Feature: Support for HSM-based root keys.

Test results for features/security/hsm_support.feature

Running behat features/security/hsm_support.feature results in:

@rugged @hsm_support @local @security @gitlab-160
Feature: Support for HSM-based root keys.
  In order to host TUF metadata using HSM-based root keys
  As an administrator
  I need to generate valid root metadata using keys and signatures from an HSM.

  Background:
    Given I reset Rugged
    And I run "sudo sudo -u rugged mkdir -p /var/rugged/tuf_repo/tmp"
    Given the file "/var/rugged/tuf_repo/partial/1.root.json" does not exist
    And the file "/var/rugged/tuf_repo/partial/signable-1.root.json" does not exist

  Scenario: End-to-end initializing of a repo using both PEM and TUF keys.
    Given I run "sudo openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root_private.pem"
    And I run "sudo openssl pkey -in /var/rugged/tuf_repo/tmp/root_private.pem -pubout | sudo tee -a /var/rugged/tuf_repo/tmp/root_public.pem"
    And I run "sudo openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root1_private.pem"
    And I run "sudo openssl pkey -in /var/rugged/tuf_repo/tmp/root1_private.pem -pubout | sudo tee -a /var/rugged/tuf_repo/tmp/root1_public.pem"
    And I run "sudo chown rugged:rugged /var/rugged/tuf_repo/tmp/*.pem"
    Given I run the Rugged command "rugged generate-keys --local --role=snapshot"
    And I run the Rugged command "rugged generate-keys --local --role=targets"
    And I run the Rugged command "rugged generate-keys --local --role=timestamp"
    Given I run the Rugged command "rugged initialize-partial-root-metadata"
    Given I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root_public.pem --key-type=pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root1_public.pem --key-type=pem"
    And I run the Rugged command "rugged add-verification-key snapshot /var/rugged/verification_keys/snapshot/snapshot.pub"
    And I run the Rugged command "rugged add-verification-key targets /var/rugged/verification_keys/targets/targets.pub"
    And I run the Rugged command "rugged add-verification-key timestamp /var/rugged/verification_keys/timestamp/timestamp.pub"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      Retrieved partial Root metadata for version 1 (1.root.json).
      === METADATA ===
      Expires in 364 days, 23 hours
      === SIGNATURES ===
      Signatures from new keys: 0/1 (Does not satisfy threshold)
      === KEYS ===
      root 2/2:
        type: ed25519
        keyid: 
      root 1/2:
        type: ed25519
        keyid: 
      snapshot 1/1:
        type: ed25519
        keyid: 
      targets 1/1:
        type: ed25519
        keyid: 
      timestamp 1/1:
        type: ed25519
        keyid: 
      === ROLES ===
      root:
        Keys required (to meet signature threshold): 1
        Keys provided: 2
        keyids: 
      snapshot:
        Keys required (to meet signature threshold): 1
        Keys provided: 1
        keyids: 
      targets:
        Keys required (to meet signature threshold): 1
        Keys provided: 1
        keyids: 
      timestamp:
        Keys required (to meet signature threshold): 1
        Keys provided: 1
        keyids: 
      """
    And I should not get:
      """
      signed by:
      """
    Given I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-1.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem | sudo sudo -u rugged tee -a /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-1.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem | sudo sudo -u rugged tee -a /var/rugged/tuf_repo/tmp/root1_signature.bin"
    Given I run the Rugged command "rugged add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      Retrieved partial Root metadata for version 1 (1.root.json).
      === METADATA ===
      Expires in 364 days, 23 hours
      === SIGNATURES ===
      Signatures from new keys: 2/1 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by new keyid:
        Signature 2 of 2: VALID -- signed by new keyid:
      === KEYS ===
      root 1/2:
        type: ed25519
        keyid: 
      root 2/2:
        type: ed25519
        keyid: 
      snapshot 1/1:
        type: ed25519
        keyid: 
      targets 1/1:
        type: ed25519
        keyid: 
      timestamp 1/1:
        type: ed25519
        keyid: 
      === ROLES ===
      root:
        Keys required (to meet signature threshold): 1
        Keys provided: 2
        keyids: 
      snapshot:
        Keys required (to meet signature threshold): 1
        Keys provided: 1
        keyids: 
      targets:
        Keys required (to meet signature threshold): 1
        Keys provided: 1
        keyids: 
      timestamp:
        Keys required (to meet signature threshold): 1
        Keys provided: 1
        keyids: 
      """
    Given I run the Rugged command "mkdir -p /var/rugged/tuf_repo/metadata/"
    And I run the Rugged command "rugged deploy-root-metadata"
    When I run the Rugged command "rugged initialize --local"
    Then I should get:
      """
      Initializing new TUF repository at /var/rugged/tuf_repo.
      warning: Initialized 'root' metadata from disk.
      If you did not intend to initialize with existing 'root' metadata then delete '1.root.json' and re-run this command.
      TUF repository initialized.
      """
    When I run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      Metadata for the 'timestamp' role is valid.
      Metadata for the 'snapshot' role is valid.
      Metadata for the 'targets' role is valid.
      """
    And I should not get:
      """
      failed to verify sig: Expected a byte of length 64
      """

1 scenario (1 passed)
34 steps (34 passed)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.