Skip to content

Rotate roots per spec #143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 58 commits into from
Sep 17, 2021
Merged

Rotate roots per spec #143

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
58 commits
Select commit Hold shift + click to select a range
612bb21
update roots
hosseinsia Aug 10, 2021
0eadd6f
removing some debugging comments
hosseinsia Aug 10, 2021
429f285
removing duplicate code for getLocalRootMeta by calling it from getLo…
hosseinsia Aug 10, 2021
3cb1a91
fix based on the reviews.
hosseinsia Aug 12, 2021
65ba0e6
enable an arbitrary root verify another root (use case: n verify n+1)…
hosseinsia Aug 16, 2021
db4f2f5
check non root metadata, refactor test, address comments
hosseinsia Aug 23, 2021
79015d6
updated according to the comments
hosseinsia Aug 26, 2021
fd3d340
remove persistent metadata is the keys have changed.
hosseinsia Aug 27, 2021
0bea98a
removing the unused ErrWrongRootVersion
hosseinsia Aug 27, 2021
9d5a91a
add DeleteMeta to the LocalStore interface and implemenet in MemoryLo…
hosseinsia Aug 30, 2021
f21b3aa
delete (instead of setting to an empty raw message) the top-level met…
hosseinsia Aug 30, 2021
d3c530b
add test fixtures for fast forward attack recovery.
hosseinsia Sep 1, 2021
48c1746
test for fast forward attack recovery
hosseinsia Sep 1, 2021
f0ad38e
addressed several comments.
hosseinsia Sep 3, 2021
c34393a
addressed more comments. Set the rootVersion in loadAndVerifyLocalRoo…
hosseinsia Sep 4, 2021
caa02e0
Fixed a buggy test.
hosseinsia Sep 4, 2021
80c4246
fix comment typos
hosseinsia Sep 4, 2021
b670942
fix race condition related to the expired check.
hosseinsia Sep 7, 2021
a632c52
fix race condition related to the expired check.
hosseinsia Sep 7, 2021
b2489e1
kill unmarshalIgnoreExpired.
hosseinsia Sep 7, 2021
31a0aad
add test for root update for client version above 1.
hosseinsia Sep 7, 2021
8ed506c
add test for root update for client version greater than 1.
hosseinsia Sep 7, 2021
3accd78
update the VerifyIgnoreExpiredCheck method signature and add test for…
hosseinsia Sep 7, 2021
b84bac0
Avoid mocking IsExpired in the tests. Instead update test fixtured to…
hosseinsia Sep 8, 2021
1466b03
remove commented code
hosseinsia Sep 8, 2021
381cf45
update fixtures and clarify test comments.
hosseinsia Sep 10, 2021
717a30d
updating the comments based on the feedbacks.
hosseinsia Sep 10, 2021
f3116af
update roots
hosseinsia Aug 10, 2021
a27e4ba
removing some debugging comments
hosseinsia Aug 10, 2021
8565549
removing duplicate code for getLocalRootMeta by calling it from getLo…
hosseinsia Aug 10, 2021
fe99b01
fix based on the reviews.
hosseinsia Aug 12, 2021
2162d8e
enable an arbitrary root verify another root (use case: n verify n+1)…
hosseinsia Aug 16, 2021
d66bf74
check non root metadata, refactor test, address comments
hosseinsia Aug 23, 2021
3be509a
updated according to the comments
hosseinsia Aug 26, 2021
68165bc
remove persistent metadata is the keys have changed.
hosseinsia Aug 27, 2021
9b09c52
removing the unused ErrWrongRootVersion
hosseinsia Aug 27, 2021
42f234a
delete (instead of setting to an empty raw message) the top-level met…
hosseinsia Aug 30, 2021
f4435ba
add test fixtures for fast forward attack recovery.
hosseinsia Sep 1, 2021
c5ab46b
test for fast forward attack recovery
hosseinsia Sep 1, 2021
0a3186c
addressed several comments.
hosseinsia Sep 3, 2021
74ff44a
addressed more comments. Set the rootVersion in loadAndVerifyLocalRoo…
hosseinsia Sep 4, 2021
3747c88
Fixed a buggy test.
hosseinsia Sep 4, 2021
2a735ea
fix comment typos
hosseinsia Sep 4, 2021
3e5557b
Update client/client_test.go
hosseinsia Sep 4, 2021
ab81279
Update client/client_test.go
hosseinsia Sep 4, 2021
c3e4817
fix race condition related to the expired check.
