features/tuf/root_signature_thresholds.featureRunning behat features/tuf/root_signature_thresholds.feature results in:
@rugged @commands-local @root-signature-thresholds @deploy-root-metadata @add-root-signature @gitlab-235
Feature: Root signature thresholds are respected
In order to rotate root keys
As an administrator
I need to ensure that root signature thresholds are respected
Background:
Given I reset Rugged
And local Rugged directories exist
And I run "sudo cp features/fixtures/config/root_signature_thresholds_2.yaml /var/rugged/.config/rugged/config.yaml"
And I generate a complete set of Rugged keys
And I generate complete partial root metadata
And I generate signatures of partial root metadata
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
And I run the Rugged command "rugged --debug deploy-root-metadata"
And I run the Rugged command "rugged --debug initialize --local"
And I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"
Scenario: Disallow signatures from root keys that are not in N or N+1 root metadata.
When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
And I fail to run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
Then I should get:
"""
debug: Loading metadata for 'root' from /var/rugged/tuf_repo/partial/2.root.json.
debug: Loaded metadata for 'root' role from '/var/rugged/tuf_repo/partial/2.root.json'.
debug: Checking validity of verification key: /var/rugged/tuf_repo/tmp/root2_public.pem
debug: Loading PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
debug: Loaded PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
The provided keyid was not found among new root keys: /var/rugged/tuf_repo/tmp/root2_public.pem
The provided keyid was not found among old root keys: /var/rugged/tuf_repo/tmp/root2_public.pem
error: No valid key was found for signature
"""
Scenario: Allow signatures from root keys that are in N root metadata.
When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(1)' -r`"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
Then I should get:
"""
debug: Loading metadata for 'root' from /var/rugged/tuf_repo/partial/2.root.json.
debug: Loaded metadata for 'root' role from '/var/rugged/tuf_repo/partial/2.root.json'.
debug: Checking validity of verification key: /var/rugged/tuf_repo/tmp/root1_public.pem
debug: Loading PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root1_public.pem
debug: Loaded PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root1_public.pem
The provided keyid was not found among new root keys: /var/rugged/tuf_repo/tmp/root1_public.pem
Loading existing root metadata to verify that key exists for this signature
The provided keyid was found among old root keys
"""
Then I should not get:
"""
The provided keyid was found among new root keys
The provided keyid was not found among old root keys: /var/rugged/tuf_repo/tmp/root1_public.pem
"""
Scenario: Allow signatures from root keys that are in N+1 root metadata.
When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
Then I should get:
"""
debug: Checking validity of verification key: /var/rugged/tuf_repo/tmp/root2_public.pem
debug: Loading PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
debug: Loaded PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
The provided keyid was found among new root keys
debug: Loading signature from file: /var/rugged/tuf_repo/tmp/root2_signature.bin
debug: Loaded signature from file: /var/rugged/tuf_repo/tmp/root2_signature.bin
debug: Loaded signature for
debug: Signature verified for key
debug: The provided signature
debug: Wrote signable root metadata to file '/var/rugged/tuf_repo/partial/signable-2.root.json'.
debug: Wrote 'root' metadata to file '/var/rugged/tuf_repo/partial/2.root.json'.
"""
Then I should not get:
"""
The provided keyid was not found among new root keys
The provided keyid was found among old root keys
The provided keyid was not found among old root keys
"""
Scenario: Require sufficient signatures from root keys in N and N+1 root metadata (same keys).
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 0/2 (Does not satisfy threshold)
Signatures from new keys: 0/2 (Does not satisfy threshold)
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by old keyid:
Signatures from new keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by new keyid:
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by old keyid:
Signature 2 of 2: VALID -- signed by old keyid:
Signatures from new keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by new keyid:
Signature 2 of 2: VALID -- signed by new keyid:
"""
Scenario: Require sufficient signatures from root keys (rotate one of two keys).
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 0/2 (Does not satisfy threshold)
Signatures from new keys: 0/2 (Does not satisfy threshold)
"""
When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(1)' -r`"
When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by old keyid:
Signatures from new keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by new keyid:
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by old keyid:
Signature 2 of 2: VALID -- signed by old keyid:
Signatures from new keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by new keyid:
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by old keyid:
Signature 2 of 2: VALID -- signed by old keyid:
Signatures from new keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by new keyid:
Signature 2 of 2: VALID -- signed by new keyid:
"""
Scenario: Require sufficient signatures from root keys (rotate two of two keys).
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 0/2 (Does not satisfy threshold)
Signatures from new keys: 0/2 (Does not satisfy threshold)
"""
When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(0)' -r`"
When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(0)' -r`"
When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root3_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root3_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root3_public.pem"
And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root3_public.pem --key-type=pem"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by old keyid:
Signatures from new keys: 0/2 (Does not satisfy threshold)
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by old keyid:
Signature 2 of 2: VALID -- signed by old keyid:
Signatures from new keys: 0/2 (Does not satisfy threshold)
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by old keyid:
Signature 2 of 2: VALID -- signed by old keyid:
Signatures from new keys: 1/2 (Does not satisfy threshold)
Signature 1 of 1: VALID -- signed by new keyid:
"""
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root3_private.pem -out /var/rugged/tuf_repo/tmp/root3_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root3_public.pem /var/rugged/tuf_repo/tmp/root3_signature.bin --key-type=pem"
When I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
=== SIGNATURES ===
Signatures from old keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by old keyid:
Signature 2 of 2: VALID -- signed by old keyid:
Signatures from new keys: 2/2 (Satisfies threshold)
Signature 1 of 2: VALID -- signed by new keyid:
Signature 2 of 2: VALID -- signed by new keyid:
"""
Scenario: Rotate root keys and deploy updated root metadata in already-running TUF repo (2.root.json)
When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(1)' -r`"
And I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
And I run the Rugged command "rugged show-partial-root-metadata"
Then I should get:
"""
Metadata is valid for deployment
Signatures from old keys: 2/2 (Satisfies threshold)
Signatures from new keys: 2/2 (Satisfies threshold)
"""
When I run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Metadata is valid for deployment.
Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
"""
When I run the Rugged command "rugged validate metadata"
Then I should get:
"""
Metadata for the 'root' role is valid.
Metadata for the 'timestamp' role is valid.
Metadata for the 'snapshot' role is valid.
Metadata for the 'targets' role is valid.
"""
7 scenarios (7 passed)
171 steps (171 passed)