def build(self, root_pub_path, targets_pub_path, timestamp_pub_path): """ Create a new repo :param root_pub_path: path where the public root key lives :type root_pub_path: str :param targets_pub_path: path where the public targets key lives :type targets_pub_path: str :param timestamp_pub_path: path where the public timestamp key lives :type timestamp_pub_path: str """ repository = create_new_repository(self._repo_path) pub_root_key = import_rsa_publickey_from_file(root_pub_path) repository.root.add_verification_key(pub_root_key) repository.root.load_signing_key(self._key) pub_target_key = import_rsa_publickey_from_file(targets_pub_path) repository.targets.add_verification_key(pub_target_key) repository.snapshot.add_verification_key(pub_target_key) repository.targets.compressions = ["gz"] repository.snapshot.compressions = ["gz"] pub_timestamp_key = import_rsa_publickey_from_file(timestamp_pub_path) repository.timestamp.add_verification_key(pub_timestamp_key) repository.write_partial()
def build(self, root_pub_path, targets_pub_path, timestamp_pub_path): """ Create or update the repo :param root_pub_path: path where the public root key lives :type root_pub_path: str :param targets_pub_path: path where the public targets key lives :type targets_pub_path: str :param timestamp_pub_path: path where the public timestamp key lives :type timestamp_pub_path: str """ if exists(self._repo_path) and listdir(self._repo_path) != []: repository = load_repository(self._repo_path) else: repository = create_new_repository(self._repo_path) pub_root_key = import_rsa_publickey_from_file(root_pub_path) repository.root.add_verification_key(pub_root_key) repository.root.load_signing_key(self._key) repository.root.expiration = (datetime.datetime.now() + datetime.timedelta(days=EXPIRATION_DAYS)) pub_target_key = import_rsa_publickey_from_file(targets_pub_path) repository.targets.add_verification_key(pub_target_key) repository.snapshot.add_verification_key(pub_target_key) repository.targets.compressions = ["gz"] repository.snapshot.compressions = ["gz"] pub_timestamp_key = import_rsa_publickey_from_file(timestamp_pub_path) repository.timestamp.add_verification_key(pub_timestamp_key) try: repository.write_partial() except: pass
def _add_metadata(self, repository, root_key_password=None, targets_key_password=None, snapshot_key_password=None, timestamp_key_password=None): from tuf.repository_tool import import_rsa_publickey_from_file, \ import_rsa_privatekey_from_file # Add root key to repository public_root_key = import_rsa_publickey_from_file( self._root_key_file + '.pub') if root_key_password is None: print('importing root key...') private_root_key = import_rsa_privatekey_from_file( self._root_key_file, root_key_password) repository.root.add_verification_key(public_root_key) repository.root.load_signing_key(private_root_key) repository.root.expiration = datetime.utcnow() + self._root_lifetime # Add targets key to repository public_targets_key = import_rsa_publickey_from_file( self._targets_key_file + '.pub') if targets_key_password is None: print('importing targets key...') private_targets_key = import_rsa_privatekey_from_file( self._targets_key_file, targets_key_password) repository.targets.add_verification_key(public_targets_key) repository.targets.load_signing_key(private_targets_key) # Add snapshot key to repository public_snapshot_key = import_rsa_publickey_from_file( self._snapshot_key_file + '.pub') if snapshot_key_password is None: print('importing snapshot key...') private_snapshot_key = import_rsa_privatekey_from_file( self._snapshot_key_file, snapshot_key_password) repository.snapshot.add_verification_key(public_snapshot_key) repository.snapshot.load_signing_key(private_snapshot_key) # Add timestamp key to repository public_timestamp_key = import_rsa_publickey_from_file( self._timestamp_key_file + '.pub') if timestamp_key_password is None: print('importing timestamp key...') private_timestamp_key = import_rsa_privatekey_from_file( self._timestamp_key_file, timestamp_key_password) repository.timestamp.add_verification_key(public_timestamp_key) repository.timestamp.load_signing_key(private_timestamp_key) # Write out metadata repository.writeall(consistent_snapshot=True)
