Exemple #1
0
// We cannot validate a new root if the old root is corrupt, because there might
// have been a root key rotation.
func TestValidateOldRootCorruptRootRole(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	// so a valid root, but missing the root role
	signedRoot, err := data.RootFromSigned(r)
	require.NoError(t, err)
	delete(signedRoot.Signed.Roles, data.CanonicalRootRole)
	badRootJSON, err := json.Marshal(signedRoot)
	require.NoError(t, err)
	badRoot := storage.MetaUpdate{
		Version: root.Version,
		Role:    root.Role,
		Data:    badRootJSON,
	}
	store.UpdateCurrent(gun, badRoot)
	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, data.ErrInvalidMetadata{}, err)
}
Exemple #2
0
func TestValidateSnapshotGeneratePrevCorrupt(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()
	snapRole, err := repo.GetBaseRole(data.CanonicalSnapshotRole)
	require.NoError(t, err)

	for _, k := range snapRole.Keys {
		err := store.SetKey(gun, data.CanonicalSnapshotRole, k.Algorithm(), k.Public())
		require.NoError(t, err)
	}

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, _, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets}

	// corrupt the JSON structure of prev snapshot
	snapshot.Data = snapshot.Data[1:]
	// set the current snapshot in the store manually so we find it when generating
	// the next version
	store.UpdateCurrent(gun, snapshot)

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole, data.CanonicalSnapshotRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, &json.SyntaxError{}, err)
}
Exemple #3
0
func TestValidatePrevTimestamp(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot}

	store := storage.NewMemStorage()
	store.UpdateCurrent(gun, timestamp)

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	updates, err = validateUpdate(serverCrypto, gun, updates, store)
	require.NoError(t, err)

	// we generated our own timestamp, and did not take the other timestamp,
	// but all other metadata should come from updates
	var foundTimestamp bool
	for _, update := range updates {
		if update.Role == data.CanonicalTimestampRole {
			foundTimestamp = true
			oldTimestamp, newTimestamp := &data.SignedTimestamp{}, &data.SignedTimestamp{}
			require.NoError(t, json.Unmarshal(timestamp.Data, oldTimestamp))
			require.NoError(t, json.Unmarshal(update.Data, newTimestamp))
			require.Equal(t, oldTimestamp.Signed.Version+1, newTimestamp.Signed.Version)
		}
	}
	require.True(t, foundTimestamp)
}
Exemple #4
0
// Store is broken when getting the current snapshot
func TestValidateSnapshotGenerateStoreGetCurrentSnapshotBroken(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := getFailStore{
		MetaStore:    storage.NewMemStorage(),
		errsToReturn: map[string]error{data.CanonicalSnapshotRole: data.ErrNoSuchRole{}},
	}
	snapRole, err := repo.GetBaseRole(data.CanonicalSnapshotRole)
	require.NoError(t, err)

	for _, k := range snapRole.Keys {
		err := store.SetKey(gun, data.CanonicalSnapshotRole, k.Algorithm(), k.Public())
		require.NoError(t, err)
	}

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, _, _, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole, data.CanonicalSnapshotRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, data.ErrNoSuchRole{}, err)
}
Exemple #5
0
func TestValidateSnapshotGenerate(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()
	snapRole, err := repo.GetBaseRole(data.CanonicalSnapshotRole)
	require.NoError(t, err)

	for _, k := range snapRole.Keys {
		err := store.SetKey(gun, data.CanonicalSnapshotRole, k.Algorithm(), k.Public())
		require.NoError(t, err)
	}

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, _, _, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{targets}

	store.UpdateCurrent(gun, root)

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole, data.CanonicalSnapshotRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.NoError(t, err)
}
Exemple #6
0
func TestValidateTargetsModifiedHash(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)

	snap, err := data.SnapshotFromSigned(sn)
	require.NoError(t, err)
	snap.Signed.Meta["targets"].Hashes["sha256"][0] = snap.Signed.Meta["targets"].Hashes["sha256"][0] ^ 0xff

	sn, err = snap.ToSigned()
	require.NoError(t, err)

	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, validation.ErrBadSnapshot{}, err)
}
Exemple #7
0
func TestValidateRootCanContainOnlyx509KeysWithRightGun(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo("wrong/gun")
	require.NoError(t, err)
	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)

