This repository has been archived by the owner on Mar 29, 2022. It is now read-only.
WIP: Timeserver key rotation #171
Open: awwad wants to merge 17 commits into develop from timeserver_key_rotation
awwad force-pushed the timeserver_key_rotation branch from cc39767 to 7ce880d (March 7, 2019 18:36)
awwad force-pushed the timeserver_key_rotation branch 3 times, most recently from 3aa0567 to fca8f8d (March 12, 2019 16:44)
handling fast-forward attacks that hijack the timeserver key to push current time to some value in the future, expiring all metadata and preventing update. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
in clients secondary.py and primary.py. The mechanism for retrieving metadata from the TAP4-conforming multi-repository-updater is the Updater.get_metadata() call. Note that until the test metadata includes timeserver keys, the tests will still fail. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
awwad force-pushed the timeserver_key_rotation branch from fca8f8d to 3bd9c6b (March 15, 2019 17:43)
(to match uptuf's old expectations regarding role capitalization). Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
The prior modifications in this PR caused a failure case: an <else:raise> was missing. If an error occurred obtaining verified metadata, and there was no timeserver key rotation, we weren't raising the error. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
in JSON only. samples/timeserver_key_rotated has metadata that is updated from samples/initial_w_no_update, with later version of Root, Snapshot, and Timestamp, that allow a full verification Primary or Secondary to verify a new Timeserver key. For use with upcoming testing. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
- Do not add timeserver keys to the image repo root metadata test/sample data.
- Add the public key value where appropriate, not just the keyid.
- Re-sign.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
awwad force-pushed the timeserver_key_rotation branch from dd911ed to 77dcc9d (March 19, 2019 23:17)
- Correct the code handling Timeserver key rotation to recognize that keyids+threshold is what is listed in the 'role' metadata in Root, and to use that to obtain the full public key value from tuf.keydb.
- Also performs the actual update of the client's noted Timeserver key. In a future commit, this should probably be modified a bit such that the clients just use the value from metadata via get_metadata() calls instead of caching the value (since in this implementation, the Timeserver key information will be in every Root version).
- Make notes where more duplicate code has been added to primary.py and secondary.py.
- Slightly reorganize code in refresh_toplevel_metadata_from_repositories.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
The test feeds in two sets of metadata, the second of which has a different Timeserver key listed. This checks to make sure that the key change is taken into account by the clients, but it does not yet test the fast-forward attack. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
This is the value used in all_valid_timeserver_times() after a Timeserver key rotation, and is also the value used to set tuf.conf.CLOCK_OVERRIDE. They were previously set to time.gmtime(0), which is the wrong type. They are now correctly set to an iso8601 value. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
awwad force-pushed the timeserver_key_rotation branch from d2a93be to 0d27264 (March 25, 2019 19:36)
test_secondary.test_95_timeserver_fastforward_attack

We add an additional test client (bringing us to 4 test Secondary clients). Resolution uses rotation of the Timeserver key. See:
- #173
- uptane/uptane-standard#41

This commit also improves the prior test added in this PR, test_90_timeserver_key_rotation, adding a few checks and improving readability and comments. This requires a bit more editing.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
awwad force-pushed the timeserver_key_rotation branch from 0d27264 to 603284a (March 25, 2019 19:37)
Now that a local uptuf branch has had some issues fixed, I got through to this line and saw an obvious issue. :) Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
THIS COMMIT SHOULD NOT BE MERGED AND IS HERE FOR TESTING PURPOSES. The uptuf branch pointed to here is expected to be merged into develop, at which point this commit will cease to make sense. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Adjust the timeserver fast-forward attack test in this PR to anticipate the merging of PR 179. PR 179 enforces that the Director repository is updated before other repositories. This is required by the Uptane Standard, and is also useful in handling the fast-forward attack. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
This is important for conformance to the Uptane Standard and to be able to resolve Timeserver fast-forward attacks. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
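The rotation-and-reset behaviour these commits describe, as an added sketch (not code from this PR or from the Uptane reference implementation): a fast-forwarded time sticks because the client refuses to move time backwards, and a verified Root listing a new Timeserver keyid resets the known time to the epoch so a fresh attestation can be accepted. The `Client` class, the HMAC stand-in for the Timeserver signature, the never-backwards rule, threshold 1, and all keys and timestamps are assumptions constructed for illustration.

```python
import hashlib
import hmac

EPOCH = '1970-01-01T00:00:00Z'  # ISO 8601 reset value after a key rotation

def sign_time(key, iso_time):
    # Stand-in for the Timeserver signature (HMAC-SHA256, stdlib only);
    # a real Timeserver key is asymmetric.
    return hmac.new(key, iso_time.encode(), hashlib.sha256).hexdigest()

def timeserver_keys(root):
    # Root lists keyids + threshold for the role; key values are looked up
    # by keyid (the PR does this through tuf.keydb). Threshold 1 assumed.
    return {k: root['keys'][k] for k in root['roles']['timeserver']['keyids']}

class Client:  # hypothetical, not the PR's Primary/Secondary classes
    def __init__(self, root):
        self.keys, self.times = timeserver_keys(root), [EPOCH]

    def update_time(self, keyid, iso_time, sig):
        key = self.keys.get(keyid)
        if key is None or not hmac.compare_digest(sign_time(key, iso_time), sig):
            return False  # unknown key or bad signature
        if iso_time < self.times[-1]:
            return False  # assumed rule: attested time never moves backwards
        self.times.append(iso_time)
        return True

    def update_root(self, verified_root):  # Root chain assumed already verified
        new = timeserver_keys(verified_root)
        if set(new) != set(self.keys):
            self.times = [EPOCH]  # discard times attested by the old key
        self.keys = new

    def is_expired(self, expires):
        return expires <= self.times[-1]  # same-format UTC strings sort by time

def fast_forward_scenario():
    # Constructed keys, keyids and timestamps.
    old, new = b'constructed-old-key', b'constructed-new-key'
    root1 = {'keys': {'ts1': old}, 'roles': {'timeserver': {'keyids': ['ts1'], 'threshold': 1}}}
    root2 = {'keys': {'ts2': new}, 'roles': {'timeserver': {'keyids': ['ts2'], 'threshold': 1}}}
    expires, now, future = '2019-06-01T00:00:00Z', '2019-03-25T19:36:00Z', '2099-01-01T00:00:00Z'
    c = Client(root1)
    c.update_time('ts1', future, sign_time(old, future))  # signed with the hijacked key
    stuck = (c.is_expired(expires), c.update_time('ts1', now, sign_time(old, now)))
    c.update_root(root2)  # rotation: clock resets to EPOCH
    recovered = (c.update_time('ts2', now, sign_time(new, now)), c.is_expired(expires))
    return stuck, recovered, c.update_time('ts1', future, sign_time(old, future))
```

`fast_forward_scenario()` returns the client's state before rotation (metadata seen as expired, correct time rejected), after rotation (correct time accepted, metadata valid again), and whether the old key can still push a time (it cannot).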
This was referenced Mar 27, 2019
This is the last PR in a series of four intended to handle Issue #173.
This PR adds timeserver key rotation through root metadata, handling fast-forward attacks that hijack the timeserver key to push current time to some value in the future, expiring all metadata and preventing update.
Fixes #173
Note that this will not be polished and merged until after: