Feature: Root signature thresholds are respected

Test results for features/tuf/root_signature_thresholds.feature

Running behat features/tuf/root_signature_thresholds.feature results in:

@rugged @commands-local @root-signature-thresholds @deploy-root-metadata @add-root-signature @gitlab-235
Feature: Root signature thresholds are respected
  In order to rotate root keys
  As an administrator
  I need to ensure that root signature thresholds are respected

  Background:
    Given I reset Rugged
    And local Rugged directories exist
    And I run "sudo cp features/fixtures/config/root_signature_thresholds_2.yaml /var/rugged/.config/rugged/config.yaml"
    And I generate a complete set of Rugged keys
    And I generate complete partial root metadata
    And I generate signatures of partial root metadata
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
    And I run the Rugged command "rugged --debug deploy-root-metadata"
    And I run the Rugged command "rugged --debug initialize --local"
    And I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"

  Scenario: Disallow signatures from root keys that are not in N or N+1 root metadata.
    When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
    And I fail to run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
    Then I should get:
      """
      debug: Loading metadata for 'root' from /var/rugged/tuf_repo/partial/2.root.json.
      debug: Loaded metadata for 'root' role from '/var/rugged/tuf_repo/partial/2.root.json'.
      debug: Checking validity of verification key: /var/rugged/tuf_repo/tmp/root2_public.pem
      debug: Loading PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
      debug: Loaded PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
      The provided keyid was not found among new root keys: /var/rugged/tuf_repo/tmp/root2_public.pem
      The provided keyid was not found among old root keys: /var/rugged/tuf_repo/tmp/root2_public.pem
      error: No valid key was found for signature
      """

  Scenario: Allow signatures from root keys that are in N root metadata.
    When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(1)' -r`"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    Then I should get:
      """
      debug: Loading metadata for 'root' from /var/rugged/tuf_repo/partial/2.root.json.
      debug: Loaded metadata for 'root' role from '/var/rugged/tuf_repo/partial/2.root.json'.
      debug: Checking validity of verification key: /var/rugged/tuf_repo/tmp/root1_public.pem
      debug: Loading PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root1_public.pem
      debug: Loaded PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root1_public.pem
      The provided keyid was not found among new root keys: /var/rugged/tuf_repo/tmp/root1_public.pem
      Loading existing root metadata to verify that key exists for this signature
      The provided keyid was found among old root keys
      """
    Then I should not get:
      """
      The provided keyid was found among new root keys
      The provided keyid was not found among old root keys: /var/rugged/tuf_repo/tmp/root1_public.pem
      """

  Scenario: Allow signatures from root keys that are in N+1 root metadata.
    When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
    Then I should get:
      """
      debug: Checking validity of verification key: /var/rugged/tuf_repo/tmp/root2_public.pem
      debug: Loading PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
      debug: Loaded PEM-encoded public key from: /var/rugged/tuf_repo/tmp/root2_public.pem
      The provided keyid was found among new root keys
      debug: Loading signature from file: /var/rugged/tuf_repo/tmp/root2_signature.bin
      debug: Loaded signature from file: /var/rugged/tuf_repo/tmp/root2_signature.bin
      debug: Loaded signature for
      debug: Signature verified for key
      debug: The provided signature
      debug: Wrote signable root metadata to file '/var/rugged/tuf_repo/partial/signable-2.root.json'.
      debug: Wrote 'root' metadata to file '/var/rugged/tuf_repo/partial/2.root.json'.
      """
    Then I should not get:
      """
      The provided keyid was not found among new root keys
      The provided keyid was found among old root keys
      The provided keyid was not found among old root keys
      """

  Scenario: Require sufficient signatures from root keys in N and N+1 root metadata (same keys).
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 0/2 (Does not satisfy threshold)
      Signatures from new keys: 0/2 (Does not satisfy threshold)
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by old keyid:
      Signatures from new keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by new keyid:
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by old keyid:
        Signature 2 of 2: VALID -- signed by old keyid:
      Signatures from new keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by new keyid:
        Signature 2 of 2: VALID -- signed by new keyid:
      """

  Scenario: Require sufficient signatures from root keys (rotate one of two keys).
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 0/2 (Does not satisfy threshold)
      Signatures from new keys: 0/2 (Does not satisfy threshold)
      """
    When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(1)' -r`"
    When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by old keyid:
      Signatures from new keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by new keyid:
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by old keyid:
        Signature 2 of 2: VALID -- signed by old keyid:
      Signatures from new keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by new keyid:
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by old keyid:
        Signature 2 of 2: VALID -- signed by old keyid:
      Signatures from new keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by new keyid:
        Signature 2 of 2: VALID -- signed by new keyid:
      """

  Scenario: Require sufficient signatures from root keys (rotate two of two keys).
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 0/2 (Does not satisfy threshold)
      Signatures from new keys: 0/2 (Does not satisfy threshold)
      """
    When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(0)' -r`"
    When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(0)' -r`"
    When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
    When I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root3_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root3_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root3_public.pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root3_public.pem --key-type=pem"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by old keyid:
      Signatures from new keys: 0/2 (Does not satisfy threshold)
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by old keyid:
        Signature 2 of 2: VALID -- signed by old keyid:
      Signatures from new keys: 0/2 (Does not satisfy threshold)
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by old keyid:
        Signature 2 of 2: VALID -- signed by old keyid:
      Signatures from new keys: 1/2 (Does not satisfy threshold)
        Signature 1 of 1: VALID -- signed by new keyid:
      """
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root3_private.pem -out /var/rugged/tuf_repo/tmp/root3_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root3_public.pem /var/rugged/tuf_repo/tmp/root3_signature.bin --key-type=pem"
    When I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      === SIGNATURES ===
      Signatures from old keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by old keyid:
        Signature 2 of 2: VALID -- signed by old keyid:
      Signatures from new keys: 2/2 (Satisfies threshold)
        Signature 1 of 2: VALID -- signed by new keyid:
        Signature 2 of 2: VALID -- signed by new keyid:
      """

  Scenario: Rotate root keys and deploy updated root metadata in already-running TUF repo (2.root.json)
    When I run the Rugged command "rugged --debug remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.root.keyids | jq 'nth(1)' -r`"
    And I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
    And I run the Rugged command "rugged show-partial-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment
      Signatures from old keys: 2/2 (Satisfies threshold)
      Signatures from new keys: 2/2 (Satisfies threshold)
      """
    When I run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment.
      Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
      debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
      """
    When I run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      Metadata for the 'timestamp' role is valid.
      Metadata for the 'snapshot' role is valid.
      Metadata for the 'targets' role is valid.
      """

7 scenarios (7 passed)
171 steps (171 passed)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.