	// if the root has the wrong gun, the server will fail to validate
	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	_, err = validateUpdate(serverCrypto, gun,
		[]storage.MetaUpdate{root, targets, snapshot, timestamp},
		storage.NewMemStorage())
	require.Error(t, err)
	require.IsType(t, validation.ErrBadRoot{}, err)

	// create regular non-x509 keys - change the root keys to one that is not
	// an x509 key - it should also fail to validate
	newRootKey, err := cs.Create(data.CanonicalRootRole, gun, data.ECDSAKey)
	require.NoError(t, err)
	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalRootRole, newRootKey))

	r, tg, sn, ts, err = testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	_, err = validateUpdate(serverCrypto, gun,
		[]storage.MetaUpdate{root, targets, snapshot, timestamp},
		storage.NewMemStorage())
	require.Error(t, err)
	require.IsType(t, validation.ErrBadRoot{}, err)
}
Exemple #8
0
// ### Snapshot size mismatch negative tests ###
func TestValidateRootModifiedSize(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)

	// add another copy of the signature so the hash is different
	r.Signatures = append(r.Signatures, r.Signatures[0])

	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	// flip all the bits in the first byte
	root.Data[0] = root.Data[0] ^ 0xff

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, validation.ErrBadRoot{}, err)
}
Exemple #9
0
// If the timestamp role has a threshold > 1, validation fails.
func TestValidateRootInvalidTimestampThreshold(t *testing.T) {
	gun := "docker.com/notary"
	oldRepo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)

	tsKey2, err := testutils.CreateKey(cs, gun, "timestamp2", data.ECDSAKey)
	require.NoError(t, err)
	oldRepo.AddBaseKeys(data.CanonicalTimestampRole, tsKey2)
	tsRole, ok := oldRepo.Root.Signed.Roles[data.CanonicalTimestampRole]
	require.True(t, ok)
	tsRole.Threshold = 2

	r, tg, sn, ts, err := testutils.Sign(oldRepo)
	require.NoError(t, err)
	root, targets, snapshot, _, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	store := storage.NewMemStorage()
	updates := []storage.MetaUpdate{root, targets, snapshot}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, validation.ErrBadRoot{}, err)
}
Exemple #10
0
func TestValidateOldRoot(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	store.UpdateCurrent(gun, root)
	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.NoError(t, err)
}
Exemple #11
0
func TestValidateSnapshotMissingNoSnapshotKey(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, _, _, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, validation.ErrBadHierarchy{}, err)
}
Exemple #12
0
func TestValidateTargetsRoleMissing(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	delete(repo.Root.Signed.Roles, "targets")

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, validation.ErrBadRoot{}, err)
}
Exemple #13
0
func TestValidateSnapshotGenerateWithPrev(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()
	snapRole, err := repo.GetBaseRole(data.CanonicalSnapshotRole)
	require.NoError(t, err)

	for _, k := range snapRole.Keys {
		err := store.SetKey(gun, data.CanonicalSnapshotRole, k.Algorithm(), k.Public())
		require.NoError(t, err)
	}

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, _, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets}

	// set the current snapshot in the store manually so we find it when generating
	// the next version
	store.UpdateCurrent(gun, snapshot)

	prev, err := data.SnapshotFromSigned(sn)
	require.NoError(t, err)

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole, data.CanonicalSnapshotRole)
	updates, err = validateUpdate(serverCrypto, gun, updates, store)
	require.NoError(t, err)

	for _, u := range updates {
		if u.Role == data.CanonicalSnapshotRole {
			curr := &data.SignedSnapshot{}
			err = json.Unmarshal(u.Data, curr)
			require.NoError(t, err)
			require.Equal(t, prev.Signed.Version+1, curr.Signed.Version)
			require.Equal(t, u.Version, curr.Signed.Version)
		}
	}
}
Exemple #14
0
// We cannot validate a new root if we cannot get the old root from the DB (
// and cannot detect whether there was an old root or not), because there might
// have been an old root and we can't determine if the new root represents a
// root key rotation.
func TestValidateRootGetCurrentRootBroken(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := getFailStore{
		MetaStore:    storage.NewMemStorage(),
		errsToReturn: map[string]error{data.CanonicalRootRole: data.ErrNoSuchRole{}},
	}