def _add_metadata(self, repository, root_key_password=None, targets_key_password=None, snapshot_key_password=None, timestamp_key_password=None): from tuf.repository_tool import import_rsa_publickey_from_file, \ import_rsa_privatekey_from_file # Add root key to repository public_root_key = import_rsa_publickey_from_file( self._root_key_file + '.pub') if root_key_password is None: print('importing root key...') private_root_key = import_rsa_privatekey_from_file( self._root_key_file, root_key_password) repository.root.add_verification_key(public_root_key) repository.root.load_signing_key(private_root_key) repository.root.expiration = datetime.now() + self._root_lifetime # Add targets key to repository public_targets_key = import_rsa_publickey_from_file( self._targets_key_file + '.pub') if targets_key_password is None: print('importing targets key...') private_targets_key = import_rsa_privatekey_from_file( self._targets_key_file, targets_key_password) repository.targets.add_verification_key(public_targets_key) repository.targets.load_signing_key(private_targets_key) # Add snapshot key to repository public_snapshot_key = import_rsa_publickey_from_file( self._snapshot_key_file + '.pub') if snapshot_key_password is None: print('importing snapshot key...') private_snapshot_key = import_rsa_privatekey_from_file( self._snapshot_key_file, snapshot_key_password) repository.snapshot.add_verification_key(public_snapshot_key) repository.snapshot.load_signing_key(private_snapshot_key) # Add timestamp key to repository public_timestamp_key = import_rsa_publickey_from_file( self._timestamp_key_file + '.pub') if timestamp_key_password is None: print('importing timestamp key...') private_timestamp_key = import_rsa_privatekey_from_file( self._timestamp_key_file, timestamp_key_password) repository.timestamp.add_verification_key(public_timestamp_key) repository.timestamp.load_signing_key(private_timestamp_key) # Write out metadata repository.write(consistent_snapshot=True)
def _load_role_keys(keystore_directory): # Populating 'self.role_keys' by importing the required public and private # keys of 'tuf/tests/repository_data/'. The role keys are needed when # modifying the remote repository used by the test cases in this unit test. # The pre-generated key files in 'repository_data/keystore' are all encrypted with # a 'password' passphrase. EXPECTED_KEYFILE_PASSWORD = '******' # Store and return the cryptography keys of the top-level roles, including 1 # delegated role. role_keys = {} root_key_file = os.path.join(keystore_directory, 'root_key') targets_key_file = os.path.join(keystore_directory, 'targets_key') snapshot_key_file = os.path.join(keystore_directory, 'snapshot_key') timestamp_key_file = os.path.join(keystore_directory, 'timestamp_key') delegation_key_file = os.path.join(keystore_directory, 'delegation_key') role_keys = { 'root': {}, 'targets': {}, 'snapshot': {}, 'timestamp': {}, 'role1': {} } # Import the top-level and delegated role public keys. role_keys['root']['public'] = \ repo_tool.import_rsa_publickey_from_file(root_key_file+'.pub') role_keys['targets']['public'] = \ repo_tool.import_ed25519_publickey_from_file(targets_key_file + '.pub') role_keys['snapshot']['public'] = \ repo_tool.import_ed25519_publickey_from_file(snapshot_key_file + '.pub') role_keys['timestamp']['public'] = \ repo_tool.import_ed25519_publickey_from_file(timestamp_key_file + '.pub') role_keys['role1']['public'] = \ repo_tool.import_ed25519_publickey_from_file(delegation_key_file + '.pub') # Import the private keys of the top-level and delegated roles. role_keys['root']['private'] = \ repo_tool.import_rsa_privatekey_from_file(root_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['targets']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(targets_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['snapshot']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(snapshot_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['timestamp']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(timestamp_key_file, EXPECTED_KEYFILE_PASSWORD) role_keys['role1']['private'] = \ repo_tool.import_ed25519_privatekey_from_file(delegation_key_file, EXPECTED_KEYFILE_PASSWORD) return role_keys
def test_root_role_versioning(self): # Test root role versioning # # 1. Import public and private keys. # 2. Add verification keys. # 3. Load signing keys. # 4. Add target files. # 5. Perform delegation. # 6. writeall() # # Copy the target files from 'tuf/tests/repository_data' so that writeall() # has target fileinfo to include in metadata. temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory) targets_directory = os.path.join(temporary_directory, 'repository', repo_tool.TARGETS_DIRECTORY_NAME) original_targets_directory = os.path.join('repository_data', 'repository', 'targets') shutil.copytree(original_targets_directory, targets_directory) # In this case, create_new_repository() creates the 'repository/' # sub-directory in 'temporary_directory' if it does not exist. repository_directory = os.path.join(temporary_directory, 