Feature: Rotate online keys.

Test results for features/security/rotate_online_keys.feature

Running behat features/security/rotate_online_keys.feature results in:

@rugged @security @rotate-online-keys
Feature: Rotate online keys.
  In order to keep a TUF systems secure,
  As a TUF administrator
  I need to be able to rotate online keys reliably.

  Background:
    Given I reset Rugged
    And local Rugged directories exist
    And I generate a complete set of Rugged keys
    And I generate complete partial root metadata
    And I generate signatures of partial root metadata
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
    And I run the Rugged command "rugged --debug deploy-root-metadata"
    And I run the Rugged command "rugged --debug initialize --local"
    And I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"

  Scenario Outline: Rotate online key and deploy updated root metadata in already-running TUF repo (2.root.json)
    When I run the Rugged command "rugged remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.<ROLE>.keyids | jq 'nth(0)' -r`"
    And I run the rugged command "rm /var/rugged/verification_keys/<ROLE>/<ROLE>.pub /var/rugged/signing_keys/<ROLE>/<ROLE>"
    And I run the Rugged command "rugged generate-keys --local --role=<ROLE>"
    And I run the Rugged command "rugged add-verification-key <ROLE> /var/rugged/verification_keys/<ROLE>/<ROLE>.pub"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_new_signature.bin"
    And I run the Rugged command "openssl pkeyutl -verify -sigfile /var/rugged/tuf_repo/tmp/root_new_signature.bin -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -inkey /var/rugged/tuf_repo/tmp/root_public.pem -pubin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_new_signature.bin"
    And I run the Rugged command "openssl pkeyutl -verify -sigfile /var/rugged/tuf_repo/tmp/root1_new_signature.bin -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -inkey /var/rugged/tuf_repo/tmp/root1_public.pem -pubin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_new_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_new_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug show-partial-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment
      """
    When I run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment.
      Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
      debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
      """
    When I fail to run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      error: UnsignedMetadataError thrown in validate_<ROLE>: <ROLE> was signed by 0/1 keys
      error: Metadata for the '<ROLE>' role is not valid.
      """
    When I run the Rugged command "rugged refresh-expiry --force"
    Then I should get:
      """
      Preparing to refresh metadata expiry periods.
      Fetching all metadata from targets-worker.
      Forcing refresh of all metadata.
      Dispatching task to refresh expiring metadata on targets-worker.
      Refreshed targets metadata expiry period.
      Updated snapshot metadata.
      Updated timestamp metadata.
      """
    When I run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      Metadata for the 'timestamp' role is valid.
      Metadata for the 'snapshot' role is valid.
      Metadata for the 'targets' role is valid.
      """

    Examples:
      | ROLE      |
      | timestamp |
      | snapshot  |
      | targets   |

3 scenarios (3 passed)
93 steps (93 passed)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.