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, data.ErrNoSuchRole{}, err)
}
Exemple #15
0
func TestValidateSnapshotCorrupt(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	// flip all the bits in the first byte
	snapshot.Data[0] = snapshot.Data[0] ^ 0xff

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, validation.ErrBadSnapshot{}, err)
}
Exemple #16
0
func TestValidatePreviousTimestampCorrupt(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot}

	// have corrupt timestamp data in the storage already
	store := storage.NewMemStorage()
	timestamp.Data = timestamp.Data[1:]
	store.UpdateCurrent(gun, timestamp)

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, &json.SyntaxError{}, err)
}
Exemple #17
0
func TestValidateEmptyNew(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	updates, err = validateUpdate(serverCrypto, gun, updates, store)
	require.NoError(t, err)

	// we generated our own timestamp, and did not take the other timestamp,
	// but all other metadata should come from updates
	founds := make(map[string]bool)
	for _, update := range updates {
		switch update.Role {
		case data.CanonicalRootRole:
			require.True(t, bytes.Equal(update.Data, root.Data))
			founds[data.CanonicalRootRole] = true
		case data.CanonicalSnapshotRole:
			require.True(t, bytes.Equal(update.Data, snapshot.Data))
			founds[data.CanonicalSnapshotRole] = true
		case data.CanonicalTargetsRole:
			require.True(t, bytes.Equal(update.Data, targets.Data))
			founds[data.CanonicalTargetsRole] = true
		case data.CanonicalTimestampRole:
			require.False(t, bytes.Equal(update.Data, timestamp.Data))
			founds[data.CanonicalTimestampRole] = true
		}
	}
	require.Len(t, founds, 4)
}
Exemple #18
0
// If any role has a threshold < 1, validation fails
func TestValidateRootInvalidZeroThreshold(t *testing.T) {
	for _, role := range data.BaseRoles {
		gun := "docker.com/notary"
		oldRepo, cs, err := testutils.EmptyRepo(gun)
		require.NoError(t, err)
		tsRole, ok := oldRepo.Root.Signed.Roles[role]
		require.True(t, ok)
		tsRole.Threshold = 0

		r, tg, sn, ts, err := testutils.Sign(oldRepo)
		require.NoError(t, err)
		root, targets, snapshot, _, err := getUpdates(r, tg, sn, ts)
		require.NoError(t, err)

		store := storage.NewMemStorage()
		updates := []storage.MetaUpdate{root, targets, snapshot}

		serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
		_, err = validateUpdate(serverCrypto, gun, updates, store)
		require.Error(t, err)
		require.Contains(t, err.Error(), "invalid threshold")
	}
}
Exemple #19
0
func TestValidateOldRootCorrupt(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	badRoot := storage.MetaUpdate{
		Version: root.Version,
		Role:    root.Role,
		Data:    root.Data[1:],
	}
	store.UpdateCurrent(gun, badRoot)
	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}

	serverCrypto := testutils.CopyKeys(t, cs, data.CanonicalTimestampRole)
	_, err = validateUpdate(serverCrypto, gun, updates, store)
	require.Error(t, err)
	require.IsType(t, &json.SyntaxError{}, err)
}
Exemple #20
0
// A root rotation must be signed with old and new root keys such that it satisfies
// the old and new roles, otherwise the new root fails to validate
func TestRootRotationNotSignedWithOldKeysForOldRole(t *testing.T) {
	gun := "docker.com/notary"
	repo, crypto, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	store := storage.NewMemStorage()
	serverCrypto := testutils.CopyKeys(t, crypto, data.CanonicalTimestampRole)

	oldRootKeyID := repo.Root.Signed.Roles[data.CanonicalRootRole].KeyIDs[0]

	// make the original root have 2 keys with a threshold of 2
	pairedRootKeys := make([]data.PublicKey, 2)
	for i := 0; i < len(pairedRootKeys); i++ {
		pairedRootKeys[i], err = testutils.CreateKey(crypto, gun, data.CanonicalRootRole, data.ECDSAKey)
		require.NoError(t, err)
	}
	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalRootRole, pairedRootKeys...))
	repo.Root.Signed.Roles[data.CanonicalRootRole].Threshold = 2