hosseinsia Sep 7, 2021
0f72725
fix race condition related to the expired check.
hosseinsia Sep 7, 2021
3505474
kill unmarshalIgnoreExpired.
hosseinsia Sep 7, 2021
1e7d10f
add test for root update for client version above 1.
hosseinsia Sep 7, 2021
1a51430
add test for root update for client version greater than 1.
hosseinsia Sep 7, 2021
32ebe0a
update the VerifyIgnoreExpiredCheck method signature and add test for…
hosseinsia Sep 7, 2021
9681093
Avoid mocking IsExpired in the tests. Instead update test fixtured to…
hosseinsia Sep 8, 2021
0f5fe0e
remove commented code
hosseinsia Sep 8, 2021
79e0bc6
update fixtures and clarify test comments.
hosseinsia Sep 10, 2021
ba6ffde
updating the comments based on the feedbacks.
hosseinsia Sep 10, 2021
bdb5cee
rebase and update test cases to long expiration (10 years from now), …
hosseinsia Sep 12, 2021
45675bf
add test cases for (1) when there is no local root, (2) there is a lo…
hosseinsia Sep 16, 2021
d04805c
remove the 'previous' of test folders
hosseinsia Sep 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 10 additions & 4 deletions client/client_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -386,11 +386,13 @@ func newClientWithMeta(baseDir string, relPath string, serverAddr string) (*Clie
}
c := NewClient(MemoryLocalStore(), remote)
for _, m := range []string{"root.json", "snapshot.json", "timestamp.json", "targets.json"} {
metadataJSON, err := ioutil.ReadFile(initialStateDir + "/" + m)
if err != nil {
return nil, err
if _, err := os.Stat(initialStateDir + "/" + m); err == nil {
metadataJSON, err := ioutil.ReadFile(initialStateDir + "/" + m)
if err != nil {
return nil, err
}
c.local.SetMeta(m, metadataJSON)
}
c.local.SetMeta(m, metadataJSON)
}
return c, nil
}
Expand All @@ -411,6 +413,8 @@ func (s *ClientSuite) TestUpdateRoots(c *C) {
}{
// Succeeds when there is no root update.
{"testdata/Published1Time", nil, map[string]int{"root": 1, "timestamp": 1, "snapshot": 1, "targets": 1}},
// Succeeds when client only has root.json
{"testdata/Published1Time_client_root_only", nil, map[string]int{"root": 1, "timestamp": 1, "snapshot": 1, "targets": 1}},
// Succeeds updating root from version 1 to version 2.
{"testdata/Published2Times_keyrotated", nil, map[string]int{"root": 2, "timestamp": 1, "snapshot": 1, "targets": 1}},
// Succeeds updating root from version 1 to version 2 when the client's initial root version is expired.
Expand All @@ -429,6 +433,8 @@ func (s *ClientSuite) TestUpdateRoots(c *C) {
{"testdata/Published1Time_backwardRootVersion", verify.ErrWrongVersion(verify.ErrWrongVersion{Given: 1, Expected: 2}), map[string]int{}},
// Fails updating root to 2.root.json when the value of the version field inside it is 3 (rollforward attack prevention).
{"testdata/Published3Times_keyrotated_forwardRootVersion", verify.ErrWrongVersion(verify.ErrWrongVersion{Given: 3, Expected: 2}), map[string]int{}},
// Fails updating when there is no local trusted root.
{"testdata/Published1Time_client_no_root", errors.New("tuf: no root keys found in local meta store"), map[string]int{}},

// snapshot role key rotation increase the snapshot and timestamp.
