/*
ValidateRoot receives a new root, validates its correctness and attempts to
do root key rotation if needed.
First we list the current trusted certificates we have for a particular GUN. If
that list is non-empty means that we've already seen this repository before, and
have a list of trusted certificates for it. In this case, we use this list of
certificates to attempt to validate this root file.
If the previous validation suceeds, or in the case where we found no trusted
certificates for this particular GUN, we check the integrity of the root by
making sure that it is validated by itself. This means that we will attempt to
validate the root data with the certificates that are included in the root keys
themselves.
If this last steps succeeds, we attempt to do root rotation, by ensuring that
we only trust the certificates that are present in the new root.
This mechanism of operation is essentially Trust On First Use (TOFU): if we
have never seen a certificate for a particular CN, we trust it. If later we see
a different certificate for that certificate, we return an ErrValidationFailed error.
Note that since we only allow trust data to be downloaded over an HTTPS channel
we are using the current public PKI to validate the first download of the certificate
adding an extra layer of security over the normal (SSH style) trust model.
We shall call this: TOFUS.
*/
func (km *KeyStoreManager) ValidateRoot(root *data.Signed, gun string) error {
logrus.Debugf("entered ValidateRoot with dns: %s", gun)
signedRoot, err := data.RootFromSigned(root)
if err != nil {
return err
}
// Retrieve all the leaf certificates in root for which the CN matches the GUN
allValidCerts, err := validRootLeafCerts(signedRoot, gun)
if err != nil {
logrus.Debugf("error retrieving valid leaf certificates for: %s, %v", gun, err)
return &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}
}
// Retrieve all the trusted certificates that match this gun
certsForCN, err := km.trustedCertificateStore.GetCertificatesByCN(gun)
if err != nil {
// If the error that we get back is different than ErrNoCertificatesFound
// we couldn't check if there are any certificates with this CN already
// trusted. Let's take the conservative approach and return a failed validation
if _, ok := err.(*trustmanager.ErrNoCertificatesFound); !ok {
logrus.Debugf("error retrieving trusted certificates for: %s, %v", gun, err)
return &ErrValidationFail{Reason: "unable to retrieve trusted certificates"}
}
}
// If we have certificates that match this specific GUN, let's make sure to
// use them first to validate that this new root is valid.
if len(certsForCN) != 0 {
logrus.Debugf("found %d valid root certificates for %s", len(certsForCN), gun)
err = signed.VerifyRoot(root, 0, trustmanager.CertsToKeys(certsForCN))
if err != nil {
logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
return &ErrValidationFail{Reason: "failed to validate data with current trusted certificates"}
}
} else {
logrus.Debugf("found no currently valid root certificates for %s", gun)
}
// Validate the integrity of the new root (does it have valid signatures)
err = signed.VerifyRoot(root, 0, trustmanager.CertsToKeys(allValidCerts))
if err != nil {
logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
return &ErrValidationFail{Reason: "failed to validate integrity of roots"}
}
// Getting here means A) we had trusted certificates and both the
// old and new validated this root; or B) we had no trusted certificates but
// the new set of certificates has integrity (self-signed)
logrus.Debugf("entering root certificate rotation for: %s", gun)
// Do root certificate rotation: we trust only the certs present in the new root
// First we add all the new certificates (even if they already exist)
for _, cert := range allValidCerts {
err := km.trustedCertificateStore.AddCert(cert)
if err != nil {
// If the error is already exists we don't fail the rotation
if _, ok := err.(*trustmanager.ErrCertExists); ok {
logrus.Debugf("ignoring certificate addition to: %s", gun)
continue
}
logrus.Debugf("error adding new trusted certificate for: %s, %v", gun, err)
}
}
// Now we delete old certificates that aren't present in the new root
for certID, cert := range certsToRemove(certsForCN, allValidCerts) {
logrus.Debugf("removing certificate with certID: %s", certID)
err = km.trustedCertificateStore.RemoveCert(cert)
if err != nil {
logrus.Debugf("failed to remove trusted certificate with keyID: %s, %v", certID, err)
return &ErrRootRotationFail{Reason: "failed to rotate root keys"}
}
}
logrus.Debugf("Root validation succeeded for %s", gun)
return nil
}
// checkRoot returns true if no rotation, or a valid
// rotation has taken place, and the threshold number of signatures
// are valid.
func checkRoot(oldRoot, newRoot *data.SignedRoot) error {
rootRole := data.RoleName(data.CanonicalRootRole)
targetsRole := data.RoleName(data.CanonicalTargetsRole)
snapshotRole := data.RoleName(data.CanonicalSnapshotRole)
timestampRole := data.RoleName(data.CanonicalTimestampRole)
var oldRootRole *data.RootRole
newRootRole, ok := newRoot.Signed.Roles[rootRole]
if !ok {
return errors.New("new root is missing role entry for root role")
}
oldThreshold := 1
rotation := false
oldKeys := map[string]data.PublicKey{}
newKeys := map[string]data.PublicKey{}
if oldRoot != nil {
// check for matching root key IDs
oldRootRole = oldRoot.Signed.Roles[rootRole]
oldThreshold = oldRootRole.Threshold
for _, kid := range oldRootRole.KeyIDs {
k, ok := oldRoot.Signed.Keys[kid]
if !ok {
// if the key itself wasn't contained in the root
// we're skipping it because it could never have
// been used to validate this root.