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	require.Len(t, r.Signatures, 3)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}
	require.NoError(t, store.UpdateMany(gun, updates))

	finalRootKey, err := testutils.CreateKey(crypto, gun, data.CanonicalRootRole, data.ECDSAKey)
	require.NoError(t, err)
	repo.Root.Signed.Roles[data.CanonicalRootRole].Threshold = 1
	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalRootRole, finalRootKey))

	r, err = repo.SignRoot(data.DefaultExpires(data.CanonicalRootRole))
	require.NoError(t, err)
	origSigs := r.Signatures

	// make sure it's signed with only one of the previous keys and the new key
	sigs := make([]data.Signature, 0, 2)
	for _, sig := range origSigs {
		if sig.KeyID == pairedRootKeys[0].ID() || sig.KeyID == finalRootKey.ID() {
			sigs = append(sigs, sig)
		}
	}
	require.Len(t, sigs, 2)
	repo.Root.Signatures = sigs
	r.Signatures = sigs

	sn, err = repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	_, err = validateUpdate(serverCrypto, gun, []storage.MetaUpdate{root, snapshot}, store)
	require.Error(t, err)
	require.Contains(t, err.Error(), "could not rotate trust to a new trusted root")

	// now sign with both of the pair and the new one
	sigs = make([]data.Signature, 0, 3)
	for _, sig := range origSigs {
		if sig.KeyID != oldRootKeyID {
			sigs = append(sigs, sig)
		}
	}
	require.Len(t, sigs, 3)
	repo.Root.Signatures = sigs
	r.Signatures = sigs

	sn, err = repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
	require.NoError(t, err)
	root, _, snapshot, _, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	_, err = validateUpdate(serverCrypto, gun, []storage.MetaUpdate{root, snapshot}, store)
	require.NoError(t, err)
}
Exemple #21
0
// A valid root rotation requires the immediately previous root ROLE be satisfied,
// not just that there is a single root signature.  So if there were 2 keys, either
// of which can sign the root rotation, then either one of those keys can be used
// to sign the root rotation - not necessarily the one that signed the previous root.
func TestValidateRootRotationMultipleKeysThreshold1(t *testing.T) {
	gun := "docker.com/notary"
	repo, crypto, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	serverCrypto := testutils.CopyKeys(t, crypto, data.CanonicalTimestampRole)
	store := storage.NewMemStorage()

	// add a new root key to the root so that either can sign have to sign
	additionalRootKey, err := testutils.CreateKey(crypto, gun, data.CanonicalRootRole, data.ECDSAKey)
	require.NoError(t, err)
	additionalRootID := additionalRootKey.ID()
	repo.Root.Signed.Keys[additionalRootID] = additionalRootKey
	repo.Root.Signed.Roles[data.CanonicalRootRole].KeyIDs = append(
		repo.Root.Signed.Roles[data.CanonicalRootRole].KeyIDs, additionalRootID)

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	require.Len(t, r.Signatures, 2)
	// make sure the old root was just signed with the first key
	for _, sig := range r.Signatures {
		if sig.KeyID != additionalRootID {
			r.Signatures = []data.Signature{sig}
			break
		}
	}
	require.Len(t, r.Signatures, 1)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	// set the original root in the store
	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}
	require.NoError(t, store.UpdateMany(gun, updates))

	// replace the keys with just 1 key
	rotatedRootKey, err := testutils.CreateKey(crypto, gun, data.CanonicalRootRole, data.ECDSAKey)
	require.NoError(t, err)
	rotatedRootID := rotatedRootKey.ID()
	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalRootRole, rotatedRootKey))

	r, err = repo.SignRoot(data.DefaultExpires(data.CanonicalRootRole))
	require.NoError(t, err)
	require.Len(t, r.Signatures, 3)
	// delete all signatures except the additional key (which didn't sign the
	// previous root) and the new key
	sigs := make([]data.Signature, 0, 2)
	for _, sig := range repo.Root.Signatures {
		if sig.KeyID == additionalRootID || sig.KeyID == rotatedRootID {
			sigs = append(sigs, sig)
		}
	}
	require.Len(t, sigs, 2)
	repo.Root.Signatures = sigs
	r.Signatures = sigs