{"testdata/Published2Times_snapshot_keyrotated", nil, map[string]int{"root": 2, "timestamp": 2, "snapshot": 2, "targets": 1}},
Expand Down
19 changes: 19 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/current/1.snapshot.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"signatures": [
{
"keyid": "77dfdca206c0fe1b8e55d67d21dd0e195a0998a9d2b56c6d3ee8f68d04c21e93",
"sig": "60a5724ac31af58ece866b723ab121a168b9e93f0033a98dd8449e6550f4d897db0329cdb135fd3a016c8c375e4177c16f1f4d3ada550eb6d06a52b5c84fbb07"
}
],
"signed": {
"_type": "snapshot",
"expires": "2031-09-14T02:30:57Z",
"meta": {
"targets.json": {
"version": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
19 changes: 19 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/current/1.targets.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"signatures": [
{
"keyid": "e4dae3872d28d29f7624a702bfd25f68453544d597229ee9e0a8569d1f940cf4",
"sig": "ecb8da4380f992d0d80cbcb78c31c91baf171dad346725fcbf6b1487f52653fc9a2f1ab46a28d32a733a48badbbd316814dcda52cc49cf3bf6fb415403ce7a0a"
}
],
"signed": {
"_type": "targets",
"delegations": {
"keys": {},
"roles": []
},
"expires": "2031-09-14T02:30:57Z",
"spec_version": "1.0.0",
"targets": {},
"version": 1
}
}
24 changes: 24 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/current/1.timestamp.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"signatures": [
{
"keyid": "3a05831328273e4b821c3bbe1fed0c5332749d8e071675879af26a401a5c85ae",
"sig": "4e4f72264b522cf8e2867fcaf1a6b1463d43bdf58027fb5770b6d611ae68a9f36b93ce5a50f874744ef1d7b72a11ad685f24081511c306fd7118dc60c90bdf08"
}
],
"signed": {
"_type": "timestamp",
"expires": "2031-09-14T02:30:57Z",
"meta": {
"snapshot.json": {
"hashes": {
"sha256": "195c327842ae9601900016a50d0536a05136bfbf55ddb70657427ae12ed52181",
"sha512": "8deed35dcd9d634fcce94c42049829078c15a57d35ee83b15c201b6a0c80111fefba49cca522dedb1d79bc000393bf6c45b72d485f9d027f7c5a3f8922734a5c"
},
"length": 431,
"version": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
19 changes: 19 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/current/snapshot.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"signatures": [
{
"keyid": "77dfdca206c0fe1b8e55d67d21dd0e195a0998a9d2b56c6d3ee8f68d04c21e93",
"sig": "60a5724ac31af58ece866b723ab121a168b9e93f0033a98dd8449e6550f4d897db0329cdb135fd3a016c8c375e4177c16f1f4d3ada550eb6d06a52b5c84fbb07"
}
],
"signed": {
"_type": "snapshot",
"expires": "2031-09-14T02:30:57Z",
"meta": {
"targets.json": {
"version": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
19 changes: 19 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/current/targets.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"signatures": [
{
"keyid": "e4dae3872d28d29f7624a702bfd25f68453544d597229ee9e0a8569d1f940cf4",
"sig": "ecb8da4380f992d0d80cbcb78c31c91baf171dad346725fcbf6b1487f52653fc9a2f1ab46a28d32a733a48badbbd316814dcda52cc49cf3bf6fb415403ce7a0a"
}
],
"signed": {
"_type": "targets",
"delegations": {
"keys": {},
"roles": []
},
"expires": "2031-09-14T02:30:57Z",
"spec_version": "1.0.0",
"targets": {},
"version": 1
}
}
24 changes: 24 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/current/timestamp.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"signatures": [
{
"keyid": "3a05831328273e4b821c3bbe1fed0c5332749d8e071675879af26a401a5c85ae",
"sig": "4e4f72264b522cf8e2867fcaf1a6b1463d43bdf58027fb5770b6d611ae68a9f36b93ce5a50f874744ef1d7b72a11ad685f24081511c306fd7118dc60c90bdf08"
}
],
"signed": {
"_type": "timestamp",
"expires": "2031-09-14T02:30:57Z",
"meta": {
"snapshot.json": {
"hashes": {
"sha256": "195c327842ae9601900016a50d0536a05136bfbf55ddb70657427ae12ed52181",
"sha512": "8deed35dcd9d634fcce94c42049829078c15a57d35ee83b15c201b6a0c80111fefba49cca522dedb1d79bc000393bf6c45b72d485f9d027f7c5a3f8922734a5c"
},
"length": 431,
"version": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
