diff --git a/tests/test_developer_tool.py b/tests/test_developer_tool.py
index 45514f9414..404d39f949 100755
--- a/tests/test_developer_tool.py
+++ b/tests/test_developer_tool.py
@@ -141,7 +141,7 @@ def test_create_new_project(self):
 # I will use the same key as the one provided in the repository
 # tool tests for the root role, but this is not a root role...
 root_key_path = os.path.join(keystore_path,'root_key.pub')
- project_key = developer_tool.import_rsa_publickey_from_file(root_key_path)
+ project_key = securesystemslib.interface.import_rsa_publickey_from_file(root_key_path)
 # Test create new project with a key added by default.
 project = developer_tool.create_new_project(project_name, metadata_directory,
@@ -230,7 +230,7 @@ def test_add_verification_keys(self):
 keystore_path = os.path.join('repository_data', 'keystore')
 first_verification_key_path = os.path.join(keystore_path,'root_key.pub')
 first_verification_key = \
- developer_tool.import_rsa_publickey_from_file(first_verification_key_path)
+ securesystemslib.interface.import_rsa_publickey_from_file(first_verification_key_path)
 project.add_verification_key(first_verification_key)
@@ -238,7 +238,7 @@ def test_add_verification_keys(self):
 # Add another verification key (should expect exception.)
 second_verification_key_path = os.path.join(keystore_path, 'snapshot_key.pub')
 second_verification_key = \
- developer_tool.import_ed25519_publickey_from_file(second_verification_key_path)
+ securesystemslib.interface.import_ed25519_publickey_from_file(second_verification_key_path)
 self.assertRaises(securesystemslib.exceptions.Error, project.add_verification_key,(second_verification_key))
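Review bot: The added lines call `securesystemslib.interface.import_rsa_publickey_from_file` and `securesystemslib.interface.import_ed25519_publickey_from_file`, but no `import securesystemslib.interface` appears anywhere in this file's hunks; `interface` is a submodule, so the attribute only resolves if some other import (presumably `tuf.developer_tool`, which the tests already use) happens to load it first. That makes the test module depend on an import side effect of the code under test, which breaks the moment the tool's own imports change. Add an explicit `import securesystemslib.interface` at the top of tests/test_developer_tool.py, and the same in the other test files this commit switches over. The enclosing test methods start and end outside these hunks.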
@@ -279,7 +279,7 @@ def test_write(self):
 keystore_path = os.path.join('repository_data', 'keystore')
 project_key_path = os.path.join(keystore_path, 'root_key.pub')
 project_key = \
- developer_tool.import_rsa_publickey_from_file(project_key_path)
+ securesystemslib.interface.import_rsa_publickey_from_file(project_key_path)
 # Call status (for the sake of doing it and to improve test coverage by
@@ -292,12 +292,12 @@ def test_write(self):
 # Add another verification key (should expect exception.)
 delegation_key_path = os.path.join(keystore_path, 'snapshot_key.pub')
 delegation_key = \
- developer_tool.import_ed25519_publickey_from_file(delegation_key_path)
+ securesystemslib.interface.import_ed25519_publickey_from_file(delegation_key_path)
 # Add a subdelegation.
 subdelegation_key_path = os.path.join(keystore_path, 'timestamp_key.pub')
 subdelegation_key = \
- developer_tool.import_ed25519_publickey_from_file(subdelegation_key_path)
+ securesystemslib.interface.import_ed25519_publickey_from_file(subdelegation_key_path)
 # Add a delegation.
 project.delegate('delegation', [delegation_key], [])
diff --git a/tests/test_key_revocation_integration.py b/tests/test_key_revocation_integration.py
index 213b5f26ad..0a0a6ac119 100755
--- a/tests/test_key_revocation_integration.py
+++ b/tests/test_key_revocation_integration.py
@@ -484,7 +484,7 @@ def _load_role_keys(keystore_directory):
 # Import the top-level and delegated role public keys.
 role_keys['root']['public'] = \
- repo_tool.import_rsa_publickey_from_file(root_key_file+'.pub')
+ securesystemslib.interface.import_rsa_publickey_from_file(root_key_file+'.pub')
 role_keys['targets']['public'] = \
 repo_tool.import_ed25519_publickey_from_file(targets_key_file + '.pub')
 role_keys['snapshot']['public'] = \
diff --git a/tests/test_repository_lib.py b/tests/test_repository_lib.py
index 6eb4faa715..84d765a82f 100755
--- a/tests/test_repository_lib.py
+++ b/tests/test_repository_lib.py
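Review bot: In `_load_role_keys` (hunk at line 484 of tests/test_key_revocation_integration.py) only the root key load is switched to `securesystemslib.interface.import_rsa_publickey_from_file`, while the targets key two lines later is still loaded through `repo_tool.import_ed25519_publickey_from_file`, and the snapshot key presumably likewise just past the hunk. Mixing the two import paths inside one loader reads as intentional when it is only an artifact of which wrapper got deleted; either rewrite the remaining lines in this function to `securesystemslib.interface.import_ed25519_publickey_from_file(...)` as well, or leave the whole loader on `repo_tool` since that wrapper survives this commit. `_load_role_keys` continues beyond the hunk.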
@@ -106,13 +106,13 @@ def test_generate_and_write_rsa_keypair(self):
 temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
 test_keypath = os.path.join(temporary_directory, 'rsa_key')
- repo_lib.generate_and_write_rsa_keypair(test_keypath, password='pw')
+ securesystemslib.interface.generate_and_write_rsa_keypair(test_keypath, password='pw')
 self.assertTrue(os.path.exists(test_keypath))
 self.assertTrue(os.path.exists(test_keypath + '.pub'))
 # Ensure the generated key files are importable.
 imported_pubkey = \
- repo_lib.import_rsa_publickey_from_file(test_keypath + '.pub')
+ securesystemslib.interface.import_rsa_publickey_from_file(test_keypath + '.pub')
 self.assertTrue(securesystemslib.formats.RSAKEY_SCHEMA.matches(imported_pubkey))
 imported_privkey = \
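Review bot: After this hunk `test_generate_and_write_rsa_keypair` in tests/test_repository_lib.py no longer exercises anything in tuf/repository_lib.py for key generation or public-key import; both calls go straight to `securesystemslib.interface`, whose contract is securesystemslib's to test. Keeping these assertions here means a change in the dependency (its RSA minimum key size, its password handling) fails TUF's suite while TUF's own code is untouched, and the test name now misdescribes what is being checked. Consider trimming the method to what repository_lib still owns (the `imported_privkey = \` continuation after the hunk presumably still calls `repo_lib.import_rsa_privatekey_from_file`) and moving the generation/import assertions to securesystemslib, or renaming it to make explicit that it pins the dependency's behaviour. The test method continues beyond the hunk.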
@@ -122,23 +122,23 @@ def test_generate_and_write_rsa_keypair(self):
 # Custom 'bits' argument.
 os.remove(test_keypath)
 os.remove(test_keypath + '.pub')
- repo_lib.generate_and_write_rsa_keypair(test_keypath, bits=2048,
+ securesystemslib.interface.generate_and_write_rsa_keypair(test_keypath, bits=2048,
 password='pw')
 self.assertTrue(os.path.exists(test_keypath))
 self.assertTrue(os.path.exists(test_keypath + '.pub'))
 # Test improperly formatted arguments.
- self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.generate_and_write_rsa_keypair,
+ self.assertRaises(securesystemslib.exceptions.FormatError, securesystemslib.interface.generate_and_write_rsa_keypair,
 3, bits=2048, password='pw')
- self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.generate_and_write_rsa_keypair,
+ self.assertRaises(securesystemslib.exceptions.FormatError, securesystemslib.interface.generate_and_write_rsa_keypair,
 test_keypath, bits='bad', password='pw')
- self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.generate_and_write_rsa_keypair,
+ self.assertRaises(securesystemslib.exceptions.FormatError, securesystemslib.interface.generate_and_write_rsa_keypair,
 test_keypath, bits=2048, password=3)
 # Test invalid 'bits' argument.
- self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.generate_and_write_rsa_keypair,
+ self.assertRaises(securesystemslib.exceptions.FormatError, securesystemslib.interface.generate_and_write_rsa_keypair,
 test_keypath, bits=1024, password='pw')
@@ -188,7 +188,7 @@ def test_import_rsa_publickey_from_file(self):
 'root_key.pub')
 self.assertTrue(os.path.exists(key_filepath))
- imported_rsa_key = repo_lib.import_rsa_publickey_from_file(key_filepath)
+ imported_rsa_key = securesystemslib.interface.import_rsa_publickey_from_file(key_filepath)
 self.assertTrue(securesystemslib.formats.RSAKEY_SCHEMA.matches(imported_rsa_key))
@@ -201,14 +201,14 @@ def test_import_rsa_publickey_from_file(self):
 # Non-existent key file.
 nonexistent_keypath = os.path.join(temporary_directory, 'nonexistent_keypath')
- self.assertRaises(IOError, repo_lib.import_rsa_publickey_from_file,
+ self.assertRaises(IOError, securesystemslib.interface.import_rsa_publickey_from_file,
 nonexistent_keypath)
 # Invalid key file argument.
 invalid_keyfile = os.path.join(temporary_directory, 'invalid_keyfile')
 with open(invalid_keyfile, 'wb') as file_object:
 file_object.write(b'bad keyfile')
- self.assertRaises(securesystemslib.exceptions.Error, repo_lib.import_rsa_publickey_from_file,
+ self.assertRaises(securesystemslib.exceptions.Error, securesystemslib.interface.import_rsa_publickey_from_file,
 invalid_keyfile)
@@ -219,25 +219,25 @@ def test_generate_and_write_ed25519_keypair(self):
 temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
 test_keypath = os.path.join(temporary_directory, 'ed25519_key')
- repo_lib.generate_and_write_ed25519_keypair(test_keypath, password='pw')
+ securesystemslib.interface.generate_and_write_ed25519_keypair(test_keypath, password='pw')
 self.assertTrue(os.path.exists(test_keypath))
 self.assertTrue(os.path.exists(test_keypath + '.pub'))
 # Ensure the generated key files are importable.
 imported_pubkey = \
- repo_lib.import_ed25519_publickey_from_file(test_keypath + '.pub')
+ securesystemslib.interface.import_ed25519_publickey_from_file(test_keypath + '.pub')
 self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_pubkey))
 imported_privkey = \
- repo_lib.import_ed25519_privatekey_from_file(test_keypath, 'pw')
+ securesystemslib.interface.import_ed25519_privatekey_from_file(test_keypath, 'pw')
 self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_privkey))
 # Test improperly formatted arguments.
 self.assertRaises(securesystemslib.exceptions.FormatError,
- repo_lib.generate_and_write_ed25519_keypair,
+ securesystemslib.interface.generate_and_write_ed25519_keypair,
 3, password='pw')
- self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.generate_and_write_rsa_keypair,
+ self.assertRaises(securesystemslib.exceptions.FormatError, securesystemslib.interface.generate_and_write_rsa_keypair,
 test_keypath, password=3)
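Review bot: The last added line of `test_generate_and_write_ed25519_keypair` still calls the RSA generator, `securesystemslib.interface.generate_and_write_rsa_keypair, test_keypath, password=3`, so the `password=3` format rejection is never exercised for the Ed25519 function this test is named for. The mistake predates the commit, but the line is being rewritten anyway and should read `securesystemslib.interface.generate_and_write_ed25519_keypair,` with the same arguments. Separately, this hunk also swaps `repo_lib.import_ed25519_privatekey_from_file` for the securesystemslib version even though `repo_lib.import_ed25519_privatekey_from_file` survives this commit (its definition is kept in the tuf/repository_lib.py hunks), which removes coverage of a wrapper TUF still ships.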
@@ -247,23 +247,23 @@ def test_import_ed25519_publickey_from_file(self):
 # Generate ed25519 keys that can be imported.
 temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
 ed25519_keypath = os.path.join(temporary_directory, 'ed25519_key')
- repo_lib.generate_and_write_ed25519_keypair(ed25519_keypath, password='pw')
+ securesystemslib.interface.generate_and_write_ed25519_keypair(ed25519_keypath, password='pw')
 imported_ed25519_key = \
- repo_lib.import_ed25519_publickey_from_file(ed25519_keypath + '.pub')
+ securesystemslib.interface.import_ed25519_publickey_from_file(ed25519_keypath + '.pub')
 self.assertTrue(securesystemslib.formats.ED25519KEY_SCHEMA.matches(imported_ed25519_key))
 # Test improperly formatted argument.
 self.assertRaises(securesystemslib.exceptions.FormatError,
- repo_lib.import_ed25519_publickey_from_file, 3)
+ securesystemslib.interface.import_ed25519_publickey_from_file, 3)
 # Test invalid argument.
 # Non-existent key file.
 nonexistent_keypath = os.path.join(temporary_directory, 'nonexistent_keypath')
- self.assertRaises(IOError, repo_lib.import_ed25519_publickey_from_file,
+ self.assertRaises(IOError, securesystemslib.interface.import_ed25519_publickey_from_file,
 nonexistent_keypath)
 # Invalid key file argument.
@@ -271,7 +271,7 @@ def test_import_ed25519_publickey_from_file(self):
 with open(invalid_keyfile, 'wb') as file_object:
 file_object.write(b'bad keyfile')
- self.assertRaises(securesystemslib.exceptions.Error, repo_lib.import_ed25519_publickey_from_file,
+ self.assertRaises(securesystemslib.exceptions.Error, securesystemslib.interface.import_ed25519_publickey_from_file,
 invalid_keyfile)
 # Invalid public key imported (contains unexpected keytype.)
@@ -287,7 +287,7 @@ def test_import_ed25519_publickey_from_file(self):
 file_object.write(json.dumps(ed25519key_metadata_format).encode('utf-8'))
 self.assertRaises(securesystemslib.exceptions.FormatError,
- repo_lib.import_ed25519_publickey_from_file,
+ securesystemslib.interface.import_ed25519_publickey_from_file,
 ed25519_keypath + '.pub')
@@ -297,7 +297,7 @@ def test_import_ed25519_privatekey_from_file(self):
 # Generate ed25519 keys that can be imported.
 temporary_directory = tempfile.mkdtemp(dir=self.temporary_directory)
 ed25519_keypath = os.path.join(temporary_directory, 'ed25519_key')
- repo_lib.generate_and_write_ed25519_keypair(ed25519_keypath, password='pw')
+ securesystemslib.interface.generate_and_write_ed25519_keypair(ed25519_keypath, password='pw')
 imported_ed25519_key = \
 repo_lib.import_ed25519_privatekey_from_file(ed25519_keypath, 'pw')
@@ -419,10 +419,10 @@ def test_get_target_hash(self):
 for filepath, target_hash in six.iteritems(expected_target_hashes):
 self.assertTrue(securesystemslib.formats.RELPATH_SCHEMA.matches(filepath))
 self.assertTrue(securesystemslib.formats.HASH_SCHEMA.matches(target_hash))
- self.assertEqual(repo_lib.get_target_hash(filepath), target_hash)
+ self.assertEqual(securesystemslib.util.get_target_hash(filepath), target_hash)
 # Test for improperly formatted argument.
- self.assertRaises(securesystemslib.exceptions.FormatError, repo_lib.get_target_hash, 8)
+ self.assertRaises(securesystemslib.exceptions.FormatError, securesystemslib.util.get_target_hash, 8)
@@ -710,7 +710,7 @@ def test_sign_metadata(self):
 # Sign with a valid, but not a threshold, key.
 targets_public_keypath = os.path.join(keystore_path, 'targets_key.pub')
 targets_public_key = \
- repo_lib.import_ed25519_publickey_from_file(targets_public_keypath)
+ securesystemslib.interface.import_ed25519_publickey_from_file(targets_public_keypath)
 # sign_metadata() expects the private key 'root_metadata' to be in
 # 'tuf.keydb'. Remove any public keys that may be loaded before
diff --git a/tests/test_repository_tool.py b/tests/test_repository_tool.py
index b2b0827fcf..9e18ed5d95 100755
--- a/tests/test_repository_tool.py
+++ b/tests/test_repository_tool.py
@@ -152,7 +152,7 @@ def test_writeall(self):
 timestamp_pubkey_path = os.path.join(keystore_directory, 'timestamp_key.pub')
 role1_pubkey_path = os.path.join(keystore_directory, 'delegation_key.pub')
- root_pubkey = repo_tool.import_rsa_publickey_from_file(root_pubkey_path)
+ root_pubkey = securesystemslib.interface.import_rsa_publickey_from_file(root_pubkey_path)
 targets_pubkey = \
 repo_tool.import_ed25519_publickey_from_file(targets_pubkey_path)
 snapshot_pubkey = \
@@ -568,7 +568,7 @@ def test_keys(self):
 # Test keys() getter after a verification key has been loaded.
 key_path = os.path.join('repository_data', 'keystore', 'snapshot_key.pub')
- key_object = repo_tool.import_ed25519_publickey_from_file(key_path)
+ key_object = securesystemslib.interface.import_ed25519_publickey_from_file(key_path)
 self.metadata.add_verification_key(key_object)
 keyid = key_object['keyid']
@@ -597,7 +597,7 @@ def test_signing_keys(self):
 def test_add_verification_key(self):
 # Add verification key and verify that it was added via (role).keys.
 key_path = os.path.join('repository_data', 'keystore', 'snapshot_key.pub')
- key_object = repo_tool.import_ed25519_publickey_from_file(key_path)
+ key_object = securesystemslib.interface.import_ed25519_publickey_from_file(key_path)
 self.metadata.add_verification_key(key_object)
 keyid = key_object['keyid']
@@ -644,7 +644,7 @@ def test_remove_verification_key(self):
 # Add verification key so that remove_verifiation_key() can be tested.
 key_path = os.path.join('repository_data', 'keystore', 'snapshot_key.pub')
- key_object = repo_tool.import_ed25519_publickey_from_file(key_path)
+ key_object = securesystemslib.interface.import_ed25519_publickey_from_file(key_path)
 self.metadata.add_verification_key(key_object)
 keyid = key_object['keyid']
@@ -688,7 +688,7 @@ def test_load_signing_key(self):
 # Test non-private key.
 key_path = os.path.join('repository_data', 'keystore', 'snapshot_key.pub')
- key_object = repo_tool.import_ed25519_publickey_from_file(key_path)
+ key_object = securesystemslib.interface.import_ed25519_publickey_from_file(key_path)
 self.assertRaises(securesystemslib.exceptions.Error, self.metadata.load_signing_key, key_object)
@@ -961,7 +961,7 @@ def test_call(self):
 # through __call__(). Example: {targets_object}('role1').
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 # Create Targets() object to be tested.
@@ -984,7 +984,7 @@ def test_get_delegated_rolenames(self):
 # return.
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 target2_filepath = os.path.join(self.targets_directory, 'file2.txt')
@@ -1024,7 +1024,7 @@ def test_delegations(self):
 # return.
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 # Set needed arguments by delegate().
@@ -1200,7 +1200,7 @@ def test_delegate(self):
 # delegate().
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 target2_filepath = os.path.join(self.targets_directory, 'file2.txt')
@@ -1281,7 +1281,7 @@ def test_delegate_hashed_bins(self):
 # Test normal case.
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 # Set needed arguments by delegate_hashed_bins().
@@ -1336,7 +1336,7 @@ def test_add_target_to_bin(self):
 repository_name = 'test_repository'
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'targets_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 # Set needed arguments by delegate_hashed_bins().
@@ -1421,7 +1421,7 @@ def test_remove_target_from_bin(self):
 # Delegate the hashed bins so that add_target_to_bin() can be tested.
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'targets_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 # Set needed arguments by delegate_hashed_bins().
@@ -1477,7 +1477,7 @@ def test_add_paths(self):
 # path to.
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 # Set needed arguments by delegate().
 public_keys = [public_key]
@@ -1534,7 +1534,7 @@ def test_revoke(self):
 # Perform a delegation so that revoke() has a delegation to revoke.
 keystore_directory = os.path.join('repository_data', 'keystore')
 public_keypath = os.path.join(keystore_directory, 'snapshot_key.pub')
- public_key = repo_tool.import_ed25519_publickey_from_file(public_keypath)
+ public_key = securesystemslib.interface.import_ed25519_publickey_from_file(public_keypath)
 target1_filepath = os.path.join(self.targets_directory, 'file1.txt')
 # Set needed arguments by delegate().
diff --git a/tests/test_root_versioning_integration.py b/tests/test_root_versioning_integration.py
index d27f208558..34547c6de8 100755
--- a/tests/test_root_versioning_integration.py
+++ b/tests/test_root_versioning_integration.py
@@ -121,13 +121,13 @@ def test_root_role_versioning(self):
 timestamp_pubkey_path = os.path.join(keystore_directory, 'timestamp_key.pub')
 role1_pubkey_path = os.path.join(keystore_directory, 'delegation_key.pub')
- root_pubkey = repo_tool.import_rsa_publickey_from_file(root_pubkey_path)
- targets_pubkey = repo_tool.import_ed25519_publickey_from_file(targets_pubkey_path)
+ root_pubkey = securesystemslib.interface.import_rsa_publickey_from_file(root_pubkey_path)
+ targets_pubkey = securesystemslib.interface.import_ed25519_publickey_from_file(targets_pubkey_path)
 snapshot_pubkey = \
- repo_tool.import_ed25519_publickey_from_file(snapshot_pubkey_path)
+ securesystemslib.interface.import_ed25519_publickey_from_file(snapshot_pubkey_path)
 timestamp_pubkey = \
- repo_tool.import_ed25519_publickey_from_file(timestamp_pubkey_path)
- role1_pubkey = repo_tool.import_ed25519_publickey_from_file(role1_pubkey_path)
+ securesystemslib.interface.import_ed25519_publickey_from_file(timestamp_pubkey_path)
+ role1_pubkey = securesystemslib.interface.import_ed25519_publickey_from_file(role1_pubkey_path)
 # Load the private keys.
 root_privkey_path = os.path.join(keystore_directory, 'root_key')
diff --git a/tuf/developer_tool.py b/tuf/developer_tool.py
index 613906fc4c..d0e55d2820 100755
--- a/tuf/developer_tool.py
+++ b/tuf/developer_tool.py
@@ -989,18 +989,6 @@ def _strip_prefix_from_targets_metadata(targets_metadata, prefix): # Users are expected to call functions provided by repository_tool.py. We opt # for this approach, as opposed to using import statements to achieve the # equivalent, to avoid linter warnings for unused imports. -def generate_and_write_rsa_keypair(filepath, bits, password): - return repo_lib.generate_and_write_rsa_keypair(filepath, bits, password) - -def generate_and_write_ed25519_keypair(filepath, password): - return repo_lib.generate_and_write_ed25519_keypair(filepath, password) - -def import_rsa_publickey_from_file(filepath): - return repo_lib.import_rsa_publickey_from_file(filepath) - -def import_ed25519_publickey_from_file(filepath): - return repo_lib.import_ed25519_publickey_from_file(filepath) - def import_rsa_privatekey_from_file(filepath, password): return repo_lib.import_rsa_privatekey_from_file(filepath, password) diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index a2b56567fe..e0750748be 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -750,43 +750,6 @@ def _log_warning_if_expires_soon(rolename, expires_iso8601_timestamp, - -def generate_and_write_rsa_keypair(filepath, bits=DEFAULT_RSA_KEY_BITS, - password=None): - """ - - Generate an RSA key file, create an encrypted PEM string (using 'password' - as the pass phrase), and store it in 'filepath'. The public key portion of - the generated RSA key is stored in <'filepath'>.pub. - - - filepath: - The public and private key files are saved to .pub, , - respectively. - - bits: - The number of bits of the generated RSA key. - - password: - The password used to encrypt 'filepath'. - - - securesystemslib.exceptions.FormatError, if the arguments are improperly - formatted. - - - Writes key files to '' and '.pub'. - - - None. - """ - - securesystemslib.interface.generate_and_write_rsa_keypair( - filepath, bits, password) - - - - def import_rsa_privatekey_from_file(filepath, password=None): """ 
@@ -838,114 +801,6 @@ def import_rsa_privatekey_from_file(filepath, password=None): - -def import_rsa_publickey_from_file(filepath): - """ - - Import the RSA key stored in 'filepath'. The key object returned is a TUF - key, specifically 'securesystemslib.RSAKEY_SCHEMA'. If the RSA PEM - in 'filepath' contains a private key, it is discarded. - - - filepath: - .pub file, an RSA PEM file. - - - securesystemslib.exceptions.FormatError, if 'filepath' is improperly formatted. - - securesystemslib.exceptions.Error, if a valid RSA key object cannot be - generated. This may be caused by an improperly formatted PEM file. - - - 'filepath' is read and its contents extracted. - - - An RSA key object conformant to 'securesystemslib.RSAKEY_SCHEMA'. - """ - - return securesystemslib.interface.import_rsa_publickey_from_file(filepath) - - - - - -def generate_and_write_ed25519_keypair(filepath, password=None): - """ - - Generate an Ed25519 key file, create an encrypted TUF key (using 'password' - as the pass phrase), and store it in 'filepath'. The public key portion of - the generated ED25519 key is stored in <'filepath'>.pub. Which cryptography - library performs the cryptographic decryption is determined by the string - set in 'settings.ED25519_CRYPTO_LIBRARY'. - - The Ed25519 private key is encrypted with AES-256 and CTR the mode of - operation. The password is strengthened with PBKDF2-HMAC-SHA256. - - - filepath: - The public and private key files are saved to .pub and - , respectively. - - password: - The password, or passphrase, to encrypt the private portion of the - generated ed25519 key. A symmetric encryption key is derived from - 'password', so it is not directly used. - - - securesystemslib.exceptions.FormatError, if the arguments are improperly - formatted. - - securesystemslib.exceptions.CryptoError, if 'filepath' cannot be encrypted. 
- - securesystemslib.exceptions.UnsupportedLibraryError, if 'filepath' cannot be - encrypted due to an invalid configuration setting (i.e., invalid - 'tuf.settings.py' setting). - - - Writes key files to '' and '.pub'. - - - None. - """ - - securesystemslib.interface.generate_and_write_ed25519_keypair( - filepath, password) - - - - - -def import_ed25519_publickey_from_file(filepath): - """ - - Load the ED25519 public key object (conformant to - 'securesystemslib.KEY_SCHEMA') stored in 'filepath'. Return - 'filepath' in securesystemslib.ED25519KEY_SCHEMA format. - - If the TUF key object in 'filepath' contains a private key, it is discarded. - - - filepath: - .pub file, a TUF public key file. - - - securesystemslib.exceptions.FormatError, if 'filepath' is improperly - formatted or is an unexpected key type. - - - The contents of 'filepath' is read and saved. - - - An ED25519 key object conformant to - 'securesystemslib.ED25519KEY_SCHEMA'. - """ - - return securesystemslib.interface.import_ed25519_publickey_from_file(filepath) - - - - - def import_ed25519_privatekey_from_file(filepath, password=None): """ 
@@ -1173,39 +1028,6 @@ def get_metadata_versioninfo(rolename, repository_name): - -def get_target_hash(target_filepath): - """ - - Compute the hash of 'target_filepath'. This is useful in conjunction with - the "path_hash_prefixes" attribute in a delegated targets role, which - tells us which paths it is implicitly responsible for. - - The repository may optionally organize targets into hashed bins to ease - target delegations and role metadata management. The use of consistent - hashing allows for a uniform distribution of targets into bins. - - - target_filepath: - The path to the target file on the repository. This will be relative to - the 'targets' (or equivalent) directory on a given mirror. - - - None. - - - None. - - - The hash of 'target_filepath'. - """ - - return securesystemslib.util.get_target_hash(target_filepath) - - - - - def generate_root_metadata(version, expiration_date, consistent_snapshot, repository_name='default'): """ diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py index 9f5a4158a5..de3e1a90c0 100755 --- a/tuf/repository_tool.py +++ b/tuf/repository_tool.py 
@@ -3157,29 +3157,22 @@ def append_signature(signature, metadata_filepath):
 # Users are expected to call functions provided by repository_tool.py. We opt
 # for wrapper functions, instead of using the import statements to achieve the
 # equivalent, to avoid linter warnings for unused imports.
-def generate_and_write_ed25519_keypair(filepath=None, password=None):
- return repo_lib.generate_and_write_ed25519_keypair(filepath, password)
-
 def generate_ed25519_key(scheme='ed25519'):
 return securesystemslib.keys.generate_ed25519_key(scheme)
 def import_ed25519_publickey_from_file(filepath):
- return repo_lib.import_ed25519_publickey_from_file(filepath)
+ return securesystemslib.interface.import_ed25519_publickey_from_file(filepath)
 def import_ed25519_privatekey_from_file(filepath, password=None):
 return repo_lib.import_ed25519_privatekey_from_file(filepath, password)
 # NOTE: securesystemslib cannot presently import an Ed25519 key from PEM.
-def generate_and_write_rsa_keypair(filepath=None,
- bits=repo_lib.DEFAULT_RSA_KEY_BITS, password=None):
- return repo_lib.generate_and_write_rsa_keypair(filepath, bits, password)
-
 def generate_rsa_key(bits=DEFAULT_RSA_KEY_BITS, scheme='rsassa-pss-sha256'):
 return securesystemslib.keys.generate_rsa_key(bits, scheme)
 def import_rsa_publickey_from_file(filepath):
- return repo_lib.import_rsa_publickey_from_file(filepath)
+ return securesystemslib.interface.import_rsa_publickey_from_file(filepath)
 def import_rsa_privatekey_from_file(filepath, password=None):
 return repo_lib.import_rsa_privatekey_from_file(filepath, password)
diff --git a/tuf/scripts/repo.py b/tuf/scripts/repo.py
index 6689a42b98..67c438d96c 100755
--- a/tuf/scripts/repo.py
+++ b/tuf/scripts/repo.py
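Review bot: Deleting `generate_and_write_ed25519_keypair` and `generate_and_write_rsa_keypair` from tuf/repository_tool.py removes public entry points that repository maintainers' scripts call, while the comment kept above the hunk still says users are expected to call the wrappers here rather than import securesystemslib themselves; the remaining `import_*_from_file` wrappers are kept, so the module's key API becomes asymmetric. It also drops the TUF-side default `bits=repo_lib.DEFAULT_RSA_KEY_BITS`: callers migrating to `securesystemslib.interface.generate_and_write_rsa_keypair` now get securesystemslib's own default key size, which may differ from the value TUF chose, and nothing in this diff pins it. Keep thin shims for a release that forward to securesystemslib.interface with the old defaults and raise a `DeprecationWarning` (`warnings` would need importing at the top of the module), so a key-size change is a visible choice rather than a side effect of upgrading.
```python
# … unchanged: wrapper comment block and generate_ed25519_key …
def generate_and_write_ed25519_keypair(filepath=None, password=None):
  warnings.warn('Use securesystemslib.interface.generate_and_write_ed25519_keypair',
      DeprecationWarning, stacklevel=2)
  return securesystemslib.interface.generate_and_write_ed25519_keypair(
      filepath, password)

# … unchanged: import_ed25519_* wrappers and generate_rsa_key …
def generate_and_write_rsa_keypair(filepath=None,
    bits=DEFAULT_RSA_KEY_BITS, password=None):
  warnings.warn('Use securesystemslib.interface.generate_and_write_rsa_keypair',
      DeprecationWarning, stacklevel=2)
  return securesystemslib.interface.generate_and_write_rsa_keypair(
      filepath, bits, password)
```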
@@ -48,85 +48,85 @@ [--role --sign ] $ repo.py --verbose <0-5> $ repo.py --clean [--path] - + --init: Create new TUF repository in current working or specified directory. - + --consistent: Enable consistent snapshots for newly created TUF repository. - + --bare: Specify creation of bare TUF repository with no key created or set. - + --path: Choose specified path location of a TUF repository or key(s). - + --role: Specify top-level role(s) affected by the main command-line option. - + --pubkeys: Indicate location of key(s) affected by the main command-line option. - + --root_pw: Set password for encrypting top-level key file of root role. - + --targets_pw: Set password for encrypting top-level key file of targets role. - + --snapshot_pw: Set password for encrypting top-level key file of snapshot role. - + --timestamp_pw: Set password for encrypting top-level key file of timestamp role. - + --add: Add file specified by to the Targets metadata. - + --recursive: Include files in subdirectories of specified directory . - + --remove: Remove target files from Targets metadata matching . - + --distrust: Discontinue trust of keys located in directory of a role. - + --trust: Indicate trusted keys located in directory of a role. - - --sign: + + --sign: Sign metadata of target role(s) with keys in specified directory. - + --key: Generate cryptographic key of specified type (default: Ed25519). - + --filename: Specify filename associated with generated top-level key. - + --pw: Set password for the generated key of specified type . - + --delegate: Delegate trust of target files from Targets role (or specified in --role) to --delegatee role with specified . - + --delegatee: Specify role that is targetted by delegator in --role to sign for target files matching delegated or in revocation of trust. - + --terminating: Mark delegation to --delegatee role from delegator as a terminating one. - + --threshold: Specify signature threshold of --delegatee role as the value . 
- + --revoke: Revoke trust of target files from delegated role (--delegatee) - + --verbose: Set the verbosity level of logging messages. Accepts values 1-5. - + --clean: Delete repo in current working or specified directory. """ @@ -899,16 +899,16 @@ def set_top_level_keys(repository, parsed_arguments): parsed_arguments.pw = securesystemslib.interface.get_password( prompt='Enter a password for the top-level role keys: ', confirm=True) - repo_tool.generate_and_write_ed25519_keypair( + securesystemslib.interface.generate_and_write_ed25519_keypair( os.path.join(parsed_arguments.path, KEYSTORE_DIR, ROOT_KEY_NAME), password=parsed_arguments.root_pw) - repo_tool.generate_and_write_ed25519_keypair( + securesystemslib.interface.generate_and_write_ed25519_keypair( os.path.join(parsed_arguments.path, KEYSTORE_DIR, TARGETS_KEY_NAME), password=parsed_arguments.targets_pw) - repo_tool.generate_and_write_ed25519_keypair( + securesystemslib.interface.generate_and_write_ed25519_keypair( os.path.join(parsed_arguments.path, KEYSTORE_DIR, SNAPSHOT_KEY_NAME), password=parsed_arguments.snapshot_pw) - repo_tool.generate_and_write_ed25519_keypair( + securesystemslib.interface.generate_and_write_ed25519_keypair( os.path.join(parsed_arguments.path, KEYSTORE_DIR, TIMESTAMP_KEY_NAME), password=parsed_arguments.timestamp_pw)
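Review bot: The four `securesystemslib.interface.generate_and_write_ed25519_keypair` calls in `set_top_level_keys` now bind tuf/scripts/repo.py directly to how securesystemslib treats a missing password, with no TUF wrapper in between: the context shows `parsed_arguments.pw` being prompted with `confirm=True`, but the calls pass `parsed_arguments.root_pw`, `targets_pw`, `snapshot_pw` and `timestamp_pw`, whose derivation from `pw` is outside this hunk. If any of those is `None` or empty, whether securesystemslib prompts again, rejects it, or writes the private key file unencrypted depends on the installed securesystemslib version, and a silently unencrypted root key is the worst outcome for a repository signing tool. Guard it in the script before the first call, e.g. `if not all((parsed_arguments.root_pw, parsed_arguments.targets_pw, parsed_arguments.snapshot_pw, parsed_arguments.timestamp_pw)): raise securesystemslib.exceptions.Error('A non-empty password is required for every top-level role key.')`. The enclosing function starts outside the hunk, and the hunk's final context line may extend past the visible text.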