def in_toto_verify(layout_path, layout_key_paths): """Loads layout file and layout keys from disk and performs all in-toto verifications.""" try: log.doing("load layout...") layout = Layout.read_from_file(layout_path) except Exception, e: _die("in load layout - %s" % e)
def toto_verify(layout_path, layout_key): global retval # Load layout (validates format) try: log.doing("'%s' - load layout" % layout_path) layout = toto.models.layout.Layout.read_from_file(layout_path) except Exception, e: log.error("in load layout - %s" % e) return 1 # TODO: re-raise?
def in_toto_run(step_name, key_path, material_list, product_list, link_cmd_args, record_byproducts=False): """Load link signing private keys from disk and runs passed command, storing its materials, by-products and return value, and products into link metadata file. The link metadata file is signed and stored to disk. """ try: log.doing("load link signing key...") key = toto.util.prompt_import_rsa_key_from_file(key_path) except Exception, e: _die("in load key - %s" % e)
def in_toto_run(step_name, key_path, material_list, product_list, link_cmd_args, record_byproducts=False): """Load link signing private keys from disk and runs passed command, storing its materials, by-products and return value, and products into link metadata file. The link metadata file is signed and stored to disk. """ if tpm.readFromTPM(23) == str(0): tpm.set_register_23() log.doing("TPM: First time running - creating entry for register 23.") elif tpm.check_register_23(): log.doing("TPM: Check passed.") else: log.doing("TPM: Check failed. Exiting.") sys.exit() """ if tpm.initialize_register_23(): log.doing("TPM check passed.") else: log.doing("TPM check failed, exiting.") sys.exit() """ try: log.doing("load link signing key...") key = toto.util.prompt_import_rsa_key_from_file(key_path) except Exception, e: _die("in load key - %s" % e)
def _verify_rules(rules, source_type, item_name, item_link, step_links): """ Iterates over list of rules and calls verify on them. """ global retval for rule_data in rules: try: rule = toto.models.matchrule.Matchrule.read(rule_data) rule.source_type = source_type log.doing("'%s' - '%s' - verify %s matchrule - %s" \ % (layout_path, item_name, source_type, rule_data)) rule.verify_rule(item_link, step_links) except toto.models.matchrule.RuleVerficationFailed, e: log.failing("'%s' - '%s' - verify %s matchrule - %s" \ % (layout_path, item_name, source_type, e)) retval = 1 except Exception, e: log.error("in verify matchrule - %s" % e)
def in_toto_verify(layout_path, layout_key_paths): try: log.doing("load layout...") layout = Layout.read_from_file(layout_path) except Exception, e: _die("in load layout - %s" % e)
def _die(msg, exitcode=1): log.failing(msg) log.doing("Stopping installation process.") sys.exit(exitcode)
self.successfully_installed = to_install def _die(msg, exitcode=1): log.failing(msg) log.doing("Stopping installation process.") sys.exit(exitcode) def in_toto_verify(layout_path, layout_key_paths): try: log.doing("load layout...") layout = Layout.read_from_file(layout_path) except Exception, e: _die("in load layout - %s" % e) try: log.doing("verify layout expiration") toto.verifylib.verify_layout_expiration(layout) except Exception, e: _die("in verify layout expiration - %s" % e) try: log.doing("load layout keys...") layout_key_dict = toto.util.import_rsa_public_keys_from_files_as_dict( layout_key_paths) except Exception, e: _die("in load layout keys - %s" % e) try: log.doing("verify layout signatures...") toto.verifylib.verify_layout_signatures(layout, layout_key_dict) except Exception, e:
key_path, material_list, product_list, link_cmd_args, record_byproducts=False): """Load link signing private keys from disk and runs passed command, storing its materials, by-products and return value, and products into link metadata file. The link metadata file is signed and stored to disk. """ try: log.doing("load link signing key...") key = toto.util.prompt_import_rsa_key_from_file(key_path) except Exception, e: _die("in load key - %s" % e) try: log.doing("record materials...") materials_dict = toto.runlib.record_artifacts_as_dict(material_list) except Exception, e: _die("in record materials - %s" % e) try: log.doing("run command...") byproducts, return_value = toto.runlib.execute_link( link_cmd_args, record_byproducts) except Exception, e: _die("in run command - %s" % e) try: log.doing("record products...") products_dict = toto.runlib.record_artifacts_as_dict(product_list) except Exception, e:
retval = 0 def toto_verify(layout_path, layout_key): global retval # Load layout (validates format) try: log.doing("'%s' - load layout" % layout_path) layout = toto.models.layout.Layout.read_from_file(layout_path) except Exception, e: log.error("in load layout - %s" % e) return 1 # TODO: re-raise? try: log.doing("'%s' - load key '%s'" % (layout_path, layout_key)) # FIXME: Change key load layout_key_dict = toto.util.create_and_persist_or_load_key(layout_key) except Exception, e: log.error("in load key - %s" % e) # Verify signature try: log.doing("'%s' - verify signature - key '%s'" \ % (layout_path, layout_key)) msg = "'%s' - verify signature" % layout_path if layout.verify_signature(layout_key): log.passing(msg)