	sn, err = repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
	require.NoError(t, err)

	root, _, snapshot, _, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)
	root.Version = repo.Root.Signed.Version
	snapshot.Version = repo.Snapshot.Signed.Version
	_, err = validateUpdate(serverCrypto, gun, []storage.MetaUpdate{root, snapshot}, store)
	require.NoError(t, err)
}
Exemple #22
0
// A valid root rotation only cares about the immediately previous old root keys,
// whether or not there are old root roles
func TestValidateRootRotationWithOldSigs(t *testing.T) {
	gun := "docker.com/notary"
	repo, crypto, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)
	serverCrypto := testutils.CopyKeys(t, crypto, data.CanonicalTimestampRole)
	store := storage.NewMemStorage()

	r, tg, sn, ts, err := testutils.Sign(repo)
	require.NoError(t, err)
	root, targets, snapshot, timestamp, err := getUpdates(r, tg, sn, ts)
	require.NoError(t, err)

	// set the original root in the store
	updates := []storage.MetaUpdate{root, targets, snapshot, timestamp}
	require.NoError(t, store.UpdateMany(gun, updates))

	// rotate the root key, sign with both keys, and update - update should succeed
	newRootKey, err := testutils.CreateKey(crypto, gun, data.CanonicalRootRole, data.ECDSAKey)
	require.NoError(t, err)
	newRootID := newRootKey.ID()

	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalRootRole, newRootKey))
	r, _, sn, _, err = testutils.Sign(repo)
	require.NoError(t, err)
	root, _, snapshot, _, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)
	root.Version = repo.Root.Signed.Version
	snapshot.Version = repo.Snapshot.Signed.Version

	updates, err = validateUpdate(serverCrypto, gun, []storage.MetaUpdate{root, snapshot}, store)
	require.NoError(t, err)
	require.NoError(t, store.UpdateMany(gun, updates))

	// the next root does NOT need to be signed by both keys, because we only care
	// about signing with both keys if the root keys have changed (signRoot again to bump the version)

	r, err = repo.SignRoot(data.DefaultExpires(data.CanonicalRootRole))
	require.NoError(t, err)
	// delete all signatures except the one with the new key
	for _, sig := range repo.Root.Signatures {
		if sig.KeyID == newRootID {
			r.Signatures = []data.Signature{sig}
			repo.Root.Signatures = r.Signatures
			break
		}
	}
	sn, err = repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
	require.NoError(t, err)

	root, _, snapshot, _, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)
	root.Version = repo.Root.Signed.Version
	snapshot.Version = repo.Snapshot.Signed.Version
	updates, err = validateUpdate(serverCrypto, gun, []storage.MetaUpdate{root, snapshot}, store)
	require.NoError(t, err)
	require.NoError(t, store.UpdateMany(gun, updates))

	// another root rotation requires only the previous and new keys, and not the
	// original root key even though that original role is still in the metadata

	newRootKey2, err := testutils.CreateKey(crypto, gun, data.CanonicalRootRole, data.ECDSAKey)
	require.NoError(t, err)
	newRootID2 := newRootKey2.ID()

	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalRootRole, newRootKey2))
	r, err = repo.SignRoot(data.DefaultExpires(data.CanonicalRootRole))
	require.NoError(t, err)
	// delete all signatures except the ones with the first and second new keys
	sigs := make([]data.Signature, 0, 2)
	for _, sig := range repo.Root.Signatures {
		if sig.KeyID == newRootID || sig.KeyID == newRootID2 {
			sigs = append(sigs, sig)
		}
	}
	require.Len(t, sigs, 2)
	repo.Root.Signatures = sigs
	r.Signatures = sigs

	sn, err = repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
	require.NoError(t, err)

	root, _, snapshot, _, err = getUpdates(r, tg, sn, ts)
	require.NoError(t, err)
	root.Version = repo.Root.Signed.Version
	snapshot.Version = repo.Snapshot.Signed.Version
	_, err = validateUpdate(serverCrypto, gun, []storage.MetaUpdate{root, snapshot}, store)
	require.NoError(t, err)
}
Exemple #23
0
// Test the cases in which GenerateSnapshot fails
func TestGenerateSnapshotInvalidOperations(t *testing.T) {
	gun := "docker.com/notary"
	repo, cs, err := testutils.EmptyRepo(gun)
	require.NoError(t, err)

