Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changed deprecated keys and used cryptosigner #75

Merged
merged 6 commits into from
May 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 9 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ directory and perform the step.

```shell
cd ../functionary_bob
in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git
in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git
```

Here is what happens behind the scenes:
Expand All @@ -124,7 +124,7 @@ So first Bob records the state of the files he will modify:

```shell
# In functionary_bob directory
in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py
in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py
```

Then Bob uses an editor of his choice to update the version number in `demo-project/foo.py`, e.g.:
Expand All @@ -137,7 +137,7 @@ And finally he records the state of files after the modification and produces
a link metadata file called `update-version.[Bob's keyid].link`.
```shell
# In functionary_bob directory
in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py
in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py
```

Bob has done his work and can send over the sources to Carl, who will create
Expand All @@ -154,7 +154,7 @@ to change to Carl's directory and create a package of the software project

```shell
cd ../functionary_carl
in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
```

This will create another step link metadata file, called `package.[Carl's keyid].link`.
Expand All @@ -167,15 +167,15 @@ our software package `demo-project.tar.gz` and the related metadata files `root.
`clone.[Bob's keyid].link`, `update-version.[Bob's keyid].link` and `package.[Carl's keyid].link`:
```shell
cd ..
cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
```
And now run verification on behalf of the client:
```shell
cd final_product
# Fetch Alice's public key from a trusted source to verify the layout signature
# Note: The functionary public keys are fetched from the layout
cp ../owner_alice/alice.pub .
in-toto-verify --layout root.layout --layout-key alice.pub
in-toto-verify --layout root.layout --verification-keys alice.pub
```
This command will verify that
1. the layout has not expired,
Expand Down Expand Up @@ -208,19 +208,19 @@ Carl thought that this is the genuine code he got from Bob and
unwittingly packages the tampered version of foo.py

```shell
in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
```
and ships everything out as final product to the client:
```shell
cd ..
cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
```

### Verifying the malicious product

```shell
cd final_product
in-toto-verify --layout root.layout --layout-key alice.pub
in-toto-verify --layout root.layout --verification-keys alice.pub
```
This time, in-toto will detect that the product `foo.py` from Bob's `update-version`
step was not used as material in Carl's `package` step (the verified hashes
Expand Down
17 changes: 10 additions & 7 deletions owner_alice/create_layout.py
Original file line number Diff line number Diff line change
@@ -1,16 +1,19 @@
from securesystemslib import interface
from securesystemslib.signer import SSlibSigner
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from securesystemslib.signer import CryptoSigner
from in_toto.models.layout import Layout
from in_toto.models.metadata import Envelope

# https://github.com/in-toto/in-toto/issues/663
from in_toto.models._signer import load_public_key_from_file
def main():
# Load Alice's private key to later sign the layout
key_alice = interface.import_rsa_privatekey_from_file("alice")
signer_alice = SSlibSigner(key_alice)
with open("alice", "rb") as f:
key_alice = load_pem_private_key(f.read(), None)

signer_alice = CryptoSigner(key_alice)
# Fetch and load Bob's and Carl's public keys
# to specify that they are authorized to perform certain step in the layout
key_bob = interface.import_rsa_publickey_from_file("../functionary_bob/bob.pub")
key_carl = interface.import_rsa_publickey_from_file("../functionary_carl/carl.pub")
key_bob = load_public_key_from_file("../functionary_bob/bob.pub")
key_carl = load_public_key_from_file("../functionary_carl/carl.pub")

layout = Layout.read({
"_type": "layout",
Expand Down
1 change: 1 addition & 0 deletions requirements.txt
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
in-toto==2.3.0
cryptography==42.0.7
38 changes: 19 additions & 19 deletions run_demo.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ def supply_chain():
" --verbose"
" --use-dsse"
" --step-name clone --products demo-project/foo.py"
" --key bob -- git clone https://github.com/in-toto/demo-project.git")
" --signing-key bob -- git clone https://github.com/in-toto/demo-project.git")
print(clone_cmd)
subprocess.call(shlex.split(clone_cmd))

Expand All @@ -43,7 +43,7 @@ def supply_chain():
" --verbose"
" --use-dsse"
" --step-name update-version"
" --key bob"
" --signing-key bob"
" --materials demo-project/foo.py")

print(update_version_start_cmd)
Expand All @@ -58,7 +58,7 @@ def supply_chain():
" --verbose"
" --use-dsse"
" --step-name update-version"
" --key bob"
" --signing-key bob"
" --products demo-project/foo.py")

print(update_version_stop_cmd)
Expand All @@ -73,7 +73,7 @@ def supply_chain():
" --use-dsse"
" --step-name package --materials demo-project/foo.py"
" --products demo-project.tar.gz"
" --key carl --record-streams"
" --signing-key carl --record-streams"
" -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project")
print(package_cmd)
subprocess.call(shlex.split(package_cmd))
Expand All @@ -82,9 +82,9 @@ def supply_chain():
prompt_key("Create final product")
os.chdir("..")
copyfile("owner_alice/root.layout", "final_product/root.layout")
copyfile("functionary_bob/clone.776a00e2.link", "final_product/clone.776a00e2.link")
copyfile("functionary_bob/update-version.776a00e2.link", "final_product/update-version.776a00e2.link")
copyfile("functionary_carl/package.2f89b927.link", "final_product/package.2f89b927.link")
copyfile("functionary_bob/clone.210dcc50.link", "final_product/clone.210dcc50.link")
copyfile("functionary_bob/update-version.210dcc50.link", "final_product/update-version.210dcc50.link")
copyfile("functionary_carl/package.be06db20.link", "final_product/package.be06db20.link")
copyfile("functionary_carl/demo-project.tar.gz", "final_product/demo-project.tar.gz")


