Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
# repository's metadata directory.
timestamp_path = os.path.join(self.repository_directory, 'metadata',
'timestamp.json')
backup_timestamp = os.path.join(self.repository_directory,
'timestamp.json.backup')
shutil.copy(timestamp_path, backup_timestamp)
# The fileinfo of the previous version is saved to verify that it is indeed
# accepted by the non-TUF client.
length, hashes = securesystemslib.util.get_file_details(backup_timestamp)
previous_fileinfo = tuf.formats.make_fileinfo(length, hashes)
# Modify the timestamp file on the remote repository.
repository = repo_tool.load_repository(self.repository_directory)
key_file = os.path.join(self.keystore_directory, 'timestamp_key')
timestamp_private = repo_tool.import_ed25519_privatekey_from_file(key_file,
'password')
repository.timestamp.load_signing_key(timestamp_private)
# Set an arbitrary expiration so that the repository tool generates a new
# version.
repository.timestamp.expiration = datetime.datetime(2030, 1, 1, 12, 12)
repository.writeall()
# Move the staged metadata to the "live" metadata.
shutil.rmtree(os.path.join(self.repository_directory, 'metadata'))
shutil.copytree(os.path.join(self.repository_directory, 'metadata.staged'),
os.path.join(self.repository_directory, 'metadata'))
# Save the fileinfo of the new version generated to verify that it is
# saved by the client.
length, hashes = securesystemslib.util.get_file_details(timestamp_path)
role_keys['snapshot']['public'] = \
repo_tool.import_ed25519_publickey_from_file(snapshot_key_file+'.pub')
role_keys['timestamp']['public'] = \
repo_tool.import_ed25519_publickey_from_file(timestamp_key_file+'.pub')
role_keys['role1']['public'] = \
repo_tool.import_ed25519_publickey_from_file(delegation_key_file+'.pub')
# Import the private keys of the top-level and delegated roles.
role_keys['root']['private'] = \
repo_tool.import_rsa_privatekey_from_file(root_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['targets']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(targets_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['snapshot']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['timestamp']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['role1']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(delegation_key_file,
EXPECTED_KEYFILE_PASSWORD)
return role_keys
role1_pubkey = repo_tool.import_ed25519_publickey_from_file(role1_pubkey_path)
# Load the private keys.
root_privkey_path = os.path.join(keystore_directory, 'root_key')
targets_privkey_path = os.path.join(keystore_directory, 'targets_key')
snapshot_privkey_path = os.path.join(keystore_directory, 'snapshot_key')
timestamp_privkey_path = os.path.join(keystore_directory, 'timestamp_key')
role1_privkey_path = os.path.join(keystore_directory, 'delegation_key')
root_privkey = \
repo_tool.import_rsa_privatekey_from_file(root_privkey_path, 'password')
targets_privkey = \
repo_tool.import_ed25519_privatekey_from_file(targets_privkey_path,
'password')
snapshot_privkey = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_privkey_path,
'password')
timestamp_privkey = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_privkey_path,
'password')
role1_privkey = \
repo_tool.import_ed25519_privatekey_from_file(role1_privkey_path,
'password')
# (2) Add top-level verification keys.
repository.root.add_verification_key(root_pubkey)
repository.targets.add_verification_key(targets_pubkey)
repository.snapshot.add_verification_key(snapshot_pubkey)
# Verify that repository.writeall() fails for insufficient threshold
# of signatures (default threshold = 1).
repo_tool.import_ed25519_publickey_from_file(timestamp_key_file+'.pub')
role_keys['role1']['public'] = \
repo_tool.import_ed25519_publickey_from_file(delegation_key_file+'.pub')
# Import the private keys of the top-level and delegated roles.
role_keys['root']['private'] = \
repo_tool.import_rsa_privatekey_from_file(root_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['targets']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(targets_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['snapshot']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(snapshot_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['timestamp']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(timestamp_key_file,
EXPECTED_KEYFILE_PASSWORD)
role_keys['role1']['private'] = \
repo_tool.import_ed25519_privatekey_from_file(delegation_key_file,
EXPECTED_KEYFILE_PASSWORD)
return role_keys
def setUpModule():
"""
This is run once for the full module, before all tests.
