
"delegations"] # for brevity
cct_common.checkformat_delegations(root_delegations)
if "key_mgr" not in root_delegations:
raise ValueError(
'Missing expected delegation to "key_mgr" in root metadata.')
cct_common.checkformat_delegation(root_delegations["key_mgr"])
# Doing delegation processing.
cct_authentication.verify_delegation("key_mgr", key_mgr_metadata,
root_metadata)
console.print(
"[green]Success: key mgr metadata verified based on root metadata."
)
return key_mgr
def demo_verify_key_mgr_using_root(key_mgr_metadata, root_metadata):
# Some argument validation
cct_common.checkformat_signable(root_metadata)
if 'delegations' not in root_metadata['signed']:
raise ValueError('Expected "delegations" entry in root metadata.')
root_delegations = root_metadata['signed']['delegations'] # for brevity
cct_common.checkformat_delegations(root_delegations)
if 'key_mgr' not in root_delegations:
raise ValueError(
'Missing expected delegation to "key_mgr" in root metadata.')
cct_common.checkformat_delegation(root_delegations['key_mgr'])
# Doing delegation processing.
cct_authentication.verify_delegation('key_mgr', key_mgr_metadata,
root_metadata)
print('\n-- Success: key mgr metadata verified based on root metadata.')
def demo_verify_pkg_sig_via_key_mgr(key_mgr):
packages = {
"pytorch-1.2.0-cuda92py27hd3e106c_0.tar.bz2": {
"build":
"cuda92py27hd3e106c_0",
"build_number":
0,
"depends": [
"_pytorch_select 0.2", "blas 1.0 mkl", "cffi",
"cudatoolkit 9.2.*", "cudnn >=7.3.0,<=8.0a0", "future",
"libgcc-ng >=7.3.0", "libstdcxx-ng >=7.3.0",
"mkl >=2019.4,<2021.0a0", "mkl-service >=2,<3.0a0", "ninja",
"numpy >=1.11.3,<2.0a0", "python >=2.7,<2.8.0a0"
],
"license":
"BSD 3-Clause",
"license_family":
"BSD",
"md5":
"793c6af90ed62c964e28b046e0b071c6",
"name":
"pytorch",
"sha256":
"a53f772a224485df7436d4b2aa2c5d44e249e2fb43eee98831eeaaa51a845697",
"size":
282176733,
"subdir":
"linux-64",
"timestamp":
1566783471689,
"version":
"1.2.0"
}
}
print('\n\n\nHere is a sample package entry from repodata.json:')
from pprint import pprint
pprint(packages)
junk = input_func('\n\nNext: sign it with the pkg_mgr key.')
signable = cct_signing.wrap_as_signable(
packages['pytorch-1.2.0-cuda92py27hd3e106c_0.tar.bz2'])
# Sign in place.
cct_signing.sign_signable(
signable,
cct_common.PrivateKey.from_hex(
'f3cdab14740066fb277651ec4f96b9f6c3e3eb3f812269797b9656074cd52133')
)
print('Signed envelope around this pytorch package metadata:\n\n')
pprint(signable)
junk = input_func(
'\n\nNext: verify the signature based on what the now-trusted '
'key manager role told us to expect.\n')
# Some argument validation for the key manager role.
cct_common.checkformat_signable(key_mgr)
if 'delegations' not in key_mgr['signed']:
raise ValueError(
'Expected "delegations" entry in key manager metadata.')
key_mgr_delegations = key_mgr['signed']['delegations'] # for brevity
cct_common.checkformat_delegations(key_mgr_delegations)
if 'pkg_mgr' not in key_mgr_delegations:
raise ValueError(
'Missing expected delegation to "pkg_mgr" in key manager metadata.'
)
cct_common.checkformat_delegation(key_mgr_delegations['pkg_mgr'])
# Doing delegation processing.
cct_authentication.verify_delegation('pkg_mgr', signable, key_mgr)
print('\n\nSuccess: signature over package metadata verified based on '
'trusted key manager metadata.')
# Additional scenario: tampered metadata / incorrectly signed package
# Man-in-the-middle adds false dependency
signable['signed']['depends'] += ['django']
try:
cct_authentication.verify_delegation('pkg_mgr', signable, key_mgr)
except cct_common.SignatureError:
print(
'Modified metadata results in verification failure: attack prevented'
)
else:
assert False, 'Demo test failed.'