def _verify_metadata(metadata, args):
    """
  <Purpose>
    Internal method to verify link or layout signatures and terminate the
    process with an exit status that reflects the outcome.

  <Arguments>
    metadata:
            Metablock object (contains Link or Layout object)
    args:
            see argparser; `args.key` is the list of RSA public key files
            handed to `util.import_rsa_public_keys_from_files_as_dict`

  <Exceptions>
    SystemExit(0) if verification passes
    SystemExit(1) if verification fails
    SystemExit(2) if any exception occurs

  """
    try:
        # Turn the key files named on the command line into a KEYDICT; these
        # are the only keys the signatures are checked against.
        verification_keys = util.import_rsa_public_keys_from_files_as_dict(
            args.key)

        # NOTE(review): whether verify_signatures rejects an empty key dict is
        # not visible here — confirm; a zero-key run must not count as a pass.
        metadata.verify_signatures(verification_keys)

        log.pass_verification("Signature verification passed")
        sys.exit(0)

    except exceptions.SignatureVerificationError as err:
        log.fail_verification("Signature verification failed: {}".format(err))
        sys.exit(1)

    except Exception as err:
        # Any other failure (unreadable key file, malformed metadata, ...) is
        # reported as an error rather than as a failed verification.
        log.error("The following error occurred while verifying signatures: "
                  "{}".format(err))
        sys.exit(2)
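def main():
    """Fetch an in-toto layout and its link metadata from Grafeas and verify them.

    The layout key given on the command line is the root of trust for the
    whole verification; it is read from a local file, never from the server
    whose content it vouches for. Any failure to load the key or the layout,
    to fetch a link occurrence, or to verify the supply chain is printed and
    turned into exit status 1.
    """
    args = parse_arguments()

    # Point the generated Grafeas client at the server named on the command line.
    swagger_client.configuration.host = args.target
    api_instance = swagger_client.GrafeasApi()

    try:
        # A single layout key is supported here; it is wrapped in a list
        # because the helper expects one path per key.
        pubkey = util.import_rsa_public_keys_from_files_as_dict([args.key])
        layout = fetch_layout(args.project_id, api_instance)

    except Exception as e:
        print("Exception when fetching the in-toto layout\n{}: {}".format(
            type(e).__name__, e))
        sys.exit(1)

    # Fetch the link metadata for every step, one occurrence per key that
    # is authorised to sign that step.
    # NOTE(review): the return value of fetch_occurrence is discarded, so it
    # presumably persists the link where in_toto_verify can find it — confirm
    # against its body.
    for step in layout.signed.steps:
        for keyid in step.pubkeys:
            try:
                fetch_occurrence(args.project_id, step.name, keyid,
                                 api_instance)
            except ApiException as e:
                # Report the failure the same way the other stages do instead
                # of re-raising (the old `raise e` rewrote the traceback and
                # was followed by an unreachable `pass`).
                print("Exception when fetching link metadata for step '{}' "
                      "and keyid '{}'\n{}: {}".format(
                          step.name, keyid, type(e).__name__, e))
                sys.exit(1)

    try:
        verifylib.in_toto_verify(layout, pubkey)
    except Exception as e:
        print("Exception when verifying the supply chain\n{}: {}".format(
            type(e).__name__, e))
        sys.exit(1)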
 def test_verify_failing_inspection_exits_non_zero(self):
     """An inspection command that exits non-zero must fail verification. """
     keys = import_rsa_public_keys_from_files_as_dict([self.alice_path])
     metablock = Metablock.load(self.layout_failing_inspection_retval)
     # The layout fixture carries an inspection whose command returns a
     # non-zero status; the verifier must surface that as BadReturnValueError.
     with self.assertRaises(BadReturnValueError):
         in_toto_verify(metablock, keys)
 def test_verify_failing_inspection_rules(self):
     """An inspection whose artifact rule is violated must fail verification. """
     keys = import_rsa_public_keys_from_files_as_dict([self.alice_path])
     metablock = Metablock.load(self.layout_failing_inspection_rule_path)
     # Note the project's exception name really is spelled "Verfication".
     with self.assertRaises(RuleVerficationError):
         in_toto_verify(metablock, keys)
 def test_verify_failing_layout_expired(self):
     """An expired layout must be rejected even when its signatures are valid. """
     signer_paths = [self.alice_path, self.bob_path]
     keys = import_rsa_public_keys_from_files_as_dict(signer_paths)
     metablock = Metablock.load(self.layout_expired_path)
     with self.assertRaises(LayoutExpiredError):
         in_toto_verify(metablock, keys)
 def test_verify_failing_missing_key(self):
     """A double-signed layout verified with only one of its keys must fail. """
     # Only bob's key is supplied for a layout that was signed by alice and
     # bob; the missing key must be reported as a signature failure, not
     # silently ignored.
     keys = import_rsa_public_keys_from_files_as_dict([self.bob_path])
     metablock = Metablock.load(self.layout_double_signed_path)
     with self.assertRaises(SignatureVerificationError):
         in_toto_verify(metablock, keys)
 def test_verify_failing_bad_signature(self):
     """A layout whose signature does not verify under the given key must fail. """
     keys = import_rsa_public_keys_from_files_as_dict([self.alice_path])
     metablock = Metablock.load(self.layout_bad_sig)
     with self.assertRaises(SignatureVerificationError):
         in_toto_verify(metablock, keys)
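 def test_verify_failing_link_metadata_files(self):
     """Test fail verification with link metadata files not found. """
     # Hide the link file so the verifier cannot find it. The restore lives
     # in a `finally` so that a failing assertion (or any other exception)
     # does not leave the shared fixture renamed for every later test.
     os.rename("package.2f89b927.link", "package.link.bak")
     try:
         layout = Metablock.load(self.layout_single_signed_path)
         layout_key_dict = import_rsa_public_keys_from_files_as_dict(
             [self.alice_path])
         with self.assertRaises(in_toto.exceptions.LinkNotFoundError):
             in_toto_verify(layout, layout_key_dict)
     finally:
         os.rename("package.link.bak", "package.2f89b927.link")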
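  def test_import_rsa_public_keys_from_files_as_dict(self):
    """Create and import multiple rsa public keys and return KEYDICT. """
    # Key pairs are written to the current directory under these names; the
    # public halves get a ".pub" suffix. Cleanup is presumably handled by
    # the class fixture — confirm.
    name1 = "key4"
    name2 = "key5"
    generate_and_write_rsa_keypair(name1)
    generate_and_write_rsa_keypair(name2)

    # Successfully import the public keys as a KEYDICT and validate its schema
    key_dict = import_rsa_public_keys_from_files_as_dict([name1 + ".pub",
        name2 + ".pub"])
    securesystemslib.formats.KEYDICT_SCHEMA.check_match(key_dict)

    # A file that is not a PEM public key must be rejected. The handle is
    # closed via `with` (the original leaked it) so the content is flushed
    # before the importer reads the file back.
    not_an_rsa = "not_an_rsa"
    with open(not_an_rsa, "w") as fp:
      fp.write(not_an_rsa)
    with self.assertRaises(securesystemslib.exceptions.FormatError):
      import_rsa_public_keys_from_files_as_dict([name1 + ".pub", not_an_rsa])

    # Passing the private key files (no ".pub" suffix) must also be rejected
    with self.assertRaises(securesystemslib.exceptions.FormatError):
      import_rsa_public_keys_from_files_as_dict([name1, name2])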
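def _verify_metadata(metadata, args):
    """
  <Purpose>
    Internal method to verify link or layout signatures and terminate the
    process with an exit status that reflects the outcome.

  <Arguments>
    metadata:
            Metablock object (contains Link or Layout object)
    args:
            see argparser; one of `args.key` (list of RSA public key files)
            or `args.gpg` (list of gpg keyids looked up in `args.gpg_home`)
            is expected to be set

  <Exceptions>
    SystemExit(0) if verification passes
    SystemExit(1) if verification fails
    SystemExit(2) if any exception occurs, or if no verification key could
                  be loaded (an empty key set would otherwise "pass" without
                  a single signature having been checked)

  """
    try:
        # Load pubkeys from disk ....
        if args.key is not None:
            pub_key_dict = util.import_rsa_public_keys_from_files_as_dict(
                args.key)

        # ... or from gpg keyring
        elif args.gpg is not None:  # pragma: no branch
            pub_key_dict = util.import_gpg_public_keys_from_keyring_as_dict(
                args.gpg, args.gpg_home)

        else:
            # argparse is expected to make this unreachable; fail with a
            # clear message rather than an unbound-name error.
            raise ValueError("no verification key given (--key or --gpg)")

        # Every loaded key must verify. With an empty key set the loop below
        # would not run at all and the metadata would be reported as verified
        # vacuously, so refuse that case explicitly.
        if not pub_key_dict:
            log.error("No verification keys were loaded")
            sys.exit(2)

        for keyid, verification_key in six.iteritems(pub_key_dict):
            metadata.verify_signature(verification_key)
            log.info(
                "Signature verification passed for keyid '{}'".format(keyid))

        sys.exit(0)

    except exceptions.SignatureVerificationError as e:
        log.error("Signature verification failed: {}".format(e))
        sys.exit(1)

    except Exception as e:
        # SystemExit is not an Exception subclass, so the exits above are
        # not intercepted here.
        log.error("The following error occurred while verifying signatures: "
                  "{}".format(e))
        sys.exit(2)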
 def test_verify_passing_double_signed_layout(self):
     """A layout signed by alice and bob verifies when both keys are given. """
     signer_paths = [self.alice_path, self.bob_path]
     keys = import_rsa_public_keys_from_files_as_dict(signer_paths)
     metablock = Metablock.load(self.layout_double_signed_path)
     # No exception means the full supply chain verified.
     in_toto_verify(metablock, keys)