continue
}
oldKeys[kid] = data.NewPublicKey(k.Algorithm(), k.Public())
}
// super simple check for possible rotation
rotation = len(oldKeys) != len(newRootRole.KeyIDs)
}
// if old and new had the same number of keys, iterate
// to see if there's a difference.
for _, kid := range newRootRole.KeyIDs {
k, ok := newRoot.Signed.Keys[kid]
if !ok {
// if the key itself wasn't contained in the root
// we're skipping it because it could never have
// been used to validate this root.
continue
}
newKeys[kid] = data.NewPublicKey(k.Algorithm(), k.Public())
if oldRoot != nil {
if _, ok := oldKeys[kid]; !ok {
// if there is any difference in keys, a key rotation may have
// occurred.
rotation = true
}
}
}
newSigned, err := newRoot.ToSigned()
if err != nil {
return err
}
if rotation {
err = signed.VerifyRoot(newSigned, oldThreshold, oldKeys)
if err != nil {
return fmt.Errorf("rotation detected and new root was not signed with at least %d old keys", oldThreshold)
}
}
err = signed.VerifyRoot(newSigned, newRootRole.Threshold, newKeys)
if err != nil {
return err
}
root, err := data.RootFromSigned(newSigned)
if err != nil {
return err
}
// at a minimum, check the 4 required roles are present
for _, r := range []string{rootRole, targetsRole, snapshotRole, timestampRole} {
role, ok := root.Signed.Roles[r]
if !ok {
return fmt.Errorf("missing required %s role from root", r)
}
if role.Threshold < 1 {
return fmt.Errorf("%s role has invalid threshold", r)
}
if len(role.KeyIDs) < role.Threshold {
return fmt.Errorf("%s role has insufficient number of keys", r)
}
}
return nil
}
// checkRoot errors if an invalid rotation has taken place, if the
// threshold number of signatures is invalid, if there are an invalid
// number of roles and keys, or if the timestamp keys are invalid
func checkRoot(oldRoot, newRoot *data.SignedRoot, timestampKey data.PublicKey) error {
rootRole := data.CanonicalRootRole
targetsRole := data.CanonicalTargetsRole
snapshotRole := data.CanonicalSnapshotRole
timestampRole := data.CanonicalTimestampRole
var oldRootRole *data.RootRole
newRootRole, ok := newRoot.Signed.Roles[rootRole]
if !ok {
return errors.New("new root is missing role entry for root role")
}
oldThreshold := 1
rotation := false
oldKeys := map[string]data.PublicKey{}
newKeys := map[string]data.PublicKey{}
if oldRoot != nil {
// check for matching root key IDs
oldRootRole = oldRoot.Signed.Roles[rootRole]
oldThreshold = oldRootRole.Threshold
for _, kid := range oldRootRole.KeyIDs {
k, ok := oldRoot.Signed.Keys[kid]
if !ok {
// if the key itself wasn't contained in the root
// we're skipping it because it could never have
// been used to validate this root.
continue
}
oldKeys[kid] = data.NewPublicKey(k.Algorithm(), k.Public())
}
// super simple check for possible rotation
rotation = len(oldKeys) != len(newRootRole.KeyIDs)
}
// if old and new had the same number of keys, iterate
// to see if there's a difference.
for _, kid := range newRootRole.KeyIDs {
k, ok := newRoot.Signed.Keys[kid]
if !ok {
// if the key itself wasn't contained in the root
// we're skipping it because it could never have
// been used to validate this root.
continue
}
newKeys[kid] = data.NewPublicKey(k.Algorithm(), k.Public())
if oldRoot != nil {
if _, ok := oldKeys[kid]; !ok {
// if there is any difference in keys, a key rotation may have
// occurred.
rotation = true
}
}
}
newSigned, err := newRoot.ToSigned()
if err != nil {
return err
}
if rotation {
err = signed.VerifyRoot(newSigned, oldThreshold, oldKeys)
if err != nil {
return fmt.Errorf("rotation detected and new root was not signed with at least %d old keys", oldThreshold)
}
}
err = signed.VerifyRoot(newSigned, newRootRole.Threshold, newKeys)
if err != nil {
return err
}
root, err := data.RootFromSigned(newSigned)
if err != nil {
return err
}
var timestampKeyIDs []string
// at a minimum, check the 4 required roles are present
for _, r := range []string{rootRole, targetsRole, snapshotRole, timestampRole} {
role, ok := root.Signed.Roles[r]
if !ok {
return fmt.Errorf("missing required %s role from root", r)
}
// According to the TUF spec, any role may have more than one signing
// key and require a threshold signature. However, notary-server
// creates the timestamp, and there is only ever one, so a threshold
// greater than one would just always fail validation
if (r == timestampRole && role.Threshold != 1) || role.Threshold < 1 {
return fmt.Errorf("%s role has invalid threshold", r)
}
if len(role.KeyIDs) < role.Threshold {
return fmt.Errorf("%s role has insufficient number of keys", r)
}
if r == timestampRole {
timestampKeyIDs = role.KeyIDs
}
}
// ensure that at least one of the timestamp keys specified in the role
// actually exists
for _, keyID := range timestampKeyIDs {
if timestampKey.ID() == keyID {
return nil
}
}
return fmt.Errorf("none of the following timestamp keys exist: %s",
strings.Join(timestampKeyIDs, ", "))
}