It prepares some globals, including a single Primary ECU client instance.
When finished, it will also start up an OEM Repository Server,
Director Server, and Time Server. Currently, it requires them to be already
running.
"""
destroy_temp_dir()
private_key_fname = os.path.join(
os.getcwd(), 'demo', 'keys', 'director')
global test_signing_key
test_signing_key = repo_tool.import_ed25519_privatekey_from_file(
private_key_fname, 'pw')
def test_load_signing_key(self):
# Test normal case.
key_path = os.path.join('repository_data',
'keystore', 'snapshot_key')
key_object = repo_tool.import_ed25519_privatekey_from_file(key_path, 'password')
self.metadata.load_signing_key(key_object)
keyid = key_object['keyid']
self.assertEqual([keyid], self.metadata.signing_keys)
# Test improperly formatted arguments.
self.assertRaises(securesystemslib.exceptions.FormatError, self.metadata.load_signing_key, 3)
# Test non-private key.
key_path = os.path.join('repository_data',
'keystore', 'snapshot_key.pub')
key_object = repo_tool.import_ed25519_publickey_from_file(key_path)
self.assertRaises(securesystemslib.exceptions.Error, self.metadata.load_signing_key, key_object)
# Modify the timestamp file on the remote repository. 'timestamp.json'
# must be properly updated and signed with 'repository_tool.py', otherwise
# the client will reject it as invalid metadata.
# Load the repository
repository = repo_tool.load_repository(self.repository_directory)
# Load the timestamp and snapshot keys, since we will be signing a new
# timestamp and a new snapshot file.
key_file = os.path.join(self.keystore_directory, 'timestamp_key')
timestamp_private = repo_tool.import_ed25519_privatekey_from_file(key_file,
'password')
repository.timestamp.load_signing_key(timestamp_private)
key_file = os.path.join(self.keystore_directory, 'snapshot_key')
snapshot_private = repo_tool.import_ed25519_privatekey_from_file(key_file,
'password')
repository.snapshot.load_signing_key(snapshot_private)
# Expire snapshot in 10s. This should be far enough into the future that we
# haven't reached it before the first refresh validates timestamp expiry.
# We want a successful refresh before expiry, then a second refresh after
# expiry (which we then expect to raise an exception due to expired
# metadata).
expiry_time = time.time() + 10
datetime_object = tuf.formats.unix_timestamp_to_datetime(int(expiry_time))
repository.snapshot.expiration = datetime_object
# Now write to the repository.
repository.writeall()
def load_keys(self):
"""
"""
self.key_dirroot_pub = rt.import_ed25519_publickey_from_file('directorroot.pub')
self.key_dirroot_pri = rt.import_ed25519_privatekey_from_file('directorroot', password='pw')
self.key_dirtime_pub = rt.import_ed25519_publickey_from_file('directortimestamp.pub')
self.key_dirtime_pri = rt.import_ed25519_privatekey_from_file('directortimestamp', password='pw')
self.key_dirsnap_pub = rt.import_ed25519_publickey_from_file('directorsnapshot.pub')
self.key_dirsnap_pri = rt.import_ed25519_privatekey_from_file('directorsnapshot', password='pw')
self.key_dirtarg_pub = rt.import_ed25519_publickey_from_file('director.pub')
self.key_dirtarg_pri = rt.import_ed25519_privatekey_from_file('director', password='pw')
def load_keys(self):
"""
"""
self.key_dirroot_pub = rt.import_ed25519_publickey_from_file('directorroot.pub')
self.key_dirroot_pri = rt.import_ed25519_privatekey_from_file('directorroot', password='pw')
self.key_dirtime_pub = rt.import_ed25519_publickey_from_file('directortimestamp.pub')
self.key_dirtime_pri = rt.import_ed25519_privatekey_from_file('directortimestamp', password='pw')
self.key_dirsnap_pub = rt.import_ed25519_publickey_from_file('directorsnapshot.pub')
self.key_dirsnap_pri = rt.import_ed25519_privatekey_from_file('directorsnapshot', password='pw')
self.key_dirtarg_pub = rt.import_ed25519_publickey_from_file('director.pub')
self.key_dirtarg_pri = rt.import_ed25519_privatekey_from_file('director', password='pw')