87 changes: 87 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/previous/1.root.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
{
"signatures": [
{
"keyid": "d4dab4b4d68b91665a6d0dac5b4e64677aa6d853fc787669168b4b4ba9822129",
"sig": "257396e371baf489e38653fef8cf0c98d1915a1f61f5bfbb0e3a03bad7c863795b738cdddc6b6899354447cfed0de0f79f8eaeec7acd509322009ee90c49b20d"
}
],
"signed": {
"_type": "root",
"consistent_snapshot": true,
"expires": "2031-09-14T02:30:57Z",
"keys": {
"3a05831328273e4b821c3bbe1fed0c5332749d8e071675879af26a401a5c85ae": {
"keyid_hash_algorithms": [
"sha256",
"sha512"
],
"keytype": "ed25519",
"keyval": {
"public": "6bac59b8d9e1aae02fae6fba6e7fe3fc9fe5b4a9fe98c3fca255d8c8ec3e5b35"
},
"scheme": "ed25519"
},
"77dfdca206c0fe1b8e55d67d21dd0e195a0998a9d2b56c6d3ee8f68d04c21e93": {
"keyid_hash_algorithms": [
"sha256",
"sha512"
],
"keytype": "ed25519",
"keyval": {
"public": "6400d770c7c1bce4b3d59ce0079ed686e843b6500bbea77d869a1ae7df4565a1"
},
"scheme": "ed25519"
},
"d4dab4b4d68b91665a6d0dac5b4e64677aa6d853fc787669168b4b4ba9822129": {
"keyid_hash_algorithms": [
"sha256",
"sha512"
],
"keytype": "ed25519",
"keyval": {
"public": "28bf74baa87ed923f8fa27e3292684f8ec4730ce0bdc65150ed58199206ce089"
},
"scheme": "ed25519"
},
"e4dae3872d28d29f7624a702bfd25f68453544d597229ee9e0a8569d1f940cf4": {
"keyid_hash_algorithms": [
"sha256",
"sha512"
],
"keytype": "ed25519",
"keyval": {
"public": "e6ae9d3b67d7b3ce274130291dd90287f32b8fd72bfb4ac5430859ebd1c28a46"
},
"scheme": "ed25519"
}
},
"roles": {
"root": {
"keyids": [
"d4dab4b4d68b91665a6d0dac5b4e64677aa6d853fc787669168b4b4ba9822129"
],
"threshold": 1
},
"snapshot": {
"keyids": [
"77dfdca206c0fe1b8e55d67d21dd0e195a0998a9d2b56c6d3ee8f68d04c21e93"
],
"threshold": 1
},
"targets": {
"keyids": [
"e4dae3872d28d29f7624a702bfd25f68453544d597229ee9e0a8569d1f940cf4"
],
"threshold": 1
},
"timestamp": {
"keyids": [
"3a05831328273e4b821c3bbe1fed0c5332749d8e071675879af26a401a5c85ae"
],
"threshold": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
19 changes: 19 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/previous/1.snapshot.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"signatures": [
{
"keyid": "77dfdca206c0fe1b8e55d67d21dd0e195a0998a9d2b56c6d3ee8f68d04c21e93",
"sig": "60a5724ac31af58ece866b723ab121a168b9e93f0033a98dd8449e6550f4d897db0329cdb135fd3a016c8c375e4177c16f1f4d3ada550eb6d06a52b5c84fbb07"
}
],
"signed": {
"_type": "snapshot",
"expires": "2031-09-14T02:30:57Z",
"meta": {
"targets.json": {
"version": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
19 changes: 19 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/previous/1.targets.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"signatures": [
{
"keyid": "e4dae3872d28d29f7624a702bfd25f68453544d597229ee9e0a8569d1f940cf4",
"sig": "ecb8da4380f992d0d80cbcb78c31c91baf171dad346725fcbf6b1487f52653fc9a2f1ab46a28d32a733a48badbbd316814dcda52cc49cf3bf6fb415403ce7a0a"
}
],
"signed": {
"_type": "targets",
"delegations": {
"keys": {},
"roles": []
},
"expires": "2031-09-14T02:30:57Z",
"spec_version": "1.0.0",
"targets": {},
"version": 1
}
}
24 changes: 24 additions & 0 deletions client/testdata/Published1Time_client_no_root/client/metadata/previous/1.timestamp.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"signatures": [
{
"keyid": "3a05831328273e4b821c3bbe1fed0c5332749d8e071675879af26a401a5c85ae",
"sig": "4e4f72264b522cf8e2867fcaf1a6b1463d43bdf58027fb5770b6d611ae68a9f36b93ce5a50f874744ef1d7b72a11ad685f24081511c306fd7118dc60c90bdf08"
}
],
"signed": {
"_type": "timestamp",
"expires": "2031-09-14T02:30:57Z",
"meta": {
"snapshot.json": {
"hashes": {
"sha256": "195c327842ae9601900016a50d0536a05136bfbf55ddb70657427ae12ed52181",
"sha512": "8deed35dcd9d634fcce94c42049829078c15a57d35ee83b15c201b6a0c80111fefba49cca522dedb1d79bc000393bf6c45b72d485f9d027f7c5a3f8922734a5c"
},
"length": 431,
"version": 1
}
},
"spec_version": "1.0.0",
"version": 1
}
}
Loading