'repository') metadata_directory = os.path.join(repository_directory, repo_tool.METADATA_STAGED_DIRECTORY_NAME) repository = repo_tool.create_new_repository(repository_directory) # (1) Load the public and private keys of the top-level roles, and one # delegated role. keystore_directory = os.path.join('repository_data', 'keystore') # Load the public keys. root_pubkey_path = os.path.join(keystore_directory, 'root_key.pub') targets_pubkey_path = os.path.join(keystore_directory, 'targets_key.pub') snapshot_pubkey_path = os.path.join(keystore_directory, 'snapshot_key.pub') timestamp_pubkey_path = os.path.join(keystore_directory, 'timestamp_key.pub') role1_pubkey_path = os.path.join(keystore_directory, 'delegation_key.pub') root_pubkey = repo_tool.import_rsa_publickey_from_file(root_pubkey_path) targets_pubkey = repo_tool.import_ed25519_publickey_from_file(targets_pubkey_path) snapshot_pubkey = \ repo_tool.import_ed25519_publickey_from_file(snapshot_pubkey_path) timestamp_pubkey = \ repo_tool.import_ed25519_publickey_from_file(timestamp_pubkey_path) role1_pubkey = repo_tool.import_ed25519_publickey_from_file(role1_pubkey_path) # Load the private keys. root_privkey_path = os.path.join(keystore_directory, 'root_key') targets_privkey_path = os.path.join(keystore_directory, 'targets_key') snapshot_privkey_path = os.path.join(keystore_directory, 'snapshot_key') timestamp_privkey_path = os.path.join(keystore_directory, 'timestamp_key') role1_privkey_path = os.path.join(keystore_directory, 'delegation_key') root_privkey = \ repo_tool.import_rsa_privatekey_from_file(root_privkey_path, 'password') targets_privkey = \ repo_tool.import_ed25519_privatekey_from_file(targets_privkey_path, 'password') snapshot_privkey = \ repo_tool.import_ed25519_privatekey_from_file(snapshot_privkey_path, 'password') timestamp_privkey = \ repo_tool.import_ed25519_privatekey_from_file(timestamp_privkey_path, 'password') role1_privkey = \ repo_tool.import_ed25519_privatekey_from_file(role1_privkey_path, 'password') # (2) Add top-level verification keys. repository.root.add_verification_key(root_pubkey) repository.targets.add_verification_key(targets_pubkey) repository.snapshot.add_verification_key(snapshot_pubkey) repository.timestamp.add_verification_key(timestamp_pubkey) # (3) Load top-level signing keys. repository.root.load_signing_key(root_privkey) repository.targets.load_signing_key(targets_privkey) repository.snapshot.load_signing_key(snapshot_privkey) repository.timestamp.load_signing_key(timestamp_privkey) # (4) Add target files. target1 = 'file1.txt' target2 = 'file2.txt' target3 = 'file3.txt' repository.targets.add_target(target1) repository.targets.add_target(target2) # (5) Perform delegation. repository.targets.delegate('role1', [role1_pubkey], [target3]) repository.targets('role1').load_signing_key(role1_privkey) # (6) Write repository. repository.writeall() self.assertTrue(os.path.exists(os.path.join(metadata_directory, 'root.json'))) self.assertTrue(os.path.exists(os.path.join(metadata_directory, '1.root.json'))) # Verify that the expected metadata is written. root_filepath = os.path.join(metadata_directory, 'root.json') root_1_filepath = os.path.join(metadata_directory, '1.root.json') root_2_filepath = os.path.join(metadata_directory, '2.root.json') old_root_signable = securesystemslib.util.load_json_file(root_filepath) root_1_signable = securesystemslib.util.load_json_file(root_1_filepath) # Make a change to the root keys repository.root.add_verification_key(targets_pubkey) repository.root.load_signing_key(targets_privkey) repository.root.threshold = 2 repository.writeall() new_root_signable = securesystemslib.util.load_json_file(root_filepath) root_2_signable = securesystemslib.util.load_json_file(root_2_filepath) for role_signable in [old_root_signable, new_root_signable, root_1_signable, root_2_signable]: # Raise 'securesystemslib.exceptions.FormatError' if 'role_signable' is an # invalid signable. tuf.formats.check_signable_object_format(role_signable) # Verify contents of versioned roots self.assertEqual(old_root_signable, root_1_signable) self.assertEqual(new_root_signable, root_2_signable) self.assertEqual(root_1_signable['signed']['version'], 1) self.assertEqual(root_2_signable['signed']['version'], 2) repository.root.remove_verification_key(root_pubkey) repository.root.unload_signing_key(root_privkey) repository.root.threshold = 2 # Errors, not enough signing keys to satisfy old threshold self.assertRaises(tuf.exceptions.UnsignedMetadataError, repository.writeall) # No error, write() ignore's root's threshold and allows it to be written # to disk partially signed. repository.write('root')