	// make snapshot have 2 keys and a threshold of 2
	snapKeys := make([]data.PublicKey, 2)
	for i := 0; i < 2; i++ {
		snapKeys[i], err = cs.Create(data.CanonicalSnapshotRole, gun, data.ECDSAKey)
		require.NoError(t, err)
	}

	require.NoError(t, repo.ReplaceBaseKeys(data.CanonicalSnapshotRole, snapKeys...))
	repo.Root.Signed.Roles[data.CanonicalSnapshotRole].Threshold = 2

	meta, err := testutils.SignAndSerialize(repo)
	require.NoError(t, err)

	for _, prevSnapshot := range []*data.SignedSnapshot{nil, repo.Snapshot} {
		// copy keys, since we expect one of these generation attempts to succeed and we do
		// some key deletion tests later
		newCS := testutils.CopyKeys(t, cs, data.CanonicalSnapshotRole)

		// --- we can't generate a snapshot if the root isn't loaded
		builder := tuf.NewRepoBuilder(gun, newCS, trustpinning.TrustPinConfig{})
		_, _, err := builder.GenerateSnapshot(prevSnapshot)
		require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
		require.Contains(t, err.Error(), "root must be loaded first")
		require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))

		// --- we can't generate a snapshot if the targets isn't loaded and we have no previous snapshot,
		// --- but if we have a previous snapshot with a valid targets, we're good even if no snapshot
		// --- is loaded
		require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
		_, _, err = builder.GenerateSnapshot(prevSnapshot)
		if prevSnapshot == nil {
			require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
			require.Contains(t, err.Error(), "targets must be loaded first")
			require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))
		} else {
			require.NoError(t, err)
		}

		// --- we can't generate a snapshot if we've loaded the timestamp already
		builder = tuf.NewRepoBuilder(gun, newCS, trustpinning.TrustPinConfig{})
		require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
		if prevSnapshot == nil {
			require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))
		}
		require.NoError(t, builder.Load(data.CanonicalTimestampRole, meta[data.CanonicalTimestampRole], 1, false))

		_, _, err = builder.GenerateSnapshot(prevSnapshot)
		require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
		require.Contains(t, err.Error(), "cannot generate snapshot if timestamp has already been loaded")
		require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))

		// --- we cannot generate a snapshot if we've already loaded a snapshot
		builder = tuf.NewRepoBuilder(gun, newCS, trustpinning.TrustPinConfig{})
		require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
		if prevSnapshot == nil {
			require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))
		}
		require.NoError(t, builder.Load(data.CanonicalSnapshotRole, meta[data.CanonicalSnapshotRole], 1, false))

		_, _, err = builder.GenerateSnapshot(prevSnapshot)
		require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
		require.Contains(t, err.Error(), "snapshot has already been loaded")

		// --- we cannot generate a snapshot if we can't satisfy the role threshold
		for i := 0; i < len(snapKeys); i++ {
			require.NoError(t, newCS.RemoveKey(snapKeys[i].ID()))
			builder = tuf.NewRepoBuilder(gun, newCS, trustpinning.TrustPinConfig{})
			require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
			if prevSnapshot == nil {
				require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))
			}

			_, _, err = builder.GenerateSnapshot(prevSnapshot)
			require.IsType(t, signed.ErrInsufficientSignatures{}, err)
			require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))
		}

		// --- we cannot generate a snapshot if we don't have a cryptoservice
		builder = tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
		require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
		if prevSnapshot == nil {
			require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))
		}

		_, _, err = builder.GenerateSnapshot(prevSnapshot)
		require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
		require.Contains(t, err.Error(), "cannot generate snapshot without a cryptoservice")
		require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))
	}

	// --- we can't generate a snapshot if we're given an invalid previous snapshot (for instance, an empty one),
	// --- even if we have a targets loaded
	builder := tuf.NewRepoBuilder(gun, cs, trustpinning.TrustPinConfig{})
	require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
	require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))

	_, _, err = builder.GenerateSnapshot(&data.SignedSnapshot{})
	require.IsType(t, data.ErrInvalidMetadata{}, err)
	require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))
}