Expand All @@ -94,7 +94,7 @@ def supply_chain():
verify_cmd = ("in-toto-verify"
" --verbose"
" --layout root.layout"
" --layout-key alice.pub")
" --verification-keys alice.pub")
print(verify_cmd)
retval = subprocess.call(shlex.split(verify_cmd))
print("Return value: " + str(retval))
Expand All @@ -115,7 +115,7 @@ def supply_chain():
" --use-dsse"
" --step-name package --materials demo-project/foo.py"
" --products demo-project.tar.gz"
" --key carl --record-streams"
" --signing-key carl --record-streams"
" -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project")
print(package_cmd)
subprocess.call(shlex.split(package_cmd))
Expand All @@ -124,9 +124,9 @@ def supply_chain():
prompt_key("Create final product")
os.chdir("..")
copyfile("owner_alice/root.layout", "final_product/root.layout")
copyfile("functionary_bob/clone.776a00e2.link", "final_product/clone.776a00e2.link")
copyfile("functionary_bob/update-version.776a00e2.link", "final_product/update-version.776a00e2.link")
copyfile("functionary_carl/package.2f89b927.link", "final_product/package.2f89b927.link")
copyfile("functionary_bob/clone.210dcc50.link", "final_product/clone.210dcc50.link")
copyfile("functionary_bob/update-version.210dcc50.link", "final_product/update-version.210dcc50.link")
copyfile("functionary_carl/package.be06db20.link", "final_product/package.be06db20.link")
copyfile("functionary_carl/demo-project.tar.gz", "final_product/demo-project.tar.gz")


Expand All @@ -136,7 +136,7 @@ def supply_chain():
verify_cmd = ("in-toto-verify"
" --verbose"
" --layout root.layout"
" --layout-key alice.pub")
" --verification-keys alice.pub")

print(verify_cmd)
retval = subprocess.call(shlex.split(verify_cmd))
Expand All @@ -154,17 +154,17 @@ def main():
if args.clean:
files_to_delete = [
"owner_alice/root.layout",
"functionary_bob/clone.776a00e2.link",
"functionary_bob/update-version.776a00e2.link",
"functionary_bob/clone.210dcc50.link",
"functionary_bob/update-version.210dcc50.link",
"functionary_bob/demo-project",
"functionary_carl/package.2f89b927.link",
"functionary_carl/package.be06db20.link",
"functionary_carl/demo-project.tar.gz",
"functionary_carl/demo-project",
"final_product/alice.pub",
"final_product/demo-project.tar.gz",
"final_product/package.2f89b927.link",
"final_product/clone.776a00e2.link",
"final_product/update-version.776a00e2.link",
"final_product/package.be06db20.link",
"final_product/clone.210dcc50.link",
"final_product/update-version.210dcc50.link",
"final_product/untar.link",
"final_product/root.layout",
"final_product/demo-project",
Expand Down
25 changes: 9 additions & 16 deletions run_demo_md.py
Original file line number Diff line number Diff line change
Expand Up @@ -40,35 +40,28 @@
+ python create_layout.py
Created demo in-toto layout as "root.layout".
+ cd ../functionary_bob
+ in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git
'-k', '--key' is deprecated, use '--signing-key' instead.
+ in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py
'-k', '--key' is deprecated, use '--signing-key' instead.
+ in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git
+ in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py
+ sed -i.bak s/v0/v1/ demo-project/foo.py
+ rm demo-project/foo.py.bak
+ in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py
'-k', '--key' is deprecated, use '--signing-key' instead.
+ in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py
+ cp -r demo-project ../functionary_carl/
+ cd ../functionary_carl
+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
'-k', '--key' is deprecated, use '--signing-key' instead.
+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
+ cd ..
+ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
+ cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
+ cd final_product
+ cp ../owner_alice/alice.pub .
+ in-toto-verify --layout root.layout --layout-key alice.pub
'-k', '--layout-keys' is deprecated, use '--verification-keys' instead.
+ in-toto-verify --layout root.layout --verification-keys alice.pub
+ echo 0
0
+ cd ../functionary_carl
+ echo something evil
+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
'-k', '--key' is deprecated, use '--signing-key' instead.
+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
+ cd ..
+ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
+ cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
+ cd final_product
+ in-toto-verify --layout root.layout --layout-key alice.pub
'-k', '--layout-keys' is deprecated, use '--verification-keys' instead.
+ in-toto-verify --layout root.layout --verification-keys alice.pub
(in-toto-verify) RuleVerificationError: 'DISALLOW *' matched the following artifacts: ['demo-project/foo.py']
Full trace for 'expected_materials' of item 'package':
Available materials (used for queue):
Expand Down