def main(): print """ ############################################################################# # Define the supply chain ############################################################################# """ # Create keys print "Generate keypair for Alice..." toto.util.generate_and_write_rsa_keypair("alice") print "Generate keypair for Bob..." toto.util.generate_and_write_rsa_keypair("bob") alice_public = toto.util.import_rsa_key_from_file("alice.pub") bob_public = toto.util.import_rsa_key_from_file("bob.pub") # Create Layout layout = m.Layout.read({ "_type": "layout", "expires": "EXPIRES", "keys": { alice_public["keyid"]: alice_public, bob_public["keyid"]: bob_public }, "steps": [{ "name": "write-code", "material_matchrules": [], "product_matchrules": [["CREATE", "foo.py"]], "pubkeys": [alice_public["keyid"]], "expected_command": "vi", }, { "name": "package", "material_matchrules": [ ["MATCH", "PRODUCT", "foo.py", "FROM", "write-code"], ], "product_matchrules": [ ["CREATE", "foo.tar.gz"], ], "pubkeys": [bob_public["keyid"]], "expected_command": "tar zcvf foo.tar.gz foo.py", }], "inspect": [{ "name": "untar", "material_matchrules": [["MATCH", "PRODUCT", "foo.tar.gz", "FROM", "package"]], "product_matchrules": [ ["MATCH", "PRODUCT", "foo.py", "FROM", "write-code"], ], "run": "tar xfz foo.tar.gz", }], "signatures": [] }) # Sign and dump layout print "Load alice private key to sign layout..." alice_private = toto.util.import_rsa_key_from_file("alice") layout.sign(alice_private) layout.dump() # Check if dumping - reading - dumping produces the same layout # layout_same = m.Layout.read_from_file("root.layout") # if repr(layout) != repr(layout_same): # log.failing("There is something wrong with layout de-/serialization") wait_for_y("Wanna do the peachy supply chain?") print """ ############################################################################# # Do the peachy supply chain ############################################################################# """ write_code_cmd = "python -m toto.toto-run "\ "--name write-code --products foo.py "\ "--key alice -- vi foo.py" log.doing("(Alice) - %s" % write_code_cmd) wait_for_y("Wanna drop to vi and write peachy code?") subprocess.call(write_code_cmd.split()) package_cmd = "python -m toto.toto-run "\ "--name package --material foo.py --products foo.tar.gz "\ "--key bob --record-byproducts -- tar zcvf foo.tar.gz foo.py" log.doing("(Bob) - %s" % package_cmd) subprocess.call(package_cmd.split()) print """ ############################################################################# # Verify the peachy supply chain ############################################################################# """ wait_for_y("Wanna verify peachy supply chain?") verify_cmd = "python -m toto.toto-verify "\ "--layout root.layout "\ "--layout-key alice" log.doing("(User) - %s" % verify_cmd) subprocess.call(verify_cmd.split()) wait_for_y("Wanna do the failing supply chain?") print """ ############################################################################# # Do the failing supply chain ############################################################################# """ write_code_cmd = "python -m toto.toto-run "\ "--name write-code --products foo.py "\ "--key alice -- vi foo.py" log.doing("(Alice) - %s" % write_code_cmd) wait_for_y("Wanna drop to vi and write peachy code?") subprocess.call(write_code_cmd.split()) bad_cmd = "vi foo.py" wait_for_y("Wanna drop to vi and write baaad code?") log.doing("(Malory) - %s" % bad_cmd) subprocess.call(bad_cmd.split()) package_cmd = "python -m toto.toto-run "\ "--name package --material foo.py --products foo.tar.gz "\ "--key bob --record-byproducts -- tar zcvf foo.tar.gz foo.py" log.doing("(Bob) - %s" % package_cmd) subprocess.call(package_cmd.split()) print """ ############################################################################# # Verify the failing supply chain ############################################################################# """ verify_cmd = "python -m toto.toto-verify "\ "--layout root.layout "\ "--layout-key alice" log.doing("(User) - %s" % verify_cmd) subprocess.call(verify_cmd.split())
log.error(msg) sys.exit(exitcode) def in_toto_run(step_name, key_path, material_list, product_list, link_cmd_args, record_byproducts=False): """Load link signing private keys from disk and runs passed command, storing its materials, by-products and return value, and products into link metadata file. The link metadata file is signed and stored to disk. """ try: log.doing("load link signing key...") key = toto.util.prompt_import_rsa_key_from_file(key_path) except Exception, e: _die("in load key - %s" % e) try: log.doing("record materials...") materials_dict = toto.runlib.record_artifacts_as_dict(material_list) except Exception, e: _die("in record materials - %s" % e) try: log.doing("run command...") byproducts, return_value = toto.runlib.execute_link(link_cmd_args, record_byproducts) except Exception, e: _die("in run command - %s" % e) try: log.doing("record products...") products_dict = toto.runlib.record_artifacts_as_dict(product_list) except Exception, e: